Join Sean Colins for an in-depth discussion in this video Generating a server certificate, part of Understanding Secure Sockets Layer.
- View Offline
- I will now show you how to enter the OpenSSL set of commands necessary to create your certificate authority. Couple of housekeeping things before we get started with this movie. In the last movie, I issued the sudo -s command in order to go into a root session and I want you to do the same thing, you should be looking at an interface that looks a lot like mine if you're on OS 10 if you are in a variant of UNIX or Windows, it should look like whatever you as the "God" user on your system. The other thing I want to mention is that you should be cded or changed directory directly into the certificates directory that you had set up in the previous movie, so mine was named groundswell so I'm going to go into that because the commands that we're going to be issuing will be placing things into the folder structure we created within that directory and if you're not in there, then the commands that we'll be issuing won't be able to find where they're putting stuff.
Quite simple, I'm going to just paste in here something that I have typed previously and I'm going to make a couple of minor additions here. So here we are in the openssl command and the openssl command is going to be modified by the request verb, so what we have here is openssl is requesting a new x509 certificate with a new rsa key of a 2048 bit length with a keyout to the private directory inside of the groundswell folder that's there, that's why we have to go in there.
Right, makes sense, do not rename cakey.pem that needs to be that in order for the rest of our commands to work and that's going to go out to a cacert.pem and that is going to be valid for 3650 days which if you're counting is 10 years. That's a pretty common thing you're gonna find out there but it's a long time for a certificate authority to be valid and keep in mind that your rsa key length here has to do with password strength and computing power will increase over time, you may wanna make this number larger than it is in my example, it's entirely up to you however.
When you've got numbers that you like and you think you've got your information typed correctly simply hit the return key and you will see that it will generate your RSA private key it will write out to the private key in that private directory as we told it to and it will give it the name that we told it to have. It will then ask you for a pass phrase which you can type in and it will ask you to verify it which you will type in again and then it will ask you to start entering information about what country, etcetera. I'd like to point out that the US is here because we changed that configuration file in the last movie, so I wanted to show you that's evidenced right there.
We will put in US, we will type out the name of our state because that is the standard as is being told to us right here and hit return, we will put in our locality, that's just where you're from, that's the city you're in, so that's Los Angeles in my case and the Organization Name I'm going to type Groundswell and the organizational unit, that's usually IT and the common name, so it's important to use the fully qualified domain name of your server if you have a DNS enabled environment. I usually like to recommend that even if people are not using DNS in their environment that they just stick with the standard of using an FQDN, so in my case that's going to be certs.groundswell.com And an email address which is optional and there are some notes on various versions of UNIX that this in some cases causes a bug, so you may not want to enter this, it is optional, so it's not necessary, I'm going to skip it.
And so when you hit return at that field, you end up at the command line prompt and you're done with this part of the process, your CA is present and created. In the next movie, we'll move on to the next step in this process.
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms
Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.