Prerequisite: Set up OpenSSL

The procedures in this section assume that you have installed and set up the OpenSSL toolkit.

Important: If you are using a commercial root CA, you may not need to install the OpenSSL toolkit. Contact your commercial root CA for details on how to obtain a signed certificate. They may provide you with an alternate procedure for obtaining a signed certificate.

To install and set up OpenSSL:

  1. Install the OpenSSL toolkit by choosing one of the following actions:

    Windows

    Download and extract the latest version of the toolkit from the following URL: https://www.openssl.org/. This task assumes you extracted the toolkit to the C:\openssl directory.

    Linux

    1. Run the following command:
      yum install openssl
    2. Follow the install instructions.
    3. When OpenSSL is installed, create the openssl directory in your home directory.
      For example:
      /home/cmsadmin/openssl
  2. Open a command prompt and go to the openssl directory.
    For example:
    (Windows) cd C:\openssl
    (Linux) cd /home/cmsadmin/openssl
  3. In the openssl directory, create the openssl.cnf file and add the following content:
    #
    # OpenSSL configuration file.
    #
    
    # Establish working directory (relative to the directory openssl is run from,
    # which is why step 2 changes into the openssl directory first).
    
    dir   = ./CA
    
    [ ca ]
    default_ca  = CA_default
    
    [ CA_default ]
    serial   = $dir/serial             # next serial number, created in step 7
    database  = $dir/index.txt         # certificate database, created in step 6
    new_certs_dir  = $dir/newcerts     # copies of signed certificates, named by serial number
    certificate  = $dir/newcerts/textml_root_cert.pem
    private_key  = $dir/private/textml_root_privatekey.pem
    default_days  = 365
    default_md  = md5                  # signature digest; MD5 is obsolete for signatures, sha256 is the usual choice today
    preserve  = no
    email_in_dn  = no
    name_opt   = ca_default            # display options used when confirming a request (openssl ca reads name_opt/cert_opt)
    cert_opt   = ca_default
    policy   = policy_match
    
    [ policy_match ]
    countryName  = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName  = supplied
    emailAddress  = optional
    
    [ req ]
    default_bits  = 1024   # Size of keys (2048 or more is the accepted minimum today)
    default_keyfile  = key.pem  # name of generated keys
    default_md  = md5   # message digest algorithm (see note on default_md above)
    string_mask  = nombstr  # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions  = v3_req
    
    [ req_distinguished_name ]
    # Variable name    Prompt string
    #----------------------   ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress  = Email Address
    emailAddress_max = 40
    localityName  = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName  = Country Name (2 letter code)
    countryName_min  = 2
    countryName_max  = 2
    commonName  = Common Name (hostname, IP, or your name)
    commonName_max  = 64
    
    # Default values for the above, for consistency and less typing.
    # Variable name     Value
    #------------------------------   ------------------------------
    0.organizationName_default = Company name
    localityName_default  = City name
    stateOrProvinceName_default = state_province_name
    countryName_default  = CA
    
    # Extensions for the root CA certificate itself.
    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    
    # Extensions added to certificate requests (end-entity, not a CA).
    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
  4. In the openssl directory, create the CA directory.
    This directory will contain the certificates, private keys, and database.
    For example:
    mkdir CA
  5. In the CA directory, create two directories.
    • newcerts to contain the certificates
    • private to contain the private keys
    For example:
    cd CA
    mkdir newcerts
    mkdir private
  6. In the CA directory, create an empty index.txt file to contain the database of certificates.
  7. In the CA directory, create a file called serial that contains the string 01. OpenSSL reads this file for the serial number of the next certificate it signs and also uses that number to name the copy it stores in newcerts.
    echo 01 > serial
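The following POSIX shell script is an added example, not part of the original procedure: it carries out steps 4 to 7 under an assumed base directory (for example /home/cmsadmin/openssl), restricts the private directory to its owner, and checks that the layout matches what the openssl.cnf above expects before any certificate is issued.

```shell
#!/bin/sh
# Added example, not from the original page: build and check the CA working
# directory that openssl.cnf expects (steps 4 to 7). The base directory is an
# assumed argument such as /home/cmsadmin/openssl.
set -eu

ca_init() {
    ca="$1/CA"
    mkdir -p "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"                               # private keys: owner access only
    [ -f "$ca/index.txt" ] || : > "$ca/index.txt"         # empty database (step 6)
    [ -s "$ca/serial" ] || printf '01\n' > "$ca/serial"   # step 7; never reset a live serial
}

# Returns 0 when the layout is usable, 1 with a message for the first problem found.
ca_check() {
    ca="$1/CA"
    for d in "$ca" "$ca/newcerts" "$ca/private"; do
        [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    done
    [ -f "$ca/index.txt" ] || { echo "missing $ca/index.txt"; return 1; }
    [ -f "$ca/serial" ] || { echo "missing $ca/serial"; return 1; }
    # openssl ca reads the serial as hex with an even number of digits;
    # only CR/LF are stripped here, so a stray trailing space is reported.
    serial=$(tr -d '\r\n' < "$ca/serial")
    case "$serial" in
        ""|*[!0-9A-Fa-f]*) echo "serial is not hexadecimal: '$serial'"; return 1 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || { echo "serial needs an even digit count: '$serial'"; return 1; }
    # the private-key directory must not be group- or world-accessible
    mode=$(stat -c %a "$ca/private" 2>/dev/null || stat -f %Lp "$ca/private")
    case "$mode" in
        *00) ;;
        *) echo "$ca/private is mode $mode, expected 700"; return 1 ;;
    esac
    return 0
}

# Usage: ca_init /home/cmsadmin/openssl && ca_check /home/cmsadmin/openssl
```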
You are now ready to obtain a signed certificate.