Prerequisite: Set up OpenSSL

The procedures in this section assume that you have installed and set up the OpenSSL toolkit.

If you are using a commercial root CA, you may not need to install the OpenSSL toolkit. Contact your commercial root CA for details on how to obtain a signed certificate. They may provide you with their own procedure for obtaining a signed certificate.

To install and set up OpenSSL:
  1. Install the OpenSSL toolkit:
    On Windows

    The OpenSSL toolkit used in this section was downloaded from the following URL:

    https://www.openssl.org/

    Download and extract the latest version of the toolkit. The procedures in this section assume that the toolkit was extracted to the C:\openssl directory.
    On Linux
    1. Run the following command:
      yum install openssl
    2. Follow the instructions provided.
    3. When OpenSSL is installed, create the openssl directory in your home directory.
      For example:
      /home/cmsadmin/openssl
  2. Open a command prompt and go to the openssl directory.
    For example:
    (Windows) cd C:\openssl
    (Linux) cd /home/cmsadmin/openssl
  3. In the openssl directory, create the openssl.cnf file and add the following content:
    #
    # OpenSSL configuration file.
    #
    
    # Establish working directory.
    
    dir   = ./CA
    
    [ ca ]
    default_ca  = CA_default
    
    [ CA_default ]
    serial   = $dir/serial
    database  = $dir/index.txt
    new_certs_dir  = $dir/newcerts
    certificate  = $dir/newcerts/textml_root_cert.pem
    private_key  = $dir/private/textml_root_privatekey.pem
    default_days  = 365
    default_md  = md5
    preserve  = no
    email_in_dn  = no
    nameopt   = default_ca
    certopt   = default_ca
    policy   = policy_match
    
    [ policy_match ]
    countryName  = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName  = supplied
    emailAddress  = optional
    
    [ req ]
    default_bits  = 1024   # Size of keys
    default_keyfile  = key.pem  # name of generated keys
    default_md  = md5   # message digest algorithm
    string_mask  = nombstr  # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions  = v3_req
    
    [ req_distinguished_name ]
    # Variable name    Prompt string
    #----------------------   ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress  = Email Address
    emailAddress_max = 40
    localityName  = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName  = Country Name (2 letter code)
    countryName_min  = 2
    countryName_max  = 2
    commonName  = Common Name (hostname, IP, or your name)
    commonName_max  = 64
    
    # Default values for the above, for consistency and less typing.
    # Variable name     Value
    #------------------------------   ------------------------------
    0.organizationName_default = Company name
    localityName_default  = City name
    stateOrProvinceName_default = state_province_name
    countryName_default  = CA
    
    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
  4. In the openssl directory, create the CA directory.
    This directory will contain the certificates, private keys, and database.

    For example:

    mkdir CA
  5. In the CA directory, create the following two directories:
    Option     Description
    newcerts   Will contain the certificates
    private    Will contain the private keys
    For example:
    cd CA
    mkdir newcerts
    mkdir private
  6. In the CA directory, create an empty index.txt file.
    This file will contain the database of certificates.
  7. In the CA directory, create a file called serial that contains the string 01, as follows:
    echo 01 > serial
    This is required to name the new generated certificates.
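
As an added example that is not part of the original procedure, the following POSIX shell script performs steps 4 to 7 and then checks that every path named in the [ CA_default ] section of the openssl.cnf from step 3 resolves from the current directory, which is why the steps are run from the openssl directory. The function names are the example's own, and it parses the configuration format in general rather than only the values shown above.

```shell
#!/bin/sh
# Added example, not part of the original documentation. Builds the CA
# tree from steps 4-7 and verifies it against the [ CA_default ] paths in
# openssl.cnf (step 3). Assumes it is run from the openssl directory.

# Steps 4-7: create the CA layout (safe to re-run; existing files are kept).
setup_ca_tree() {
  mkdir -p CA/newcerts CA/private
  chmod 700 CA/private                         # private keys are owner-only
  [ -f CA/index.txt ] || : > CA/index.txt      # empty certificate database
  [ -f CA/serial ]    || echo 01 > CA/serial   # first serial number
}

# Print the expanded value of one [ CA_default ] key, substituting $dir.
# $1 = config file, $2 = key (serial, database, new_certs_dir, ...)
ca_path() {
  awk -v key="$2" '
    function val(   s) {
      s = $0
      sub(/^[^=]*=[ \t]*/, "", s)   # drop "name ="
      sub(/[ \t#].*$/, "", s)       # drop any trailing comment
      return s
    }
    /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
    sec == "" && /^[ \t]*dir[ \t]*=/ { dir = val(); next }
    sec == "CA_default" && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      v = val(); sub(/\$dir/, dir, v); print v; exit
    }
  ' "$1"
}

# Verify the tree matches the config: serial, database and new_certs_dir
# must exist, and the private key directory must exist. The certificate
# and key files themselves are created in later steps, so only their
# directories are checked.
check_ca_layout() {
  rc=0
  for key in serial database new_certs_dir; do
    p=$(ca_path "$1" "$key")
    [ -n "$p" ] && [ -e "$p" ] || { echo "missing $key: $p" >&2; rc=1; }
  done
  k=$(ca_path "$1" private_key)
  [ -n "$k" ] && [ -d "$(dirname "$k")" ] || { echo "missing private key directory: $k" >&2; rc=1; }
  return $rc
}

# Usage, from the openssl directory after writing openssl.cnf (step 3):
#   setup_ca_tree && check_ca_layout openssl.cnf && echo "CA layout OK"
```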

You are now ready to obtain a signed certificate.