Managing Certificates

Creating a Self-Signed Certificate

Procedure

Step 1

Command or Action:

openssl genrsa -out CA_keyfilename keysize

Example:

# openssl genrsa -out ca.key 1024

Purpose:

This command generates an RSA private key that will be used by the CA.

Note: To allow the CA to access the key without user input, do not use the -des3 option for this command.

The specified file name contains an RSA key of the specified key size.

Step 2

Command or Action:

openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename

Example:

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Purpose:

This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

The certificate server is an active CA.

Step 3

Command or Action:

echo "nsCertType = server" > openssl.conf

Example:

# echo "nsCertType = server" > openssl.conf

Purpose:

This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.

The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".

Step 4

Command or Action:

openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf

Example:

# openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04 -CAkey ca.key -out myserver05.crt -extfile openssl.conf

Purpose:

This command directs the CA to use your CSR file to generate a server certificate.

Your server certificate is contained in the output file.
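The four steps above, run end to end in a scratch directory and followed by the checks worth making before the server certificate is uploaded. This is an added example, not a script from the Cisco guide; it assumes openssl is on PATH, generates a CSR locally as a stand-in for the one exported from the CIMC, and uses 2048-bit keys where the guide's examples show 1024.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: runs the four-step CA procedure
# from the table above in a scratch directory, then checks the result.
# Assumptions: openssl is on PATH; the CSR is generated locally as a stand-in
# for the CSR exported from the CIMC; 2048-bit keys are used (guide shows 1024).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="$(mktemp -d)"
cd "$WORK"

# Steps 1-3: CA key (no -des3, so the CA can read it without a passphrase
# prompt), self-signed CA certificate, and the one-line extension file.
build_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=Example CIMC CA" 2>/dev/null
    echo "nsCertType = server" > openssl.conf
}

# Constructed stand-in for the CSR the CIMC would export.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out csr.txt \
        -subj "/CN=cimc.example.invalid" 2>/dev/null
}

# Step 4: the CA signs the CSR, applying the extension file. The serial is a
# parameter: every certificate issued by one CA must carry a distinct serial.
sign_csr() {
    openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial "$1" \
        -CAkey ca.key -out server.crt -extfile openssl.conf 2>/dev/null
}

# Checks to run before uploading server.crt to the CIMC.
ca_key_is_unencrypted() { ! grep -q ENCRYPTED ca.key; }
cert_chains_to_ca() { openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; }
cert_is_server_only() { openssl x509 -in server.crt -noout -text | grep -q "SSL Server"; }
cert_serial() { openssl x509 -in server.crt -noout -serial; }

build_ca
make_csr
sign_csr 04
ca_key_is_unencrypted
cert_chains_to_ca
cert_is_server_only
echo "server.crt ($(cert_serial)) issued by ca.crt in $WORK and marked server-only"
```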

This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.

# /usr/bin/openssl genrsa -out ca.key 1024

Generating RSA private key, 1024 bit long modulus

.............++++++

.....++++++

e is 65537 (0x10001)

# /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Release 1.5

146

OL-28893-01
