The openssl command line tool creates the certificates used to configure secured communications. It
requires a configuration file that supplies default parameters such as the key size or the private key file name.
OpenSSL is provided with a default configuration file called openssl.cnf.
Note: openssl looks for the openssl.cnf file in the directory where it is executed and stops if
the file is not present. To use the openssl tool from any directory, set the OPENSSL_CONF environment variable to
the location of the configuration file.
For information on how the openssl tool works, refer to the openssl documentation at
http://www.openssl.org/docs/apps/openssl.html.
- Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyRootCA.csr
Note: This creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
- Remove the password of the private key (Optional):
$ openssl rsa -in privkey.pem -out MyRootCA.pem
Note: Removing the password of a certificate authority's private key is not recommended.
- Create a self-signed certificate from the Certificate Signing Request for a validity period of 365 days:
$ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt -req -signkey MyRootCA.pem -days 365
Notes:
If you want an official Root Certificate Authority, you must send the CSR file to one of the established Certificate Authority companies on the Internet
(instead of creating it with openssl).
Creation of an X509 certificate requires a serial number, provided in the OpenSSL configuration file; if it is not set there, you must specify it with the -set_serial option.
- Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyCA.csr
Note: This creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
- Remove the private key password (Optional):
$ openssl rsa -in privkey.pem -out MyCA.pem
Note: Removing the password of a certificate authority's private key is not recommended.
- Create a certificate from the Certificate Signing Request, signed by (and therefore trusted through) the Root Certificate Authority:
$ openssl x509 -in MyCA.csr -out MyCA.crt -req -CA MyRootCA.crt -CAkey MyRootCA.pem -CAcreateserial
Note: Do not combine -signkey with -CA here: -signkey makes openssl self-sign the request with the given key instead of signing it with the Root CA key. -CAcreateserial creates the serial number file (MyRootCA.srl) that the CA uses for the certificates it issues.
Notes:
If you want an official Certificate Authority, you must send the CSR file to one of the established Certificate Authority companies on the Internet
(instead of creating it with openssl).
Creation of an X509 certificate requires a serial number, provided in the OpenSSL configuration file; if it is not set there, you must specify it with
the -set_serial option, or, when signing with -CA, use -CAcreateserial so that openssl creates and maintains a serial number file for the CA.
- Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyCert.csr
Note: This command creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
- Remove the private key password (Optional):
$ openssl rsa -in privkey.pem -out MyCert.pem
- Create a certificate from the Certificate Signing Request, signed by (and therefore trusted through) the Certificate Authority:
$ openssl x509 -in MyCert.csr -out MyCert.crt -req -CA MyCA.crt -CAkey MyCA.pem -CAcreateserial
Note: As for the CA certificate, -signkey is omitted: with -signkey the request would be self-signed with MyCert.pem rather than signed by the CA key. -CAcreateserial creates the CA's serial number file (MyCA.srl) if it does not exist yet.
Notes:
If you want an official Certificate, you must send the CSR file to one of the established Certificate Authority companies on the Internet
(instead of creating it with openssl).
Creation of an X509 certificate requires a serial number, provided in the OpenSSL configuration file; if it is not set there, you must specify it with the -set_serial option, or, when signing with -CA, use -CAcreateserial so that openssl creates and maintains a serial number file for the CA.
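The three procedures above (Root CA, CA, end certificate) run end to end, as an added example that is not part of the original page: it creates the keys and CSRs non-interactively (-nodes, -subj, -batch, so the password-removal step is unnecessary), signs the CA and end certificate with -CA/-CAkey/-CAcreateserial, and then checks the result with openssl verify. The temporary directory, the subject names, the ca.ext file with basicConstraints and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original page's commands: build the chain
# Root CA -> CA -> end certificate and verify it with openssl.
set -eu

# make_key_and_csr NAME SUBJECT: unencrypted private key (NAME.pem) plus CSR
# (NAME.csr). Key size and subject are assumptions of this example.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "$2" \
        -keyout "$1.pem" -out "$1.csr" 2>/dev/null
}

# build_chain DIR: creates MyRootCA, MyCA and MyCert in DIR and verifies
# MyCert.crt against the root; returns non-zero if any step fails.
build_chain() {
    mkdir -p "$1"
    (
        cd "$1"
        # CA certificates need basicConstraints CA:TRUE; without it openssl
        # verify rejects a non-self-signed intermediate as an invalid CA.
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

        make_key_and_csr MyRootCA "/CN=Example Root CA"
        make_key_and_csr MyCA     "/CN=Example CA"
        make_key_and_csr MyCert   "/CN=host.example"

        # Root CA: self-signed with its own key (-signkey), 365 days.
        openssl x509 -req -in MyRootCA.csr -signkey MyRootCA.pem -days 365 \
            -extfile ca.ext -out MyRootCA.crt 2>/dev/null
        # CA: signed by the root, so -CA/-CAkey and no -signkey;
        # -CAcreateserial creates MyRootCA.srl for the serial numbers.
        openssl x509 -req -in MyCA.csr -CA MyRootCA.crt -CAkey MyRootCA.pem \
            -CAcreateserial -days 365 -extfile ca.ext -out MyCA.crt 2>/dev/null
        # End certificate: signed by the CA (no CA:TRUE extension).
        openssl x509 -req -in MyCert.csr -CA MyCA.crt -CAkey MyCA.pem \
            -CAcreateserial -days 365 -out MyCert.crt 2>/dev/null

        # Trust only the root and pass the CA as an untrusted intermediate:
        # this is how a client sees the chain. Prints "MyCert.crt: OK".
        openssl verify -CAfile MyRootCA.crt -untrusted MyCA.crt MyCert.crt
    )
}
```

Run it as `build_chain /tmp/chain-demo`; the verify step fails if the CA certificate had been produced with -signkey (self-signed) instead of being signed by the root.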
- Concatenate all certificate authorities in order of importance, listing the most important first:
$ openssl x509 -in MyCA1.crt -text >> CAList.pem
$ openssl x509 -in MyCA2.crt -text >> CAList.pem
$ openssl x509 -in MyCA3.crt -text >> CAList.pem
- Create a certificate as described above.
- Create a PKCS12 file containing the certificate and its private key in one file:
$ openssl pkcs12 -export -inkey MyCert.pem -in MyCert.crt -out MyCert.p12
Note: The generated .p12 file is protected by a password and can then be transported safely.
- On a Windows system, open this .p12 file and follow the instructions provided.
Note: If you select strong verification during the import process, a pop-up is displayed each time an application accesses the private key, asking the user whether the application is allowed to use it.
- Create a certificate authority as described above.
- Open the .crt certificate file.
- Click Install Certificate and follow the instructions provided.
Note: Windows automatically places the certificate in the certificate authority list of the key store.