This is a quick post to list the steps about generating the Customer Signed Certificate by using openssl on Linux platform (Take CentOS as an example).
The basic knowledge of CA can be referenced at below Wiki page:
- Step 1: Create a customer folder to store the customer private key, CSR and certificates.
cd /etc/pki/tls/ mkdir customercert cd customercert
- Step 2: Generate an openssl.cnf file.
Edit the openssl.cnf as per below example. In this example, the Subject Alternative Names (IP and host short-name) are also included.
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = AU stateOrProvinceName = QLD localityName = Brisbane organizationName = MyCompany Inc. commonName = TestServer01.mycompany.com.au [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = TestServer01 DNS.2 = 10.196.10.10
Save the openssl.cnf file.
- Step 3: Generate the CSR (Certificate Signing Request) and private key
openssl req -out TestServer01.csr -newkey rsa:2048 -nodes -keyout TestServer01private.key -config openssl.cnf
The expected output is as below:
Generating a 2048 bit RSA private key
writing new private key to ‘TestServer01private.key’
Two files (TestServer01.csr and TestServer01private.key) will be generated if command can run successfully. Before sending the CSR to CA admin in your organization, verify the key with below command.
openssl req -noout -text -in TestServer01.csr
- Step 4: CA Admin issue the certificate
Now, you can send CSR file (TestServer01.csr in this example) to CA admin, CA admin will utilize the CSR to issue the certificate file back. Once you received the certificate file, you can install the certificate with private key as per the instruction of application (web service for example).