
Respect My (Certificate) Authority!

Now that we've got our environment set up, it's time to create the CA and issue some keys. Because OpenSSL does so much, it works a little differently from the usual *NIX commands. Most notably, the first argument is one of a handful of sub-commands (req, ca, x509 and so on), and each sub-command takes its own set of options.

To create a new key pair, first we create a "certificate request" (sub-command "req"). The certificate request is then sent off to be signed by the CA and becomes a bona fide certificate, i.e. a signed public key. Creating the CA key pair starts off the same way we'd create a regular key pair, using the command below.

For most of the responses, you just hit the Enter key to accept the defaults we set up in the config file. Make sure to use a strong pass phrase for the CA key: if the key file is ever copied off the machine, that pass phrase is the only thing standing between the attacker and your CA.

~/CA $ openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
Generating a 2048 bit RSA private key
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: pA55w0rD
Verifying - Enter PEM pass phrase: pA55w0rD
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:CA
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, we need to "self-sign" the certificate to turn it into a CA.

~/CA $ openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem: pA55w0rD
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            Not Before: Oct 24 03:17:49 2007 GMT
            Not After : Oct 23 03:17:49 2008 GMT
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = CA
            emailAddress              =
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=The Great State You Live In/O ...

            X509v3 Basic Constraints:
Certificate is to be certified until Oct 23 03:17:49 2008 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(Note that the DirName: line above was truncated [...] because it was too wide for most browser screens!)

In the command above, "-create_serial" (new in recent versions of OpenSSL) creates a random hex serial number for this certificate. "-extensions" specifies the section of the openssl.cnf config file to look in for the X.509v3 extensions to append to the newly created certificate (public key). In this case, we're using the v3_ca section which, among other things, contains this setting on line 234:

basicConstraints = CA:true

This Basic Constraints extension marks the certificate as a CA certificate, which allows its key to be used to sign other certificates, i.e. to act as the CA. You can see it listed under "X509v3 Basic Constraints" in the output above.

The last step is to create a copy of the CA certificate encoded in the DER format, because Windows expects binary (DER) encoded certificates when you import them.

~/CA $ openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der
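The whole procedure above, run non-interactively with a minimal config file and followed by the two checks worth making on the result (an added example, not the article's own commands; the config layout, the "test-only" pass phrase and the temp-directory paths are assumptions):

```shell
# Added example (not from the SmallNetBuilder article): build a throwaway CA
# non-interactively the way the article does, then verify it. Assumes
# `openssl` is on PATH; everything is written to a fresh temp directory.
set -eu
make_test_ca() {
  dir=$(mktemp -d)
  mkdir -p "$dir/private" "$dir/newcerts"
  touch "$dir/index.txt"
  # Minimal stand-in for the article's openssl.cnf (assumed, not theirs).
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Step 1: key pair plus certificate request ("test-only" is a constructed pass phrase).
  openssl req -new -newkey rsa:2048 -keyout "$dir/private/cakey.pem" \
    -out "$dir/careq.pem" -config "$dir/openssl.cnf" \
    -subj "/CN=Example Test CA" -passout pass:test-only >/dev/null 2>&1
  # Step 2: self-sign the request with the v3_ca extensions, making it a CA.
  openssl ca -batch -create_serial -selfsign -extensions v3_ca -days 365 \
    -config "$dir/openssl.cnf" -keyfile "$dir/private/cakey.pem" \
    -passin pass:test-only -in "$dir/careq.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
  # Step 3: DER copy for importing on Windows.
  openssl x509 -inform PEM -outform DER -in "$dir/cacert.pem" -out "$dir/cacert.der"
  echo "$dir"
}
# Check 1: the signed certificate must actually carry CA:TRUE.
ca_cert_is_ca() {
  openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}
# Check 2: the DER copy must be the same certificate as the PEM original.
der_matches_pem() {
  pem=$(openssl x509 -in "$1/cacert.pem" -noout -fingerprint -sha256)
  der=$(openssl x509 -inform DER -in "$1/cacert.der" -noout -fingerprint -sha256)
  [ "$pem" = "$der" ]
}
```

If either check fails, the certificate was signed without the v3_ca section or the DER conversion read the wrong file, which is exactly what a silent typo in the commands above produces.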
