|
OpenSSL - Signing Certificates from Others
Part:
1
2
This chapter describes:
-
Why Certificates Need to Be Signed by CAs?
-
Generating a Certificate Signing Request for Your Own Public Key
-
Viewing Components of Certificate Signing Request
-
Signing a Certificate Signing Request
Why Certificates Need to Be Signed by CAs?
In the previous chapter, we learned how to put your own public key in
a certificate and sign it by your own private key to make it as a self-signed
certificate.
Of course, you can send your self-signed certificate to your communication
partner and start to use it to encrypt the communication data.
However, this only works if your communication partner knows you and trusts
your digital signature.
In the case where you communication partner can not trust you directly, what you
can do is to send your public key to a certificate authority (CA) and ask them to sign it
for you. To do this, you need to put your public key into a certificate signing request
(CSR), and mail it to a CA. The CA will verify the request and put your public key
in a certificate and sign it with CA's private key.
When your partner receives your public key signed by a CA, he can validate the signature
with the CA's public key. If the validation is ok, he can then trust your public key.
Here is a simple diagram that illustrates the certificate signing and validation process:
Your public key
You ---- Certificate signing request ---> CA
| |
| |Sign
| |
Your public key + CA signature | v
You <----- Certificate signed by CA --------
| |
|Send |Send
| |
v CA's public key v
Partner <-- Self-signed certificate ------
|
|Verify your certificate with CA's public key
|to trust your public key in the certificate
|
v
OK
Generating a Certificate Signing Request for Your Own Public Key
In order to send your public key to a CA for signing, you need to put the public key
in a file called certificate signing request (CSR). Here is how to use the "req"
command to do this:
>openssl req -new -key herong_rsa_des.key -out herong.csr
-config openssl.cnf
Enter pass phrase for herong_rsa_des.key:
You are about to be asked to enter information that will be incorp...
into your certificate request.
What you are about to enter is what is called a Distinguished Name...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:Herong Yang
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:myreq
An optional company name []:
>type herong.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBETCBvAIBADBXMQswCQYDVQQGEwJDTjELMAkGA1UECBMCUE4xCzAJBgNVBAcT
AkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDASBgNVBAMTC0hlcm9uZyBZ
YW5nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKnmGcbuiAGG2XKek5LbVwF7AoT8
HuNXXip7KyWevbrFlSxJWSjfpmeGJo7/Nsw6hFwor28RyAy1wsW5BNYOXdECAwEA
AaAAMA0GCSqGSIb3DQEBBAUAA0EALE+d7H514HyQXu2CgwXYDvqZRngFLZFdGxQN
6AtEXXV+eC2c+URNBcmoF3oghJdPqZv7D1nZ7EBf20XSWzioQA==
-----END CERTIFICATE REQUEST-----
Note that the certificate is also saved in an encoded format called PEM.
(Continued on next part...)
Part:
1
2
| 