https://wiki.umiacs.umd.edu/adapt/index.php?action=history&feed=atom&title=Tutorials%3ACreateCertAuthTutorials:CreateCertAuth - Revision history2026-04-05T16:55:25ZRevision history for this page on the wikiMediaWiki 1.43.7https://wiki.umiacs.umd.edu/adapt/index.php?title=Tutorials:CreateCertAuth&diff=1967&oldid=prevScsong at 23:15, 11 September 20082008-09-11T23:15:31Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 23:15, 11 September 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">__NOTOC__</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Setting up CA and certificates==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Setting up CA and certificates==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
</table>Scsonghttps://wiki.umiacs.umd.edu/adapt/index.php?title=Tutorials:CreateCertAuth&diff=1966&oldid=prevScsong at 23:14, 11 September 20082008-09-11T23:14:59Z<p></p>
<p><b>New page</b></p><div>==Setting up CA and certificates==<br />
<br />
<br />
===Create CA Directories===<br />
<br />
This example assumes ~/ssl will contain all certificates and private keys. You should probably delete client keys after creation and<br />
distribution of the pkcs12 keystore. If you want to create new clients, just go to the creating client section down below. If you need a keystore w/ additional certificates in it. You should create your own pem files w/ all required certs.<br />
<br />
The CA below has been copied into naraapp:~naraapp/ssl , w/ the cacart using the same password as the account. Client and producer keystores are also in the directory w/ passwords client and producer respectively.<br />
<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ mkdir ssl<br />
[toaster@loach ~/ssl]$ cd ssl<br />
[toaster@loach ~/ssl]$ touch index.txt<br />
[toaster@loach ~/ssl]$ echo 100001 > serial<br />
</pre><br />
<br />
Download the openssl.cnf listed below and put it in this directory<br />
<br />
===Create CA Certificate===<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf <br />
Generating a 1024 bit RSA private key<br />
....................................++++++<br />
...........++++++<br />
writing new private key to 'private/cakey.pem'<br />
Enter PEM pass phrase:<br />
Verifying - Enter PEM pass phrase:<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [Maryland]:<br />
Locality Name (eg, city) [College Park]:<br />
Organization Name (eg, company) [UMIACS]:<br />
Organizational Unit Name (eg, section) []:ADAPT CA<br />
Common Name (eg, your name or your server's hostname) []:Adapt Project CA<br />
Email Address []:toaster@umiacs.umd.edu<br />
</pre><br />
<br />
===Create Producer keystore===<br />
<br />
Generate producer pub/priv key<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl req -new -nodes -out producer-req.pem -keyout private/producer-key.pem -days 365 -config ./openssl.cnf<br />
Generating a 1024 bit RSA private key<br />
.....................................++++++<br />
.........................++++++<br />
writing new private key to 'private/producer-key.pem'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [Maryland]:<br />
Locality Name (eg, city) [College Park]:<br />
Organization Name (eg, company) [UMIACS]:<br />
Organizational Unit Name (eg, section) []:PAWN Producer<br />
Common Name (eg, your name or your server's hostname) []:Pawn Producer<br />
Email Address []:toaster@umiacs.umd.edu<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</pre><br />
<br />
Now it's time to sign the certificate<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl ca -out producer-cert.pem -days 365 -config ./openssl.cnf -infiles producer-req.pem<br />
Using configuration from ./openssl.cnf<br />
Enter pass phrase for ./private/cakey.pem:<br />
Check that the request matches the signature<br />
Signature ok<br />
Certificate Details:<br />
Serial Number: 1048577 (0x100001)<br />
Validity<br />
Not Before: Jul 21 21:19:32 2005 GMT<br />
Not After : Jul 21 21:19:32 2006 GMT<br />
Subject:<br />
countryName = US<br />
stateOrProvinceName = Maryland<br />
organizationName = UMIACS<br />
organizationalUnitName = PAWN Producer<br />
commonName = Pawn Producer<br />
emailAddress = toaster@umiacs.umd.edu<br />
X509v3 extensions:<br />
X509v3 Basic Constraints: <br />
CA:FALSE<br />
Netscape Comment: <br />
OpenSSL Generated Certificate<br />
X509v3 Subject Key Identifier: <br />
7A:20:C4:91:8A:67:F4:21:A5:8F:8D:B8:92:BE:02:61:34:4F:02:02<br />
X509v3 Authority Key Identifier: <br />
keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95<br />
DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Ada<br />
pt Project CA/emailAddress=toaster@umiacs.umd.edu<br />
serial:00<br />
<br />
Certificate is to be certified until Jul 21 21:19:32 2006 GMT (365 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</pre><br />
<br />
Create the producer's keystore. Due to java's requirements that all items in a keystore have names (trusted certs...) We label the CA certificate cacert, and the producer's certificate producer. You can change this on the server if you want to use other alias names. <br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl pkcs12 -export -in producer-cert.pem -inkey private/producer-key.pem \ <br />
-certfile cacert.pem -caname cacert -name "producer" -out producer.p12<br />
<br />
Enter Export Password:<br />
Verifying - Enter Export Password:<br />
</pre><br />
<br />
Next, we create a cert file that has both the ca and producer certificates. This is used when generating client keystores<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ cp cacert.pem ca-producer.pem<br />
[toaster@loach ~/ssl]$ cat newcerts/producer.pem >> ca-producer.pem<br />
</pre><br />
<br />
===Create Client keystores===<br />
<br />
Client keystore's are almost identical, except they contain an extra certificate for the producer they are connected to. This allows the client to verify the authenticity of generated SAML certificated to prevent man-in-the-middle attacks.<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl req -new -nodes -out client-req.pem -keyout private/client-key.pem -days 365 -config ./openssl.cnf<br />
Generating a 1024 bit RSA private key<br />
......................++++++<br />
..................++++++<br />
writing new private key to 'private/client-key.pem'<br />
-----<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [US]:<br />
State or Province Name (full name) [Maryland]:<br />
Locality Name (eg, city) [College Park]:<br />
Organization Name (eg, company) [UMIACS]:<br />
Organizational Unit Name (eg, section) []:PAWN Client<br />
Common Name (eg, your name or your server's hostname) []:Pawn Client<br />
Email Address []:toaster@umiacs.umd.edu<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
</pre><br />
<br />
Now sign it.<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl ca -out client-cert.pem -days 365 -config ./openssl.cnf -infiles client-req.pem<br />
Using configuration from ./openssl.cnf<br />
Enter pass phrase for ./private/cakey.pem:<br />
Check that the request matches the signature<br />
Signature ok<br />
Certificate Details:<br />
Serial Number: 1048578 (0x100002)<br />
Validity<br />
Not Before: Jul 21 21:25:50 2005 GMT<br />
Not After : Jul 21 21:25:50 2006 GMT<br />
Subject:<br />
countryName = US<br />
stateOrProvinceName = Maryland<br />
organizationName = UMIACS<br />
organizationalUnitName = PAWN Client<br />
commonName = Pawn Client<br />
emailAddress = toaster@umiacs.umd.edu<br />
X509v3 extensions:<br />
X509v3 Basic Constraints: <br />
CA:FALSE<br />
Netscape Comment: <br />
OpenSSL Generated Certificate<br />
X509v3 Subject Key Identifier: <br />
6C:10:B8:0D:08:72:63:15:29:69:B9:2F:9C:CB:C2:50:DF:C4:F7:D0<br />
X509v3 Authority Key Identifier: <br />
keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95<br />
DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Adapt Project CA/emailAddress=toaster@umiacs.umd.edu<br />
serial:00<br />
<br />
Certificate is to be certified until Jul 21 21:25:50 2006 GMT (365 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
</pre><br />
<br />
Build the keystore w/ ca and producer's certs in addition to local keys<br />
<br />
<pre><br />
[toaster@loach ~/ssl]$ openssl pkcs12 -export -in client-cert.pem -inkey private/client-key.pem -certfile ca-producer.pem \<br />
-caname cacert -caname producer -name "client" -out client.p12<br />
<br />
Enter Export Password:<br />
Verifying - Enter Export Password:<br />
</pre><br />
<br />
-- Main.MikeSmorul - 21 Jul 2005</div>Scsong