Wednesday, August 19, 2015

Create a Signing Authority and generate Self Signed Certificates

Create a Signing Authority

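# Lay out the CA directory: issued certificates go in certs/, the CA key in
# private/. Abort on failure so no later command runs in the wrong directory.
mkdir -p /etc/psc/CA/certs /etc/psc/CA/private || exit 1
cd /etc/psc/CA || exit 1
# Only the owner (root) may enter or list the directory holding the CA key;
# this is the only protection on the key, which is created unencrypted below.
chmod 700 private || exit 1
# "openssl ca" needs a starting serial number and an (empty) issued-cert database.
printf '01\n' > serial
touch index.txt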

Create a file openssl.cnf in the /etc/psc/CA directory

vim openssl.cnf

Copy the following text into this conf file (copy only the text between the two separator lines; do not copy the separator lines themselves)

——————————————————————————————————————————————————————
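# OpenSSL configuration for the OrchCA signing authority.
# "openssl req -x509" reads [ req ] to create the root; "openssl ca" reads
# [ ca ] to sign requests, and its -extensions flag selects which of the
# *_ca_extensions sections is stamped onto the issued certificate.

[ ca ]
default_ca = OrchCA

[ OrchCA ]
dir = /etc/psc/CA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 30
# Issued certificates are valid for 5 years. The root certificate must be
# created with at least this validity, otherwise every chain breaks as soon
# as the root expires while its leaves are still in date.
default_days = 1825
default_md = sha256

policy = OrchCA_policy
# Fallback extensions used only when "openssl ca" is run without -extensions.
x509_extensions = certificate_extensions

[ OrchCA_policy ]
# Only the CN is mandatory in a request; the other DN fields are copied if present.
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
# Where "openssl req -newkey" writes the CA key when -keyout is not given.
default_keyfile = /etc/psc/CA/private/cakey.pem
default_md = sha256
# Prompting is skipped when -subj is passed on the command line, as in this guide.
prompt = yes
distinguished_name = root_ca_distinguished_name
# Extensions for the self-signed root produced by "openssl req -x509".
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
# RFC 5280 requires basicConstraints to be marked critical in CA certificates.
basicConstraints = critical,CA:true
# The root only signs certificates and CRLs; it is never a TLS end-entity key.
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
# 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ca_extensions ]
basicConstraints = CA:false
# digitalSignature is needed for (EC)DHE key exchange and TLS 1.3, where the
# server signs the handshake; keyEncipherment alone only covers RSA key
# transport, so a server certificate with only that bit is rejected by clients
# that enforce keyUsage when forward-secret cipher suites are negotiated.
keyUsage = digitalSignature, keyEncipherment
# 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.1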
——————————————————————————————————————————————————————


Generate RSA Key and Certificate for our Certificate Authority

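# Create the CA private key (written to default_keyfile from the [ req ]
# section of openssl.cnf) and the self-signed root certificate.
# -nodes leaves the key unencrypted so the -batch signing steps below need no
# passphrase; the mode of private/ is then the only protection on it.
# The root must outlive the certificates it issues (default_days = 1825 in
# openssl.cnf): with the original -days 365 every issued certificate would
# fail validation after one year, so the root gets 10 years here.
openssl req -x509 -config /etc/psc/CA/openssl.cnf -newkey rsa:2048 -days 3650 \
  -out /etc/psc/CA/cacert.pem -outform PEM -subj /CN=OrchCA/ -nodes || exit 1

# DER copy of the root certificate for clients that cannot import PEM.
openssl x509 -in /etc/psc/CA/cacert.pem -out /etc/psc/CA/cacert.cer -outform DER || exit 1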


Root certificate (PEM format) = cacert.pem
Root certificate (DER format) = cacert.cer
Certificate Authority Key = /etc/psc/CA/private/cakey.pem


Generate Certificate and Key for the Server


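# Server key and certificate, signed by OrchCA with the server_ca_extensions profile.
mkdir -p /etc/psc/server || exit 1
cd /etc/psc/server || exit 1

openssl genrsa -out key.pem 2048 || exit 1

# O=server keeps this subject distinct from the client certificate's; "openssl ca"
# refuses to issue two certificates with the same subject unless unique_subject = no.
# NOTE: no subjectAltName is requested. Clients that ignore the CN (all current
# browsers do) will not match this certificate against the host name.
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$(hostname)/O=server/" || exit 1

cd /etc/psc/CA || exit 1

openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem \
  -notext -batch -extensions server_ca_extensions || exit 1

cd /etc/psc/server || exit 1

# Bundle key and certificate. The export password is taken from the environment
# instead of "pass:..." on the command line, where it would be visible in ps
# output and in the shell history.
: "${PKCS12_PASS:?set PKCS12_PASS to the PKCS#12 export password}"
export PKCS12_PASS
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout env:PKCS12_PASS || exit 1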


Generate Certificate and Key for the Client

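# Client key and certificate, signed by OrchCA with the client_ca_extensions profile.
mkdir -p /etc/psc/client || exit 1
cd /etc/psc/client || exit 1

openssl genrsa -out key.pem 2048 || exit 1

# O=client keeps this subject distinct from the server certificate's; "openssl ca"
# refuses to issue two certificates with the same subject unless unique_subject = no.
openssl req -new -key key.pem -out req.pem -outform PEM -subj "/CN=$(hostname)/O=client/" || exit 1

cd /etc/psc/CA || exit 1

openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem \
  -notext -batch -extensions client_ca_extensions || exit 1

cd /etc/psc/client || exit 1

# Bundle key and certificate. The export password is taken from the environment
# instead of "pass:..." on the command line, where it would be visible in ps
# output and in the shell history.
: "${PKCS12_PASS:?set PKCS12_PASS to the PKCS#12 export password}"
export PKCS12_PASS
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout env:PKCS12_PASS || exit 1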