How do I set up my own certificate authority
I tried Google on the above question, and the most recent thing I found was 7 years old. Replacing the phrase used generates a lot of hits with a very poor signal-to-noise ratio.
I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other open-source software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
If you know of a URL where this is well explained and illustrated, great. Give that to me.
Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
Any assistance would be appreciated.
Thanks,
Ted
========failed attempt=====================
# Generation of Certificate Authority(CA)
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
# Create server request and key
openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
# Remove the passphrase from the key
openssl rsa -in server-key.pem -out server-key.pem
# Sign server cert
openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
# Create client request and key
openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
# Remove a passphrase from the key
openssl rsa -in client-key.pem -out client-key.pem
# Sign client cert
openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf
The following works for me:
NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
1. Create CA key and certificate
1.1 Create a new file called "serial" containing the value "01".
1.2 Create an empty file "index.txt"
1.3 Create a subdirectory "newcerts"
1.4 Execute... create a key for your CA
[ben@localhost ca]$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
..........................................................+++
e is 65537 (0x10001)
1.5 Execute... create a certificate for your own CA
[ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
County or State (full name) []:
City or town (eg, Hitchin) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
2. Create PK key and .csr
2.1 Execute...
[ben@localhost ca]$ keytool -genkey -alias PK
Enter keystore password: password
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=, OU=, O=, L=, ST=, C=GB correct?
[no]: yes
Enter key password for <PK>
(RETURN if same as keystore password):
2.2 Create .csr
[ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
Enter keystore password: password
3. Sign PK with CA cert
[ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 5 19:48:33 2006 GMT
Not After : Jan 5 19:48:33 2007 GMT
Subject:
countryName = GB
stateOrProvinceName =
organizationName =
organizationalUnitName =
commonName =
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
X509v3 Authority Key Identifier:
keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
serial:F0:D1:38:36:65:6D:71:D5
Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. Convert PK certificate into DER format
[ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
5. Import CA certificate into keystores
[ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
Enter keystore password: password
Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
Serial number: f0d13836656d71d5
Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
Certificate fingerprints:
MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
Trust this certificate? [no]: yes
Certificate was added to keystore
6. Import signed PK into keystore
[ben@localhost ca]$ keytool -import -alias pk -file PK.der
Enter keystore password: password
Certificate reply was installed in keystore
REF:
http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
http://www.openssl.org/docs/apps/ca.html#
openssl.cnf:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
# we use PrintableString+UTF8String mask so if pure ASCII texts are used
# the resulting certificates are compatible with Netscape
string_mask = MASK:0x2002
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = County or State (full name)
stateOrProvinceName_default =
localityName = City or town (eg, Hitchin)
localityName_default =
0.organizationName = Organization Name (eg, company)
0.organizationName_default =
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
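Ben's whole procedure as one script, added here as an example (it is neither the original poster's attempt nor Ben's session) that uses OpenSSL alone: it writes its own openssl.cnf with sha256, 2048-bit keys and policy_anything, so the server DN need not match the CA's as the stock file's policy_match requires, then builds the CA, signs a server CSR with a subjectAltName and verifies the chain. The CSR comes from openssl req rather than keytool, and the CA name and hostname used in the calls are constructed values.

```shell
#!/bin/sh
# Added example (not the page's own script): a private CA built with OpenSSL
# alone. $1 is always the CA directory; all names are constructed values.
set -eu

# A self-contained openssl.cnf, so the stock file in /usr/ssl (md5,
# 1024-bit keys, policy_match) is never consulted. dir=. means run from $1.
write_ca_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/ca.key
default_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1.1-1.5: serial, index.txt, newcerts/, CA key, self-signed CA cert.
setup_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  write_ca_config "$1"
  ( cd "$1" \
    && openssl genrsa -out ca.key 2048 2>/dev/null \
    && openssl req -config openssl.cnf -new -x509 -key ca.key -sha256 \
         -days 3650 -subj "/CN=$2" -out cacert.pem )
}

# Steps 2-3: server key and CSR (openssl req stands in for keytool -certreq),
# then signing with end-entity extensions and a subjectAltName for the host.
issue_server_cert() {
  ( cd "$1" \
    && openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
         -keyout "$2.key" -subj "/CN=$2" -out "$2.csr" 2>/dev/null \
    && printf '%s\n' 'basicConstraints = CA:FALSE' \
         'keyUsage = critical, digitalSignature, keyEncipherment' \
         'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
         'authorityKeyIdentifier = keyid,issuer' "subjectAltName = DNS:$2" \
         > "$2.ext" \
    && openssl ca -config openssl.cnf -batch -notext -extfile "$2.ext" \
         -in "$2.csr" -out "$2.pem" )
}

# Step 4 plus a check Ben's session lacks: DER copy for keytool -import,
# chain validation against the CA, and the SAN actually present in the cert.
verify_server_cert() {
  ( cd "$1" \
    && openssl x509 -in "$2.pem" -outform DER -out "$2.der" \
    && openssl verify -CAfile cacert.pem "$2.pem" >/dev/null \
    && openssl x509 -in "$2.pem" -noout -text | grep -q "DNS:$2" )
}
```

Run setup_ca DIR 'CA name' once, then issue_server_cert DIR hostname for each server; the resulting .der file is what keytool -import expects in step 6.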