The openssl command line tool creates certificates for the configuration of secured communications. It requires a configuration file with the default parameters such as the key size or the private key name. OpenSSL is provided with a default configuration file called openssl.cnf.
Note: openssl looks for the openssl.cnf file in the directory where it is executed; it stops if the file is not present. To use the openssl tool from any directory, set the OPENSSL_CONF environment variable to specify the location of the configuration file.
For information on how the openssl tool works, refer to the openssl documentation at http://www.openssl.org/docs/apps/openssl.html.
Create the root certificate authority serial file:
$ echo 01 > MyRootCA.srl
Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyRootCA.csr
Note: This creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
Remove the password of the private key (Optional):
$ openssl rsa -in privkey.pem -out MyRootCA.pem
Note: Removing the password of a certificate authority's private key is not recommended.
Create a self-signed certificate from the Certificate Signing Request for a validity period of 365 days:
$ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt -req -signkey MyRootCA.pem -days 365
Note: If you want an official Root Certificate Authority, you must send the CSR file to one of the established Certificate Authority companies on the Internet (instead of creating the certificate with openssl).
Create a CSR (certificate signing request):
$ openssl req -new -out MyCA.csr
Note: This creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
Remove the private key password (Optional):
$ openssl rsa -in privkey.pem -out MyCA.pem
Note: Removing the password of a certificate authority's private key is not recommended.
Create a certificate from the Certificate Signing Request and trusted by the Root Certificate Authority:
$ openssl x509 -in MyCA.csr -out MyCA.crt -req -signkey MyCA.pem -CA MyRootCA.crt -CAkey MyRootCA.pem -days 365
Note: If you want an official Certificate Authority, you must send the CSR file to one of the established Certificate Authority companies on the Internet (instead of creating the certificate with openssl).
Create the certificate serial file:
$ echo 01 > MyCA.srl
Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyCert.csr
Note: This command creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
Remove the private key password (Optional):
$ openssl rsa -in privkey.pem -out MyCert.pem
Create a certificate from the Certificate Signing Request and trusted by the Certificate Authority:
$ openssl x509 -in MyCert.csr -out MyCert.crt -req -signkey MyCert.pem -CA MyCA.crt -CAkey MyCA.pem -days 365
Note: If you want an official certificate, you must send the CSR file to one of the established Certificate Authority companies on the Internet (instead of creating the certificate with openssl).
Concatenate all certificate authorities in order of importance, listing the most important first:
$ openssl x509 -in MyCA1.crt -text >> CAList.pem
$ openssl x509 -in MyCA2.crt -text >> CAList.pem
$ openssl x509 -in MyCA3.crt -text >> CAList.pem
Create a certificate. See Create a certificate.
Create a specific PKCS12 file containing the certificate and its private key in one file:
$ openssl pkcs12 -export -inkey MyCert.pem -in MyCert.crt -out MyCert.p12
Note: The generated .p12 file is protected by a password and can therefore be transported without risk.
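The following script is an added example; it is not part of the original page and not the product's own tooling. It runs the whole procedure above non-interactively (root CA, intermediate CA signed by the root, end-entity certificate signed by the intermediate, then the PKCS12 bundle) and checks the result with openssl verify. Assumptions: openssl 1.1.1 or later is on PATH, the file names are the page's (MyRootCA, MyCA, MyCert), and the subjects and the export password "changeit" are constructed values. Two deviations from the page are deliberate: the keys are created unencrypted with -nodes instead of being created with a password and then stripped with openssl rsa, and each certificate gets an -extfile, because "openssl x509 -req" without extensions writes a version 1 certificate, and OpenSSL's verifier rejects an intermediate CA that lacks a basicConstraints CA:TRUE extension (error "invalid CA certificate").

```shell
#!/bin/sh
# Added example (not from the original page). Builds the page's three-level
# chain non-interactively, verifies it, and packs the leaf into a .p12 file.
# Assumes openssl 1.1.1+ on PATH; subjects and password are constructed.
set -eu

# Build the chain inside directory $1 (a subshell, so the caller's cwd is kept).
# Returns openssl verify's status: 0 when MyCert.crt chains to MyRootCA.crt.
build_chain() (
    mkdir -p "$1"
    cd "$1"

    # Extensions for the two CA certificates. Without basicConstraints CA:TRUE
    # a verifier refuses to accept MyCA.crt as the issuer of MyCert.crt.
    cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Extensions for the end-entity certificate: explicitly not a CA.
    cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # 1. Root CA: serial file, CSR with a fresh unencrypted key (-nodes replaces
    #    the page's password prompt plus the "openssl rsa" step), self-signed cert.
    echo 01 > MyRootCA.srl
    openssl req -new -newkey rsa:2048 -nodes -keyout MyRootCA.pem \
        -subj "/CN=Example Root CA" -out MyRootCA.csr
    openssl x509 -req -in MyRootCA.csr -signkey MyRootCA.pem -days 365 \
        -extfile ca.ext -out MyRootCA.crt

    # 2. Intermediate CA signed by the root. -CAserial names the serial file
    #    explicitly; the page relies on the default name MyRootCA.srl.
    openssl req -new -newkey rsa:2048 -nodes -keyout MyCA.pem \
        -subj "/CN=Example Intermediate CA" -out MyCA.csr
    openssl x509 -req -in MyCA.csr -CA MyRootCA.crt -CAkey MyRootCA.pem \
        -CAserial MyRootCA.srl -days 365 -extfile ca.ext -out MyCA.crt

    # 3. End-entity certificate signed by the intermediate.
    echo 01 > MyCA.srl
    openssl req -new -newkey rsa:2048 -nodes -keyout MyCert.pem \
        -subj "/CN=server.example.test" -out MyCert.csr
    openssl x509 -req -in MyCert.csr -CA MyCA.crt -CAkey MyCA.pem \
        -CAserial MyCA.srl -days 365 -extfile leaf.ext -out MyCert.crt

    # 4. Verify: trust only the root and pass the intermediate as untrusted,
    #    which is exactly what a TLS client would have to do with this chain.
    openssl verify -CAfile MyRootCA.crt -untrusted MyCA.crt MyCert.crt
)

# Export MyCert with its private key into a password-protected .p12 inside $1.
# -certfile adds the issuing CAs so the bundle carries the whole chain;
# -passout supplies the export password non-interactively (constructed value).
# Prints the number of certificates the bundle contains when read back.
export_p12() (
    cd "$1"
    cat MyCA.crt MyRootCA.crt > chain.pem
    openssl pkcs12 -export -inkey MyCert.pem -in MyCert.crt -certfile chain.pem \
        -passout pass:changeit -out MyCert.p12
    # Read-back check: list the certificates only; the password is required.
    openssl pkcs12 -in MyCert.p12 -nokeys -passin pass:changeit \
        | grep -c 'BEGIN CERTIFICATE'
)

# Stand-alone usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    build_chain "$work"
    export_p12 "$work"
fi
```

Remove -nodes (and add a -passout/-passin pair) if the CA keys must stay encrypted at rest, as the page's notes recommend. The .srl file is rewritten with the next serial after each signature, so the two serial files are the only state the "mini CA" keeps between runs; back them up together with the keys.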
On a Windows system, open this .p12 file and follow the instructions provided.
Note: If you select strong verification during the import process, a pop-up is displayed each time an application accesses the private key, asking the user whether the application is allowed to use it.
Create a certificate authority. See Create a certificate authority.
Open the .crt certificate file.
Click Install Certificate and follow the instructions provided.
Note: Windows automatically places the certificate in the certificate authority list of the key store.
To view a certificate, enter the x509 command:
$ openssl x509 -in MyCompanyCA.crt -noout -text