Commonmark migration

-out filename

This specifies the output filename to write to or standard output by default.

-keyout filename

This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.

added 1997 characters in body
garethTheRed

The structure you've configured in the .conf file will work when you use the openssl ca command to sign a request from a subordinate (CA or end-entity). However, to get it to the stage where you can sign certificates, it needs the CA certificate and key in place. Your openssl req command generates those. To get sensible values in the CA certificate you need to add more to your .conf file.

Something similar to the following should get you started:

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

[ req_dn ]

countryName            = GB
stateOrProvinceName    = Somewhere
organizationName       = Example
organizationalUnitName = PKI
commonName             = Example Test Root CA

[ ca_ext ]

# Extensions added to the self-signed CA certificate
# (with -x509 the section named by -extensions goes into the certificate, not into a request)

basicConstraints =  critical, CA:TRUE
keyUsage =          critical, keyCertSign, cRLSign

Create the CA certificate with a slightly modified version of your previous command:

openssl req -x509 -newkey rsa:4096 -keyout /home/will/myCA/private/cakey.pem -out /home/will/myCA/cacert.pem -days 3650 -nodes -config <path-to>/openssl.cnf -extensions ca_ext

Note: you only need the -config option if you're not using/editing the default config file.

If everything works, you'll have the correct certificate and key in place for your CA config above. Before you can sign any certificates with the openssl ca command, you'll need to make sure index.txt exists and create serial with an initial serial number (such as 01).

OpenSSL is the Swiss-Army knife of crypto and therefore has many options. Unfortunately, reading the man pages is the only way to get to understand it.
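The answer describes the whole bootstrap in prose: a `[ req ]` config with a fixed DN, `openssl req -x509` to mint the CA certificate and key, then `index.txt` and `serial` so that `openssl ca` will run. The following POSIX shell script carries that procedure through end to end, including signing one CSR with `openssl ca` and checking the result. It is an added example, not code from the answer or from the asker's .conf: it uses a scratch directory in place of /home/will/myCA, supplies its own minimal `[ ca ]`/`[ CA_default ]`, policy and leaf-extension sections (the asker's CA sections are not shown on this page), uses 2048-bit keys only to keep the run short (use 4096 as in the answer for anything real), and assumes `openssl` is on PATH. The helper names are the example's own. Note that `-nodes` leaves the CA private key unencrypted on disk, which is only acceptable for a throw-away test CA.

```sh
#!/bin/sh
# Added example, not code from the original answer: build a test root CA with
# `openssl req -x509`, create the index.txt and serial files that `openssl ca`
# needs, sign one CSR with `openssl ca` and verify the result.
# Helper names and the [ca]/[CA_default]/policy_any/leaf_ext sections are this example's own.

# Build a self-signed root CA under the absolute directory $1.
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir/private" "$ca_dir/newcerts" || return 1
  chmod 700 "$ca_dir/private"   # the CA key directory must not be readable by others

  # [req]/[req_dn]/[ca_ext] drive `openssl req`; [ca]/[CA_default] drive `openssl ca`.
  # \$dir is left literal so OpenSSL expands it; $ca_dir is expanded by the shell here.
  cat > "$ca_dir/openssl.cnf" <<EOF
[ req ]
prompt             = no
string_mask        = default
distinguished_name = req_dn

[ req_dn ]
countryName            = GB
stateOrProvinceName    = Somewhere
organizationName       = Example
organizationalUnitName = PKI
commonName             = Example Test Root CA

[ ca_ext ]
# With -x509 these go into the self-signed certificate itself.
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = leaf_ext

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ leaf_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

  # -x509 turns the request straight into a self-signed certificate.
  # -nodes leaves the key unencrypted: fine for a throw-away test CA, not for a real one.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -config "$ca_dir/openssl.cnf" -extensions ca_ext \
    -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null || return 1

  # `openssl ca` refuses to start until its database and the next serial exist.
  : > "$ca_dir/index.txt"
  echo 01 > "$ca_dir/serial"
}

# Generate a leaf key and CSR as $2.key / $2.csr for CN $3. The CA config is reused
# only so the run doesn't depend on a system-wide openssl.cnf; -subj overrides its DN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/openssl.cnf" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Sign CSR $2 with the CA in $1, writing a PEM-only certificate to $3.
sign_csr() {
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3" 2>/dev/null
}

# Succeed only if the CA certificate carries CA:TRUE and $2 chains to it.
verify_leaf() {
  openssl x509 -in "$1/cacert.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# End-to-end run in a scratch directory; prints that directory on success.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && make_csr "$d" "$d/leaf" www.example.test \
    && sign_csr "$d" "$d/leaf.csr" "$d/leaf.crt" && verify_leaf "$d" "$d/leaf.crt" || return 1
  printf '%s\n' "$d"
}

# Stand-alone run: afterwards newcerts/01.pem holds a copy of the issued certificate.
ca_home=$(demo) && echo "CA built under $ca_home; issued certificate: $ca_home/leaf.crt"
```

After a run, the scratch directory shows what `openssl ca` maintains for you: `newcerts/01.pem` is a copy of the issued certificate named after its serial, `serial` has advanced to `02`, and `index.txt` has gained a `V` (valid) line for the new certificate.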



garethTheRed

The files pointed to by [ CA_defaults ] are used internally by the openssl ca command.

If you look inside the new_certs_dir you would see all certificates signed by the CA when using the openssl ca command, with filenames consisting of the certificate serial number with .pem appended.

As you're using openssl req those files aren't used.

The man page for the req command has this to say:

-out filename

This specifies the output filename to write to or standard output by default.

It will therefore write to the filename given, located in the directory from which you're running the command; or it will write to standard output.

-keyout filename

This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.

This will write to the filename given, again located in the directory from which you're running the command; or it will write to the filename given in the default_keyfile option (under [ req ] of course).

In both cases, you could give the absolute path to the files in your commands if you don't want them placed in the current directory.
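The path behaviour described in this answer can be checked directly. The script below is an added example, not code from the answer: it runs `openssl req` from inside a scratch directory once with a relative -out and no -keyout (so the key must land in ./privkey.pem via default_keyfile and the CSR in ./req.pem), and once with absolute -keyout/-out paths under a second directory (so nothing new may appear in the current directory). It assumes `openssl` is on PATH; the default_keyfile value, the CN and the helper names are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original answer: where `openssl req` puts its
# outputs. A relative -out/-keyout is resolved against the current directory, a
# missing -keyout falls back to default_keyfile under [ req ], and an absolute
# path goes exactly where it says. Helper names and values are this example's own.

# Write a minimal non-prompting request config to $1 with default_keyfile = $2.
write_req_config() {
  cat > "$1" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
default_bits       = 2048
default_keyfile    = $2

[ req_dn ]
commonName = path-demo.example.test
EOF
}

# Run from inside $1 with a relative -out and no -keyout: the key must land in
# ./privkey.pem (the default_keyfile) and the CSR in ./req.pem, both under $1.
run_with_defaults() {
  write_req_config "$1/req.cnf" privkey.pem
  ( cd "$1" && openssl req -new -newkey rsa:2048 -nodes -config req.cnf -out req.pem 2>/dev/null ) \
    || return 1
  [ -f "$1/privkey.pem" ] && [ -f "$1/req.pem" ]
}

# Run from inside $1 but give -keyout/-out absolute paths under $2: nothing new may
# appear in the current directory, and both files must appear under $2.
run_with_absolute_paths() {
  write_req_config "$1/req.cnf" privkey.pem
  ( cd "$1" && openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
      -keyout "$2/leaf.key" -out "$2/leaf.csr" 2>/dev/null ) || return 1
  [ -f "$2/leaf.key" ] && [ -f "$2/leaf.csr" ] && [ ! -f "$1/leaf.key" ] && [ ! -f "$1/leaf.csr" ]
}

# Stand-alone run with two scratch directories.
demo() {
  work=$(mktemp -d) && dest=$(mktemp -d) || return 1
  run_with_defaults "$work" && run_with_absolute_paths "$work" "$dest" || return 1
  echo "default_keyfile put the key in $work/privkey.pem; absolute -keyout put one in $dest/leaf.key"
}
demo
```

The same rule applies to `openssl req -x509`: unless you pass absolute paths (as the /home/will/myCA/... arguments in the other revision do), the CA certificate and key end up wherever you happened to run the command.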