root@linux# mkdir /root/ca
root@linux# cd /root/ca
root@linux# openssl req -new -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 3650
Es sind nun die Dateien cacert.pem (das CA-Zertifikat) und cakey.pem (der private CA-Schlüssel) vorhanden.
root@linux# chmod 600 cakey.pem
* Testen, ob der Schlüssel mit dem Passwort geöffnet werden kann:
root@linux# openssl rsa -in cakey.pem -noout -text
root@linux# openssl genrsa -out serverkey.pem -aes128 2048 -days 3650
root@linux# openssl rsa -in serverkey.pem -out serverkey.pem
root@linux# openssl req -new -key serverkey.pem -out req.pem -nodes
Mittlerweile sind vier Dateien im Verzeichnis:
root@linux# ls cacert.pem cakey.pem req.pem serverkey.pem
dir = .                        # Where everything is kept
new_certs_dir = $dir           # default place for new certs
private_key = $dir/cakey.pem   # The private key
RANDFILE = $dir/.rand          # private random number file
default_days = 3650            # how long to certify for
root@linux# echo 01 > serial
root@linux# touch index.txt
root@linux# openssl ca -in req.pem -notext -out servercert.pem
Kommando | Erläuterung |
---|---|
req | creates and processes certificate requests in PKCS#10 format; also creates self-signed certificates for use as root CAs |
rsa | processes / converts RSA keys |
genrsa | generates an RSA private key |
ca | minimal CA application: signs certificate requests, generates CRLs, and maintains a text database of issued certificates and their statuses |