PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl x509 -CA ..." - CA Signing Certificate
This section describes the 'openssl x509 -CA ...' command, which allows you to act as a CA (Certificate Authority) and sign a CSR into a certificate.
The "openssl x509 -CA ..." command is used as shown in this tutorial:
1. Generate a self-signed certificate to be used as a CA.
herong$ openssl req -x509 -out ca-cert.pem \
  -newkey ec -pkeyopt ec_paramgen_curve:P-384 -keyout ca-key.pem
Generating an EC private key
writing new private key to 'key.pem'
Enter PEM pass phrase: TopSecret
Verifying - Enter PEM pass phrase: TopSecret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ZZ Root CA
Email Address []:
2. Look at information in the CA certificate.
herong$ openssl x509 -in ca-cert.pem -noout \
  -subject -issuer -ext basicConstraints
subject=C = ZZ, CN = ZZ Root CA
issuer=C = ZZ, CN = ZZ Root CA
X509v3 Basic Constraints: critical
    CA:TRUE
3. Look at information in the CSR received.
herong$ openssl req -in csr.pem -subject -noout
subject=C = ZZ, L = My City, CN = Herong Yang
4. Sign the CSR into a certificate using ca-cert.pem and ca-key.pem.
herong$ openssl x509 -req -in csr.pem -out cert.pem \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial
Signature ok
subject=C = ZZ, L = My City, CN = Herong Yang
Getting CA Private Key
Enter pass phrase for key.pem: TopSecret
5. Look at information in the certificate.
herong$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            0f:00:6b:4c:69:47:e4:5d:39:88:3e:99:ad:e9:ab:ea:9a:6c:55:69
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, CN = ZZ Root CA
        Validity
            Not Before: Nov 18 22:01:43 2024 GMT
            Not After : Dec 18 22:01:43 2024 GMT
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:76:66:7b:d2:f6:c3:64:35:23:e2:63:d7:d1:9a:
                    f8:e9:f5:7a:79:ac:82:0a:93:10:3d:f5:ce:b6:8b:
                    ...
                    c6:50:ea:f9:68:85:41
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:30:04:d8:b1:c7:f2:58:9a:ce:dc:bc:fd:a9:55:7e:
         5e:b9:57:d0:24:eb:50:6a:97:c0:ea:dc:12:52:da:33:e1:a1:
         ...
         7c:fa:37:05:ee:e9:32:f2:bb:cd:96:24:0e
Cool! I have successfully completed the entire certificate generation process using "openssl" commands: from private/public key generation, to CSR generation, to self-signed CA certificate generation, to CSR signing.
The final output, cert.pem, binds my name to my public key and bears a digital signature issued by a CA. But it contains only the minimum information (a version 1 certificate with no extensions) and is not suitable for any PKI application.
In order to generate a usable certificate, you need to use the "openssl ca" command as shown in the next chapter.
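As an added example (not the tutorial's own commands), the five steps above scripted non-interactively, plus two checks the tutorial leaves out: "openssl verify" against the signing CA (and against an unrelated CA, which must fail), and an -extfile so the issued certificate is a version 3 certificate rather than the bare version 1 one shown in step 5. File names, subject values and the e-mail address are constructed; an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands. Runs the five steps above
# non-interactively and then checks the result. File names, subject values and
# the e-mail address are constructed; an openssl binary on PATH is assumed.
set -eu

# Build a CA, sign a CSR with it, verify the chain, and print the X.509 version
# of the issued certificate. Everything happens inside the directory $1.
sign_with_ca() {
  (
    mkdir -p "$1" && cd "$1"

    # Step 1: self-signed CA certificate with an encrypted P-384 EC key.
    # -subj and -passout replace the prompts answered by hand in the tutorial.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
      -keyout ca-key.pem -out ca-cert.pem -days 365 \
      -subj "/C=ZZ/CN=ZZ Root CA" -passout pass:TopSecret 2>/dev/null

    # The CSR to sign (the tutorial's csr.pem came from an earlier chapter).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-384 -nodes \
      -keyout key.pem -out csr.pem -subj "/C=ZZ/L=My City/CN=Herong Yang" 2>/dev/null

    # Step 4: sign the CSR. -extfile adds v3 extensions, which the tutorial's
    # command omits; without them the result is the bare version-1 certificate
    # shown in step 5. CA:FALSE stops the issued certificate from acting as a CA.
    cat > ext.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:herong@example.com
EOF
    openssl x509 -req -in csr.pem -out cert.pem -days 30 \
      -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
      -passin pass:TopSecret -extfile ext.cnf 2>/dev/null

    # Check 1: the issued certificate chains to the CA that signed it.
    openssl verify -CAfile ca-cert.pem cert.pem >/dev/null

    # Check 2: an unrelated CA must not verify it (the signature binds the issuer).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-384 -nodes \
      -keyout other-key.pem -out other-ca.pem -subj "/C=ZZ/CN=Other CA" 2>/dev/null
    if openssl verify -CAfile other-ca.pem cert.pem >/dev/null 2>&1; then exit 1; fi

    # Report the version field: 3 means the v3 extensions were written.
    openssl x509 -in cert.pem -noout -text | awk '/Version:/ { print $2; exit }'
  )
}
```

Run it as `sign_with_ca /tmp/ca-demo`; -CAcreateserial also leaves a ca-cert.srl file holding the next serial number, which the tutorial's step 4 creates the same way.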