Hello.

If you want decent documentation on how to set up a CA using OpenSSL
you should have a look at

http://www.cert.dfn.de/dfnpca/certify/ssl/handbuch/

It covers only OpenSSL 0.9.2 but there aren't that many changes anyway.
BUT if you don't understand any German you're out of luck.

Anyway, here are the basic steps for creating a self-signed certificate
and for using that certificate to create a user cert. and import it into
Netscape. I'll give you just the raw commands, you'll have to dig for
the deep knowledge that's behind it. Tell me if you find something...


Create a self-signed cert:

1. create a public/private key pair:
> openssl genrsa -des3 -out CAkey.pem 2048
2. create auto-signed request:
> openssl req -new -x509 -days 730 -key CAkey.pem -out CAcert.pem
CAcert.pem is your new root-cert.

Create a user cert and sign it:
1. create key:
> openssl genrsa -des3 -out userkey.pem 1024
2. create request:
> openssl req -new -key userkey.pem -out userreq.pem
3. sign it:
> openssl ca -in userreq.pem -out usercert.pem
4. transform into pkcs12 format in order to import it into browser:
> openssl pkcs12 -export -name "Name your User Cert" -in usercert.pem -inkey userkey.pem -out exportcert.p12

Remember, there are many options, this is just the basic stuff. But it
should work.

Any corrections are welcome!

gilles


Joe Schiavone wrote:
> 
> Hi,
> 
>         Am in same status as u.  Ifn u get any good replies,
>         would u mind forwarding to me?  So far I have been
>         able to create certificates and Certificate CA, but
>         cannot get a client certificate to import into
>         Netscape.
> >
> >Hi.
> >
> >I am a newbie to the OpenSSL system, so I hoped somebody would like to
> >help me a bit :-)
> >
> >I have just managed to compile it and partially install it, but I miss
> >some kind of documentation on how to set up a new set of certificates
> >from scratch. What I am looking for is a simple step-by-step todo list,
> >with commands and basic options. Shouldn't this kind of information be
> >available from the Documents section on the OpenSSL website?
> >
> >Best regards.
> >-Terje Tessem-
> >[EMAIL PROTECTED]
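
The steps above as one non-interactive run, added here as an example and not part of the original post: `openssl ca` only signs once a config file names its database, serial file, CA certificate and CA key, which the raw commands leave to the default `openssl.cnf`. The passphrase, subject names, `ca.cnf` contents, 2048-bit user key and AES key encryption are assumptions made for the demo.

```shell
# Added example. PASS, the subject names and the file layout are constructed.
PASS='pass:demo-passphrase'

build_demo_pki() (
    mkdir -p "$1/newcerts" && cd "$1" || exit 1
    : > index.txt        # "openssl ca" database of issued certs, starts empty
    echo 01 > serial     # next serial number to assign, in hex
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = ./index.txt
serial          = ./serial
new_certs_dir   = ./newcerts
certificate     = ./CAcert.pem
private_key     = ./CAkey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # Root CA: encrypted key plus self-signed certificate (730 days as in the post).
    openssl genrsa -aes256 -passout "$PASS" -out CAkey.pem 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 730 -config ca.cnf -subj "/CN=Demo Root CA" \
        -key CAkey.pem -passin "$PASS" -out CAcert.pem || exit 1
    # User: key, request, then signing by the CA defined in ca.cnf.
    openssl genrsa -aes256 -passout "$PASS" -out userkey.pem 2048 2>/dev/null || exit 1
    openssl req -new -config ca.cnf -subj "/CN=Demo User" \
        -key userkey.pem -passin "$PASS" -out userreq.pem || exit 1
    openssl ca -batch -notext -config ca.cnf -passin "$PASS" \
        -in userreq.pem -out usercert.pem 2>/dev/null || exit 1
    # Bundle key, user cert and CA cert for import into a browser.
    openssl pkcs12 -export -name "Demo User Cert" -in usercert.pem \
        -inkey userkey.pem -certfile CAcert.pem \
        -passin "$PASS" -passout "$PASS" -out exportcert.p12 || exit 1
    # Chain check: prints "usercert.pem: OK" when the CA really issued the cert.
    openssl verify -CAfile CAcert.pem usercert.pem
)
```

Call it as `build_demo_pki /some/empty/dir`; `-certfile CAcert.pem` puts the CA certificate into the `.p12` as well, so the importing client can build the chain.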
