Valitse organisaatio
How to Create a Self-Signed CA, Certificate, and CRL Revocation List for the DLB
Julkaisupäivä: Mar 2, 2024
Vaiheet
CONTENTS
You are using the DLB. Here is how to create a self-signed CA, certificate and CRL revocation list for the DLB.STEPS TO FOLLOW
1) Please run the following command to generate CA key:openssl genrsa -out ca.key 40962) Run the following to create self-signed root CA:
Ensure all fields are filled out and "Common Name" is different from your certificate (to be generated later).
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt3) Create private key for your certificate:
openssl genrsa -out cert.key 40964) Make a certificate request:
openssl req -new -key cert.key -out cert.csr5) Run the following:
touch certindex echo 01 > certserial echo 01 > crlnumber
6) Create a file called ca.conf and paste the following. Replace "test.com" with your desired certificate Common Name:
[ ca ] default_ca = myca [ crl_ext ] # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/ca.crt database = $dir/certindex private_key = $dir/ca.key serial = $dir/certserial default_days = 729 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 729 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = URI:http://test.com/root.crl subjectAltName = @alt_names [alt_names] DNS.1 = test.com DNS.2 = *.test.com
7) Sign your request:
openssl ca -batch -config ca.conf -notext -in cert.csr -out cert.crt
8) Export to a PKCS12 format:
openssl pkcs12 -export -out cert.p12 -inkey cert.key -in cert.crt -chain -CAfile ca.crt
9) Create the CRL file:
openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out rt.crl.pem openssl crl -inform PEM -in rt.crl.pem -outform DER -out root.crl rm rt.crl.pem
10) Convert the CRL file to PEM format:
openssl crl -in root.crl -inform DER -out crl.pem
11) Create a new DLB: link
Ensure that you have the following files selected for certificate (You can choose mandatory or optional for client certificate validation)
Knowledge-artikkelin numero
001115414
Ratkaisiko tämä artikkeli ongelmasi?
Anna palautetta, jotta voimme kehittyä!
