Join Sean Colins for an in-depth discussion in this video, Installing your certificate on a client system, part of Understanding Secure Sockets Layer.
- In the last step we created our certificate authority. In this step we're going to create the certificate and the certificate signing request. Okay, so let's type out that request and then I'm going to talk you through what it means. Okay, so here is our code. So openssl is being used to request new nodes, a new key in fact, an RSA key of 1024 bits. It's keying out to the private directory in our 'where everything is located' directory.
The groundswell, and you can name that whatever you want, .key, don't change the extension. Then it's sending that out to a request for groundswell.req. That's the certificate signing request, so this is two different things. It's creating the certificate and the certificate signing request and then the days that this will be valid will be 1095, which equals three years. Again, you can change that number as well. You could also change the RSA key length of 1024 to a longer key length if you wanted to increase security, but add a time penalty in calculation of the encryption.
So that being said, let's issue. You see the RSA private key was even faster because it was a shorter key length, which is great and it gives you some pretty good instructions here. You're about to be asked to enter information that will be incorporated into your certificate request. The distinguished name is something you need to be careful about here. We want to be sure that we put in information that is going to be valid in here for the server on which we're going to install the certificate. So because this is the certificate for the server and it's incorporating a certificate signing request, what we put here matters.
Especially when we get down to the name of the server and we're going to get to that shortly. So I'm gonna type US because that's the country and state is going to be California. Locality we'll do Los Angeles again. Organization name, Groundswell. Organizational unit again, IT, but again this is different, right? This is a different thing. Common name here, so this is where we would put in the fully qualified domain name of our server, right, and we had said that that was going to be certs.groundswell.com.
Email address, I'm leaving out. Please enter the following extra attributes. A challenge password, you should make this something really good, really solid. I'm simply going to do abc123 because we're teaching. This is not going anywhere. This is totally not real. You would not do that. I'm doing it for ease of remembering it here in the course. Don't ever make a password that short and that easy to remember. And an optional company name, and we're done.
Okay, so what we've just done is we've created our certificate and we've issued the request to the certificate authority that we created in the previous step. In the next step I'm going to show you how to sign the certificate with the certificate authority with yet another set of commands.
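The key and signing-request step walked through in the transcript above, as an added example that is not the command typed in the video: it generates the request non-interactively with the distinguished name values read out in the video, then runs the checks a CA operator would make before signing. The function names, the directory layout and the 2048-bit minimum are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the command typed in the video. Function names, the
# directory layout and the 2048-bit floor are assumptions; the DN values
# are the ones read out in the transcript.
MIN_BITS=2048

# make_csr <dir> <name> <bits> <cn>: write private/<name>.key and <name>.req
make_csr() {
  local dir=$1 name=$2 bits=$3 cn=$4
  mkdir -p "$dir/private" && chmod 700 "$dir/private" || return 1
  # -nodes leaves the key unencrypted on disk, so create it owner-only.
  # -days is omitted: a CSR carries no validity period, and openssl req
  # ignores -days unless -x509 is given; the CA sets validity when signing.
  ( umask 077
    openssl req -new -nodes -newkey "rsa:$bits" \
      -keyout "$dir/private/$name.key" -out "$dir/$name.req" \
      -subj "/C=US/ST=California/L=Los Angeles/O=Groundswell/OU=IT/CN=$cn" \
      2>/dev/null )
}

# csr_bits <csr>: public key size recorded in the request
csr_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn <csr>: Common Name from the request's subject
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_csr <csr> <expected-cn>: checks to run before the CA signs
check_csr() {
  local csr=$1 want=$2
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
    { echo "bad self-signature"; return 1; }
  [ "$(csr_bits "$csr")" -ge "$MIN_BITS" ] 2>/dev/null ||
    { echo "key too short"; return 1; }
  [ "$(csr_cn "$csr")" = "$want" ] || { echo "CN mismatch"; return 1; }
  echo ok
}

# Demo run in a throwaway directory (constructed input).
work=$(mktemp -d)
make_csr "$work" groundswell 2048 certs.groundswell.com &&
  check_csr "$work/groundswell.req" certs.groundswell.com   # prints: ok
rm -rf "$work"
```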
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms
Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.