Difference between revisions of "Manual:Create Certificates"

From MikroTik Wiki
Jump to navigation Jump to search
(Created page with '<div class=manual> Following is a step-by-step guide to creating your own CA (Certificate Authority) with openssl on Linux. ==Generate certificates== <ul> <li> First step is to…')
 
Line 35: Line 35:


</ul>
</ul>
To examine certificate run following command:
<pre>
openssl x509 -noout -text -in server.crt -purpose
</pre>


==Import certificates==
==Import certificates==

Revision as of 10:52, 31 May 2010

Following is a step-by-step guide to creating your own CA (Certificate Authority) with openssl on Linux.

Generate certificates

  • First step is to build the CA private key and CA certificate pair.
    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    

    During the process you will have to fill few entries (Common Name (CN), Organization, State or province .. etc). Created CA certificate/key pair will be valid for 10 years (3650 days).

  • Now create private-key/certificate pair for the server
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr
    
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
    

    And again during the process you will have to fill some entries. When filling CN remember that it must not match on CA and server certificate otherwise later naming collision will occur.

    Icon-note.png

    Note: Common Name (CN) should match the DNS name, or the IP address of your server otherwise you will get "domain mismatch" message and for example Windows SSTP client will not be able to connect to the server.


  • Client key/certificate pair creation steps are very similar to server. Remember to Specify unique CN.
    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
    
    openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
    

To examine certificate run following command:

openssl x509 -noout -text -in server.crt -purpose

Import certificates

[ Top | Back to Content ]