blob: 7b12f7b3046965c1521faa5d64ee6737a3540876 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
README
http://groups.google.com/groups?hl=en&threadm=9jlbt7%243141%241%40FreeBSD.csie.NCTU.edu.tw&rnum=20&prev=/groups%3Fq%3Dopenssl%2Bx509%2Bcertificates%2Bchain%26start%3D10%26hl%3Den%26selm%3D9jlbt7%25243141%25241%2540FreeBSD.csie.NCTU.edu.tw%26rnum%3D20
http://www.post1.com/home/ngps/m2/howto.ca.html
Commands:
(0) create new CA and modify the openssl.cnf file
to point to it
> CA.pl -newca
(1) a self-signed des3 root ca cert, using
> openssl genrsa -des3 -out ca.key
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -signkey ca.key -out ca.crt -in ca.csr
verify ca.crt
> openssl x509 -text -in ca.crt
(2) a second ca cert, signed by the first ca, using
> openssl genrsa -des3 -out ca2.key
> openssl req -new -key ca2.key -out ca2.csr
> openssl ca -cert ca.crt -keyfile ca.key -out ca2.crt -infiles ca2.csr
verify ca2.crt
> openssl x509 -text -in ca2.crt
> openssl verify -CAfile ca.crt ca2.crt
(3) a user cert using
> openssl genrsa -des3 -out user.key
> openssl req -new -key user.key -out user.csr
> openssl ca -cert ca2.crt -keyfile ca2.key -out user.crt -infiles user.csr
verify user.crt
> openssl x509 -text -in ca3.crt
> openssl verify -CAfile ca.crt -untrusted ca2.crt user.crt
|