Build Certificates

From wiki.network-crawler.de

First build the CA:

cd /etc/ssl/

Modify CA.sh:

vi /usr/share/ssl/misc/CA.sh

/usr/share/ssl/misc/CA.sh -newca

Modify xpextensions:

vi xpextensions

Example:

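# 1.3.6.1.5.5.7.3.2 = TLS client authentication
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# 1.3.6.1.5.5.7.3.1 = TLS server authentication
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Create the server key and certificate request, then sign the request with the CA:

openssl req -new -nodes -keyout server_key.pem \
 -out server_req.pem -days 730 -config ./openssl.cnf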

openssl ca -config ./openssl.cnf -policy policy_anything \
 -out server_cert.pem -extensions xpserver_ext \
 -extfile ./xpextensions -infiles ./server_req.pem

Open your signed certificate with the text editor
of your choice and delete everything before the line:

-----BEGIN CERTIFICATE-----

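Concatenate it and your key into a single file, like this:

cat server_key.pem server_cert.pem > server_keycert.pem

Because the key was created with -nodes, server_keycert.pem holds an unencrypted private key. Make the file readable only by the account that runs the service.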

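A small script to create the client certificates (call it with sh client.sh and the client name as its argument):

#!/bin/bash
# Create a key, a CA-signed client certificate and a PKCS#12 bundle for one client.
set -e
name=$1
[ -n "$name" ] || { echo "usage: $0 <name>" >&2; exit 1; }

# New private key and certificate request (prompts for a passphrase and the subject)
openssl req -new -keyout "${name}_key.pem" -out "${name}_req.pem" \
 -days 730 -config ./openssl.cnf

# Sign the request with the CA, applying the client EKU from xpextensions
openssl ca -config ./openssl.cnf -policy policy_anything \
 -out "${name}_cert.pem" -extensions xpclient_ext -extfile \
 ./xpextensions -infiles "./${name}_req.pem"

# Keep only the PEM block (a fixed "grep -A20" window cuts off longer certificates)
openssl x509 -in "${name}_cert.pem" -out "${name}_cert_stripped.pem"

# Bundle certificate and key for import on the client
openssl pkcs12 -export -in "${name}_cert_stripped.pem" \
 -inkey "${name}_key.pem" -out "${name}_cert.p12" -clcerts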
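
A check to run on the file that openssl ca writes, before stripping it: confirm that the intended xpextensions section was applied and that the PEM block is complete. This is an added example, not part of the original wiki page; the function names and the sample input are assumptions made for the illustration, and the usage names are the ones OpenSSL prints for the two OIDs in xpextensions.

```bash
#!/bin/bash
# Added example: inspect the file written by `openssl ca -out` before stripping it.

# Print only the PEM block, whatever its length; fail if BEGIN/END is missing.
pem_block() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
        inside                          { print }
        /^-----END CERTIFICATE-----$/   { if (inside) closed = 1; inside = 0 }
        END                             { exit !closed }
    ' "$1"
}

# Print the Extended Key Usage line from the text dump above the PEM block.
eku_of() {
    awk '
        grab                         { sub(/^[ \t]+/, ""); print; exit }
        /X509v3 Extended Key Usage:/ { grab = 1 }
    ' "$1"
}

# usage: check_cert FILE client|server  (roles map to the xpextensions sections)
check_cert() {
    case "$2" in
        client) want="TLS Web Client Authentication" ;;  # 1.3.6.1.5.5.7.3.2
        server) want="TLS Web Server Authentication" ;;  # 1.3.6.1.5.5.7.3.1
        *) return 2 ;;
    esac
    [ "$(eku_of "$1")" = "$want" ] || return 1  # wrong or extra usages: reject
    pem_block "$1" > /dev/null                  # truncated file: reject
}

# Constructed sample, not a real certificate: text dump plus a 30-line body,
# longer than a fixed "grep -A20" window would keep.
sample() {
    printf 'Certificate:\n    Data:\n        X509v3 extensions:\n'
    printf '            X509v3 Extended Key Usage: \n                %s\n' "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    i=0; while [ "$i" -lt 30 ]; do echo 'Q09OU1RSVUNURUQ='; i=$((i + 1)); done
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Demo on the constructed sample
f=$(mktemp) && sample "TLS Web Client Authentication" > "$f"
check_cert "$f" client && echo "client cert OK: $(pem_block "$f" | wc -l) PEM lines"
rm -f "$f"
```

The text dump is only what openssl ca printed alongside the certificate. For an authoritative reading, decode the stripped PEM with openssl x509 -noout -text.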

For reference, see:

http://www.linuxjournal.com/article/8095
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml
http://www.jacco2.dds.nl/networking/crtimprt.html