
Friday, November 30, 2012

Create Certificate Using OpenSSL, PKCS12, CA Root Signature

Download Windows Version of OpenSSL From

For Linux OpenSSL, use the following path:

1) Install OpenSSL.

2) After installation, browse to the OpenSSL install path (on Windows, C:\Program Files (x86)\GnuWin32\bin).

3) Open the same path in Command Prompt.

4) Generate an RSA private key using the following command.

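cmd> openssl genrsa -des3 -out iamidm.key 4096

The key size must be the last argument to genrsa. With -des3 written after 4096 the option does not take effect and the key is saved without a pass phrase, which is why the captured output in this post shows no pass phrase prompts. With -des3 placed before the size, OpenSSL asks for a pass phrase here and again whenever the key is used in the later steps.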

The following output should appear after running the command:

Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
......................................................................................................++
e is 65537 (0x10001)

The key is created with the name iamidm.key in the directory where you ran the command.

5) Generate the root certificate using the following command:

cmd>openssl req -new -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf" -x509 -days 365 -key iamidm.key -out iamidm.crt


Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:ANDHRA
Locality Name (eg, city) []:HYDERABAD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IAMIDM
Organizational Unit Name (eg, section) []:IAM
Common Name (eg, YOUR name) []:RAVITEJA

The certificate is generated with the name iamidm.crt and 1 year validity (as we have given 365 days).

6) Create Subordinate CA that is used for signature.

Generate another RSA Key.

cmd>openssl genrsa -des3 -out iamidm_sub.key 4096

As with the first key, -des3 has to come before the key size to take effect.

Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

Check that the output file iamidm_sub.key has been generated.

Generate a certificate signing request (CSR) using the above key:

cmd> openssl req -new -config "C:\Program Files (x86)\GnuWin32\share\openssl.cnf"  -key iamidm_sub.key -out iamidm_sub.csr

7) Generate Certificate now:

cmd>openssl x509 -req -days 365 -in iamidm_sub.csr -CA iamidm.crt -CAkey iamidm.key -set_serial 01 -out server.crt


Loading 'screen' into random state - done
Signature ok
Getting CA Private Key

server.crt should now be generated.

Package the keys and certs in a PKCS12 file:

cmd>openssl pkcs12 -export -out iamidm_sub.p12 -inkey iamidm_sub.key -in server.crt -chain -CAfile iamidm.crt

Loading 'screen' into random state - done

Enter Export Password:
Verifying - Enter Export Password:

iamidm_sub.p12 will get generated. 
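
The whole procedure as one POSIX shell script, followed by the checks worth running on the result: are the keys really encrypted, does server.crt verify against the root, does it match its key, and what ended up in the PKCS#12 file. This is an added example, not part of the original post; the subject names, the pass phrase, the 2048-bit key size and the helper names build_chain, check_chain and is_ca are assumptions made for it.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the chain and check it.
# Subjects and pass phrase are constructed; 2048-bit keys keep the run short.
PW="pass:constructed-example"

build_chain() (   # $1 = empty working directory
    cd "$1" || exit 1
    # Steps 4-5: encrypted root key (-des3 before the size), self-signed root
    openssl genrsa -des3 -passout "$PW" -out iamidm.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -key iamidm.key -passin "$PW" \
        -subj "/C=IN/O=IAMIDM/CN=Example Root" -out iamidm.crt || exit 1
    # Step 6: second key and its certificate signing request
    openssl genrsa -des3 -passout "$PW" -out iamidm_sub.key 2048 2>/dev/null || exit 1
    openssl req -new -key iamidm_sub.key -passin "$PW" \
        -subj "/C=IN/O=IAMIDM/CN=Example Sub" -out iamidm_sub.csr || exit 1
    # Step 7: sign the request with the root key
    openssl x509 -req -days 365 -in iamidm_sub.csr -CA iamidm.crt -CAkey iamidm.key \
        -passin "$PW" -set_serial 01 -out server.crt 2>/dev/null || exit 1
    # Last step: bundle key, certificate and root into a PKCS#12 file
    openssl pkcs12 -export -out iamidm_sub.p12 -inkey iamidm_sub.key \
        -passin "$PW" -in server.crt -chain -CAfile iamidm.crt -passout "$PW"
)

is_ca() { openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE'; }

check_chain() (   # one line per check; exit status 0 only if all pass
    cd "$1" || exit 1
    rc=0
    report() { if [ "$2" -eq 0 ]; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    grep -q ENCRYPTED iamidm.key;     report "root key is pass-phrase protected" $?
    grep -q ENCRYPTED iamidm_sub.key; report "second key is pass-phrase protected" $?
    openssl verify -CAfile iamidm.crt server.crt >/dev/null 2>&1
    report "server.crt verifies against iamidm.crt" $?
    m=$(openssl x509 -noout -modulus -in server.crt 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in iamidm_sub.key -passin "$PW" 2>/dev/null)
    [ -n "$m" ] && [ "$m" = "$k" ]; report "server.crt carries the iamidm_sub.key public key" $?
    n=$(openssl pkcs12 -in iamidm_sub.p12 -passin "$PW" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ]; report "PKCS#12 holds server.crt plus the root" $?
    is_ca server.crt || echo "note server.crt has no CA:TRUE basic constraint"
    exit $rc
)

work=$(mktemp -d) && build_chain "$work" && check_chain "$work"
```

The note line appears because x509 -req, used as in step 7 without an extensions file, adds no CA basic constraint, so server.crt works as an end-entity certificate but not as an issuing CA.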

Thanks !!
