Respect My (Certificate) Authority!

Now that we've got our environment set up, it's time to create the CA and issue some keys. Since OpenSSL is so complex, it works a little differently from the usual *NIX commands. Most notably, the first argument is a sub-command (req, ca, x509 and so on) that selects the operation, and the rest of the options apply to that sub-command.

To create a new key pair, we first generate the private key together with a "certificate request" (sub-command "req"), which bundles the public key with the name we want certified. The request is then sent off to be signed by the CA and comes back as a bona fide certificate. Creating the CA's own key pair starts out exactly the same way, using the command below.

For most of the responses, you can just hit Enter to accept the defaults we set up in the config file. Make sure to use a strong pass phrase for the CA key: if the key file is ever copied off the machine, that pass phrase is the only thing standing between the attacker and a working copy of your CA key. (The pA55w0rD shown below is only a placeholder.)

~/CA $ openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
Generating a 2048 bit RSA private key
..........................................+++
...+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: pA55w0rD
Verifying - Enter PEM pass phrase: pA55w0rD
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:CA
Email Address []:you@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, we need to "self-sign" the certificate to turn it into a CA.

~/CA $ openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem: pA55w0rD
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f2:c8:4a:d0:f5:09:28:b7
        Validity
            Not Before: Oct 24 03:17:49 2007 GMT
            Not After : Oct 23 03:17:49 2008 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = CA
            emailAddress              = you@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02
            X509v3 Authority Key Identifier:
                keyid:D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02
                DirName:/C=US/ST=The Great State You Live In/O ...
                serial:F2:C8:4A:D0:F5:09:28:B7

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Oct 23 03:17:49 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(Note that the DirName: line above was truncated [...] because it was too wide for most browser screens!)

In the command above, "-create_serial" (new in recent versions of OpenSSL) generates a random hex serial number for this certificate and stores it in the CA's serial file. "-extensions" names the section of the openssl.cnf config file whose X.509v3 extensions are appended to the newly created certificate. In this case, we're using the v3_ca section which, among other things, contains this setting on line 234:

basicConstraints = CA:true

This marks the certificate as a CA certificate, so its key can be used to sign other certificates.

The last step is to create a copy of the CA certificate in the binary DER encoding, because some Windows certificate import tools expect binary rather than the Base64 text of the PEM file.

~/CA $ openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der
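The three steps above (request, self-sign, DER copy), run end to end as an added example that is not the article's own script. It creates the ~/CA layout in a scratch directory, answers the prompts from the command line instead of interactively, then checks what the article relies on: CA:TRUE is present, the certificate validates against itself, the DER and PEM copies are the same certificate, and the key file really is locked by the pass phrase. It also issues one server certificate from the new CA to show the request-then-sign flow described earlier. The openssl.cnf it writes is a minimal stand-in for the tutorial's config file, which this page does not reproduce; the openssl CLI (1.1.1 or 3.x) is assumed to be on PATH, and the www.example.com name is made up.

```shell
#!/bin/sh
# Added example, not the article's own script: build the tutorial's CA non-interactively
# and verify it. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. The openssl.cnf
# written below is a minimal stand-in for the tutorial's config file (not on this page).
CA_PASS="pA55w0rD"          # the article's placeholder pass phrase; use a strong one for real

write_config() {            # $1 = absolute CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = no
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
[ v3_server ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

build_ca() {                # $1 = scratch directory; produces cakey.pem, cacert.pem, cacert.der
    dir=$(cd "$1" && pwd) || return 1
    mkdir -p "$dir/private" "$dir/newcerts" && chmod 700 "$dir/private" || return 1
    : > "$dir/index.txt"    # empty certificate database, as the setup step prepared it
    write_config "$dir"
    # Step 1: key pair plus certificate request (-subj replaces the interactive DN prompts)
    openssl req -new -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -keyout "$dir/private/cakey.pem" -passout "pass:$CA_PASS" \
        -subj "/C=US/O=SmallNetBuilder/OU=Security Division/CN=CA" \
        -out "$dir/careq.pem" || return 1
    # Step 2: self-sign with the v3_ca extensions, turning the request into a CA certificate
    openssl ca -batch -create_serial -selfsign -config "$dir/openssl.cnf" \
        -keyfile "$dir/private/cakey.pem" -passin "pass:$CA_PASS" \
        -extensions v3_ca -notext -in "$dir/careq.pem" -out "$dir/cacert.pem" || return 1
    # Step 3: binary DER copy for importers that do not take PEM text
    openssl x509 -inform PEM -in "$dir/cacert.pem" -outform DER -out "$dir/cacert.der"
}

check_ca() {                # $1 = CA directory; returns 0 only if every property holds
    dir=$1
    # basicConstraints CA:TRUE is what lets this certificate sign others
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    # self-signed: it validates with itself as the trust anchor
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cacert.pem" >/dev/null || return 1
    # PEM and DER are two encodings of one certificate, so the fingerprints match
    pem=$(openssl x509 -in "$dir/cacert.pem" -noout -fingerprint -sha256)
    der=$(openssl x509 -inform DER -in "$dir/cacert.der" -noout -fingerprint -sha256)
    [ -n "$pem" ] && [ "$pem" = "$der" ] || return 1
    # the key file is encrypted: wrong pass phrase fails, right one loads
    if openssl pkey -in "$dir/private/cakey.pem" -passin pass:wrong -noout 2>/dev/null; then return 1; fi
    openssl pkey -in "$dir/private/cakey.pem" -passin "pass:$CA_PASS" -noout
}

issue_server_cert() {       # $1 = CA directory, $2 = host name; a request signed by the new CA
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/$2.key" -subj "/C=US/O=SmallNetBuilder/CN=$2" -out "$dir/$2.req" || return 1
    openssl ca -batch -config "$dir/openssl.cnf" -cert "$dir/cacert.pem" \
        -keyfile "$dir/private/cakey.pem" -passin "pass:$CA_PASS" \
        -extensions v3_server -notext -in "$dir/$2.req" -out "$dir/$2.pem" || return 1
    # the issued certificate chains to the CA and is not itself a CA
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$2.pem" >/dev/null || return 1
    openssl x509 -in "$dir/$2.pem" -noout -text | grep -q 'CA:FALSE'
}

if [ "${1:-}" = "run" ]; then   # usage: sh ca_demo.sh run
    tmp=$(mktemp -d) && build_ca "$tmp" && check_ca "$tmp" \
        && issue_server_cert "$tmp" www.example.com && echo "CA built and verified in $tmp"
fi
```

The -batch and -subj options are what make the run non-interactive; everything else mirrors the article's commands. Passing the pass phrase with pass: on the command line is convenient for a throwaway demo but leaves it in shell history and the process list, so for a real CA keep the interactive prompt the article uses.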
