Prerequisite: Set up OpenSSL
The procedures in this section assume that you have installed and set up the OpenSSL toolkit.
About this task
Important: If you are using a commercial root CA, you
may not need to install the OpenSSL toolkit. Contact your commercial root CA for
details on how to obtain a signed certificate. They may provide you with an
alternate procedure for obtaining a signed certificate.
To install and set up OpenSSL:
Procedure
- Install the OpenSSL toolkit by choosing one of the following actions:
  Windows
  Download and extract the latest version of the toolkit from the following URL: https://www.openssl.org/. Verify the archive's signature or checksum against the values the publisher provides before extracting it. This task assumes you extracted the toolkit to the C:\openssl directory.
  Linux
  - Run the following command (on yum-based distributions such as RHEL and CentOS; on other distributions, install the openssl package with your distribution's package manager):
    yum install openssl
  - Follow the install instructions.
  - When OpenSSL is installed, create the openssl directory in your home directory. For example:
    /home/cmsadmin/openssl
  - Run the following command:
- Open a command prompt and go to the openssl directory. For example:
  (Windows) cd C:\openssl
  (Linux) cd /home/cmsadmin/openssl
- In the openssl directory, create the openssl.cnf file and add the following content. The dir value is relative (./CA), so run the openssl commands from the openssl directory. The policy_match section requires countryName, stateOrProvinceName and organizationName in every certificate you later sign to match the root certificate, so choose those values once and reuse them in each request.

    #
    # OpenSSL configuration file.
    #

    # Establish working directory.
    dir = ./CA

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    serial = $dir/serial
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/newcerts/textml_root_cert.pem
    private_key = $dir/private/textml_root_privatekey.pem
    default_days = 365
    default_md = sha256          # signature digest; MD5 must not be used for certificate signatures
    preserve = no
    email_in_dn = no
    nameopt = default_ca
    certopt = default_ca
    policy = policy_match

    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ req ]
    default_bits = 2048          # Size of keys; RSA keys shorter than 2048 bits are rejected by current clients
    default_keyfile = key.pem    # name of generated keys
    default_md = sha256          # message digest algorithm
    string_mask = nombstr        # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [ req_distinguished_name ]
    # Variable name                 Prompt string
    #----------------------         ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress = Email Address
    emailAddress_max = 40
    localityName = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    commonName = Common Name (hostname, IP, or your name)
    commonName_max = 64

    # Default values for the above, for consistency and less typing.
    # Variable name                 Value
    #------------------------------ ------------------------------
    0.organizationName_default = Company name
    localityName_default = City name
    stateOrProvinceName_default = state_province_name
    countryName_default = CA

    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
- In the openssl directory, create the CA directory. This directory will contain the certificates, private keys, and database. For example:
    mkdir CA
- In the CA directory, create two directories:
  newcerts, to contain the certificates
  private, to contain the private keys
  For example:
    cd CA
    mkdir newcerts
    mkdir private
  Restrict access to the private directory to the account that operates the CA: the root private key stored there signs every certificate the CA issues, and anyone who can read it can issue certificates that your systems will trust.
- In the CA directory, create an empty index.txt file to contain the database of certificates.
- In the CA directory, create a file called serial that contains the string 01. OpenSSL reads this value to number each generated certificate and increments it after every signing. For example:
    echo 01 > serial
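The following script is an added example, not part of the original documentation. It performs the directory steps above in one go, checks the result, and, when openssl and the openssl.cnf from the earlier step are present, creates the root key and self-signed root certificate at the paths that openssl.cnf names. The working directory is passed as an argument (for example /home/cmsadmin/openssl), and the subject of the root certificate is a placeholder built from the _default values in openssl.cnf; both are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original documentation): build the CA working
# directory that the procedure above describes, check it, and optionally create
# the root key and self-signed root certificate at the paths named in openssl.cnf.
# Assumptions: $1 is the openssl working directory (e.g. /home/cmsadmin/openssl),
# openssl.cnf from the procedure already exists there, and the subject below is a
# placeholder to replace with your own organization's values.
set -eu

# CA/, CA/newcerts/, CA/private/, an empty index.txt and serial=01.
# Existing index.txt and serial files are left alone so that a re-run cannot
# wipe the database of certificates already issued.
setup_ca_dirs() {
    base="$1"
    mkdir -p "$base/CA/newcerts" "$base/CA/private"
    chmod 700 "$base/CA/private"      # the CA private key lives here: owner-only access
    [ -f "$base/CA/index.txt" ] || : > "$base/CA/index.txt"
    [ -s "$base/CA/serial" ] || echo 01 > "$base/CA/serial"
}

# Returns 0 when the layout matches what the [ CA_default ] section expects,
# including a serial file that holds a hexadecimal number.
check_ca_dirs() {
    base="$1"
    [ -d "$base/CA/newcerts" ] || return 1
    [ -d "$base/CA/private" ] || return 1
    [ -f "$base/CA/index.txt" ] || return 1
    grep -Eq '^[0-9A-Fa-f]+$' "$base/CA/serial" || return 1
    return 0
}

# Creates the root key and a self-signed root certificate with the v3_ca
# extensions from openssl.cnf. Skipped (exit 0) when openssl or the config file
# is missing, so the directory setup above still works without them.
# Drop -nodes to protect the root key with a passphrase, as a production CA should.
make_root_cert() {
    base="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping root certificate" >&2; return 0; }
    [ -f "$base/openssl.cnf" ] || { echo "no openssl.cnf in $base; skipping root certificate" >&2; return 0; }
    (
        cd "$base"   # dir in openssl.cnf is relative (./CA), so run from the openssl directory
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config openssl.cnf -extensions v3_ca \
            -subj "/O=Company name/L=City name/ST=state_province_name/C=CA/CN=Example Root CA" \
            -keyout CA/private/textml_root_privatekey.pem \
            -out CA/newcerts/textml_root_cert.pem
        chmod 600 CA/private/textml_root_privatekey.pem
        openssl x509 -noout -subject -dates -in CA/newcerts/textml_root_cert.pem
    )
}

# Usage: sh setup_ca.sh /home/cmsadmin/openssl
if [ -n "${1:-}" ]; then
    setup_ca_dirs "$1"
    check_ca_dirs "$1" || { echo "CA directory layout is incomplete" >&2; exit 1; }
    make_root_cert "$1"
fi
```

The subject values match the _default entries in openssl.cnf so that requests signed later satisfy policy_match (countryName, stateOrProvinceName and organizationName must equal the root's). The root key is written unencrypted because of -nodes; for anything beyond a test setup, remove that flag so the key is passphrase-protected at rest.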