Creating private keys and certificates
About this task
The following steps explain how to create one key and one certificate. You can decide whether to use one key and certificate pair for the entire network, one for each domain, or one for each workstation. The steps below assume that you will be creating a key and certificate pair for each workstation and thus the name of the output files created during the process has been generalized to workstationname.
On each workstation, perform the following steps to create a private key and a certificate:
- Enter the following command from the SSL directory to initialize the pseudo random number generator; otherwise the subsequent commands might not work.
  - On Windows™ operating systems:
    $ openssl rand -out workstationname.rnd -rand ./openssl.exe 8192
  - On UNIX™ and Linux™ operating systems:
    $ openssl rand -out workstationname.rnd -rand ./openssl 8192
- Enter the following command to create the private key (this example shows triple-DES encryption):
  $ openssl genrsa -des3 -out workstationname.key 2048
  Then, save the password that was requested to encrypt the key in a file named workstationname.pwd.
  Note: Verify that file workstationname.pwd contains just the characters in the password. For instance, if you specified the word maestro as the password, your workstationname.pwd file should not contain any CR or LF characters at the end (it should be 7 bytes long).
- Enter the following command to save your password, encoding it in base64 into the appropriate stash file:
  $ openssl base64 -in workstationname.pwd -out workstationname.sth
  You can then delete file workstationname.pwd.
- Enter the following command to create a certificate signing request (CSR):
  $ openssl req -new -key workstationname.key -out workstationname.csr -config ./openssl.cnf
  Some values, such as company name, personal name, and more, are requested on screen. For future compatibility, you can specify the workstation name as the distinguished name.
- Send the workstationname.csr file to your CA in order to get the matching certificate for this private key. Using its private key (TWSca.key) and certificate (TWSca.crt), the CA signs the CSR (workstationname.csr) and creates a signed certificate (workstationname.crt) with the following command:
  $ openssl x509 -req -CA TWSca.crt -CAkey TWSca.key -days 365 -in workstationname.csr -out workstationname.crt -CAcreateserial
- Distribute to the workstation the new certificate workstationname.crt and the public CA certificate TWSca.crt.
Files for local options summarizes which of the files created during the process have to be set as values for the workstation's local options.
| Local option | File |
|---|---|
| SSL key | workstationname.key |
| SSL certificate | workstationname.crt |
| SSL key pwd | workstationname.sth |
| SSL ca certificate | TWSca.crt |
| SSL random seed | workstationname.rnd |
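The whole procedure above as one POSIX shell script, added here as an example and not part of the IBM documentation. It assumes openssl is on the PATH, that the CA key and certificate are available locally under the page's names TWSca.key and TWSca.crt (in practice the CSR is sent to the CA for that step), and it uses the -passout, -passin and -subj options so that no step prompts; the check_pwd_file helper enforces the "no trailing CR or LF" note from the key step.

```sh
#!/bin/sh
# Added example, not from the IBM page: shell helpers around the procedure
# above. Assumes openssl is on PATH, the CA files are TWSca.key / TWSca.crt
# as in the page, and uses -passout/-passin/-subj so that nothing prompts.

# Write the key password to the .pwd file with no trailing CR/LF
# (printf '%s', unlike echo, appends no newline).
write_pwd_file() {          # $1 = password, $2 = output file
    printf '%s' "$1" > "$2"
}

# Print the byte length of a file (7 for the password "maestro").
pwd_file_len() {            # $1 = .pwd file
    wc -c < "$1" | tr -d ' '
}

# Return 0 if the .pwd file is non-empty and ends in neither CR nor LF,
# 1 otherwise. A stray newline would be stashed as part of the password
# and the encrypted key could then not be opened with it.
check_pwd_file() {          # $1 = .pwd file
    [ -s "$1" ] || return 1
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d) return 1 ;;
        *)     return 0 ;;
    esac
}

# Full pipeline for one workstation: seed file, key, stash file, CSR,
# CA-signed certificate, and a chain check before the files are distributed.
create_workstation_cert() { # $1 = workstation name, $2 = key password
    ws=$1
    openssl rand -out "$ws.rnd" 8192               # SSL random seed
    write_pwd_file "$2" "$ws.pwd"
    check_pwd_file "$ws.pwd" || { echo "$ws.pwd has a trailing CR/LF" >&2; return 1; }
    openssl genrsa -des3 -passout "file:$ws.pwd" -out "$ws.key" 2048
    openssl base64 -in "$ws.pwd" -out "$ws.sth"    # SSL key pwd
    rm -f "$ws.pwd"
    openssl req -new -key "$ws.key" -passin "pass:$2" -subj "/CN=$ws" \
        -out "$ws.csr" -config ./openssl.cnf
    openssl x509 -req -CA TWSca.crt -CAkey TWSca.key -days 365 \
        -in "$ws.csr" -out "$ws.crt" -CAcreateserial
    openssl verify -CAfile TWSca.crt "$ws.crt"     # must print "$ws.crt: OK"
}
```

Run it as `create_workstation_cert workstationname maestro` from the SSL directory; the resulting .key, .crt, .sth and .rnd files are the ones listed in the table above.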