Create and sign an X509 certificate request

David Hausheer

Create key pair and CSR (certificate signing request)

umask 0377
openssl req -new -config myserver.cnf -keyout myserver.key -out myserver.csr

Example myserver.cnf:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CH
O = Universitaet Zuerich
OU = Communication Systems Group
0.CN = csg.uzh.ch
1.CN = www.csg.uzh.ch
2.CN = mail.csg.uzh.ch

Sign a CSR

# Reset the umask: under 0377 the new directories would lack the execute bit
umask 077
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/certs
mkdir demoCA/newcerts
echo "01" > demoCA/serial
touch demoCA/index.txt
cp cacert.pem demoCA/cacert.pem
cp cakey.pem demoCA/private/cakey.pem
cp /etc/ssl/openssl.cnf openssl.cnf

Add the following to the [ usr_cert ] section of openssl.cnf (the entries in that section are used as the certificate's X509v3 extensions):

subjectAltName=DNS:host1.csg.uzh.ch, DNS:host2.csg.uzh.ch

(An alternative is to use the -extfile option)

The following command generates the certificate; -subj overwrites the subject given in the CSR:

openssl ca -config openssl.cnf -subj "/C=CH/O=Universitaet Zuerich/OU=Communication Systems Group/CN=host.csg.uzh.ch" -policy policy_anything -out myserver.pem -infiles myserver.csr
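
The -extfile alternative mentioned above, run end to end, as an added example that is not part of the original page: it builds a throwaway CA in a scratch directory, signs a CSR with the SANs supplied from an extension file, and defines checks for the issued certificate. The scratch CA, ca.cnf, san.ext, policy_min and the function names are assumptions made for this example.

```shell
# Added example. The scratch CA, file names and ca.cnf below are constructed;
# the hostnames are the ones used on this page.

# sign_with_extfile DIR: build a throwaway CA and a CSR in DIR, then issue
# DIR/myserver.pem with the SANs taken from an -extfile.
sign_with_extfile() (
  set -e
  umask 077                      # keys and CA state readable by the owner only
  cd "$1"
  mkdir -p demoCA/private demoCA/newcerts
  echo 01 > demoCA/serial
  : > demoCA/index.txt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Scratch CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=host.csg.uzh.ch" \
    -keyout myserver.key -out myserver.csr 2>/dev/null
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 1
policy = policy_min
[ policy_min ]
commonName = supplied
EOF
  echo 'subjectAltName=DNS:host1.csg.uzh.ch, DNS:host2.csg.uzh.ch' > san.ext
  openssl ca -batch -config ca.cnf -extfile san.ext \
    -out myserver.pem -infiles myserver.csr 2>/dev/null
)

# cert_sans CERT: print the DNS subjectAltName entries, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# key_matches_cert KEY CERT: succeed if CERT carries KEY's public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chains_to CACERT CERT: succeed if CERT verifies against CACERT.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run `sign_with_extfile "$(mktemp -d)"` and then apply the three checks to the files it leaves in that directory. By default `openssl ca` does not copy extensions requested in the CSR, so the SANs in the issued certificate are the ones the CA side supplies, which is what `cert_sans` lets you confirm.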

