Simple Things
Ink and Incapability
hexeract.wordpress.com/2009/04/16/60/
01/08/13
ca.config (continued; the beginning of the file is on the preceding page, which is not included here)

```
distinguished_name = acme_ca
x509_extensions = root_ca_extensions
[acme_ca]
commonName = ACME Root CA
stateOrProvinceName = Rainbow
countryName = DE
emailAddress = info@invalid.example
organizationalUnitName = ACME Root CA
[root_ca_extensions]
basicConstraints = CA:true
```
3. Create the certificate authority key and certificate

For some odd reason you cannot hit return to accept the default values; re-enter one of them.

```
$ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/null | ...   # rest of the line is cut off in the source
$ echo $mypasswd > ca.key.passphrase
$ openssl genrsa -des3 -passout pass:$mypasswd -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config ca.   # cut off in the source
```
4. Create a certificate signing request (for our CA to sign)

Preferably, do this in another directory so as not to get confused. Enter all data as requested, with the common name (CN) being signme.com.

```
$ mycn=signme.com
$ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/null | ...   # rest of the line is cut off in the source
$ echo $mypasswd > $mycn.key.passphrase
$ openssl genrsa -des3 -passout pass:$mypasswd -out $mycn.key 1024
$ openssl rsa -in $mycn.key -out $mycn.key.decrypted -passin pass:$mypa   # cut off in the source
$ openssl req -new -key $mycn.key -out $mycn.csr -passin pass:$mypasswd
```
5. Sign the certificate signing request

Now the example certificate signing request can be signed by the newly created certificate authority.

```
$ name=signme.com
$ password=$(cat ca.key.passphrase)
$ openssl ca -config ./ca.config -passin pass:$password -out $name.crt   # cut off in the source
```
6. What the heck are all these files in the CA directory?

ca.config - the certificate authority configuration file
ca.key - the certificate authority key file
ca.key.passphrase - the certificate authority key file passphrase
ca.crt - the certificate authority certificate (self-signed)
ca.db.index - keeps track of which certificate signing requests you have signed
ca.db.index.attr - keeps a configuration item for ca.db.index
ca.db.serial - serial number iterator
signme.com.crt - the signed certificate
signme.com.csr - the certificate signing request
01.pem - same as signme.com.crt, as this was the first signed certificate

7. Verify that the root certificate authority has actually signed the certificate signing request

```
$ openssl verify -CAfile ca.crt signme.com.crt
```
8. Generate the certificate revocation list (CRL)

```
$ password=$(cat ca.key.passphrase)
$ openssl ca -gencrl -config ./ca.config -passin pass:$password -keyfil   # cut off in the source
```
9. Revoke a certificate signed by the root certificate authority

This will put the bad certificate into the certificate revocation list of the root certificate authority.

```
$ password=$(cat ca.key.passphrase)
$ openssl ca -config ./ca.config -passin pass:$password -revoke signme.   # cut off in the source
```
That was it. You can now run your own certificate authority.
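The whole cycle from steps 3 to 9 in one scratch directory, as an added example that is not part of the original post: the ca.config it writes is my own minimal one (the [acme_ca] file names match the list in step 6), the passphrase handling and the "ACME Root CA" / signme.com names follow the post, and the final check shows why the CRL must be regenerated after a revocation. It assumes only the openssl command-line tool.

```shell
ca_demo() (
  set -e
  cd "$(mktemp -d)"
  cat > ca.config <<'EOF'
[ca]
default_ca = acme_ca
[acme_ca]
database = ca.db.index
serial = ca.db.serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = acme_policy
[acme_policy]
commonName = supplied
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca_extensions]
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
EOF
  touch ca.db.index; echo 01 > ca.db.serial
  capw=$(openssl rand -hex 16)   # CA key passphrase (the post keeps it in ca.key.passphrase)
  openssl genrsa -aes256 -passout pass:"$capw" -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -passin pass:"$capw" -subj "/CN=ACME Root CA" \
    -config ca.config -extensions root_ca_extensions -out ca.crt
  openssl genrsa -out signme.com.key 2048 2>/dev/null
  openssl req -new -key signme.com.key -subj "/CN=signme.com" -config ca.config -out signme.com.csr
  openssl ca -batch -config ca.config -passin pass:"$capw" -in signme.com.csr -out signme.com.crt 2>/dev/null
  openssl ca -gencrl -config ca.config -passin pass:"$capw" -out ca.crl 2>/dev/null   # step 8
  openssl ca -config ca.config -passin pass:"$capw" -revoke signme.com.crt 2>/dev/null  # step 9
  stale=$(crl_status signme.com.crt)   # the CRL on disk still predates the revocation
  openssl ca -gencrl -config ca.config -passin pass:"$capw" -out ca.crl 2>/dev/null   # step 8 again
  fresh=$(crl_status signme.com.crt)
  echo "stale=$stale fresh=$fresh"   # prints: stale=ok fresh=revoked
)
# Verify "$1" against ca.crt with CRL checking and classify the outcome
crl_status() {
  case "$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1)" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo ok ;;
    *) echo error ;;
  esac
}
```

The example uses 2048-bit keys and SHA-256 throughout; the 1024-bit key in step 4 is below current minimums for RSA.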
1 Comment
Anonymous 6.9.09 / 1pm
Don't forget to update your crl after revoking a certificate in step 9 (repeat step 8).