Keyid:34:66:39:7C:EC:8B:70:80:9E:6F:95:89:DB:B5:B9:B8:D8:F8:AF:A4
Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
DNS:, DNS:DNS:, DNS:ftp.example.

OpenSSL is a widely used and a well known open source tool for generating self signed certificates, private keys, CSRs (Certificate Signing Requests) and for converting certificates from one format to another.

Issuer: C=US, ST=MD, L=Baltimore, O=Test CA, Limited, CN=Test Before: Feb 1 05:23:05 2014 GMT
Signature Algorithm: sha256WithRSAEncryption

What you are about to enter is what is called a Distinguished Name or a DN.

Finally, examine the certificate:
$ openssl x509 -in certificate.pem -text -noout

You are about to be asked to enter information that will be incorporated

$ openssl req -new -x509 -key private.key -sha256 -out certificate.pem -days 730

Third, generate your self-signed certificate:
$ openssl genrsa -out private.key 3072

The other ways to copy the DNS names are broken. This ensures the SANs are copied into the certificate. Find this line under the CA_default section:
# Extension copying option: use with caution.
And change it to:
# Extension copying option: use with caution.

In the end, the IETF (RFC 5280), browsers and CAs run fast and loose, so it probably does not matter what key usage you provide. It's a useless bit thought up by computer science guys/gals who wanted to be lawyers.

Search for the exact string : subjectAltName = might change keyUsage to the following under :
keyUsage = digitalSignature, keyEncipherment

digitalSignature and keyEncipherment are standard fare for a server certificate. Next, add the following to the existing section. There are no existing alternate_names sections, so it does not matter where you add it. Add an alternate_names section to openssl.cnf with the names you want to use. You can determine which openssl.cnf is being used by adding a spurious XXX to the file and see if openssl chokes.

First, modify the req parameters.
On recent Debian systems it is located at /etc/ssl/openssl.cnf. On my Debian system, /usr/lib/ssl/openssl.cnf is used by the built-in openssl program. It is likely located in /usr/lib/ssl/openssl.cnf:
$ find /usr/lib -name openssl.cnf

You might be able to do it with only command line options, but I don't do it that way.

Find your openssl.cnf file. It's a three-step process, and it involves modifying the openssl.cnf file.

Can someone help me with the exact syntax?