KB14265 - Using OpenSSL to Create a CA and Sign the Server Certificate

Information

 
Last Modified Date: 8/1/2015 9:51 PM
Synopsis
If you do not have a Certificate Authority to generate a certificate on the PPS, use OpenSSL, as it is free and works well.
Problem or Goal
The instructions in the Administration Guide are not clear on how to create an OpenSSL certificate. Here is some clarification.
Cause
Solution
Follow the Administration Guide's instructions in "Using OpenSSL to Create a CA and Sign the Server Certificate" and use this article as an additional resource. The commands below were copied directly from the command window; they are what was executed to get OpenSSL working after it was installed.
C:\>cd openssl

C:\OpenSSL>md certs

C:\OpenSSL>cd certs

C:\OpenSSL\certs>md democa

C:\OpenSSL\certs>md democa\newcerts

C:\OpenSSL\certs>edit democa\index.txt

C:\OpenSSL\certs>edit democa\serial

Follow the instructions to place 01 in the serial file, save and exit:
C:\OpenSSL\certs>set path=c:\openssl\bin;%path%

C:\OpenSSL\certs>c: openssl genrsa -out ca.key 1024

C:\OpenSSL\certs>openssl genrsa -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...........++++++
.........++++++
e is 65537 (0x10001)
C:\OpenSSL\certs>openssl req -new -x509 -days 365 -key ca.key -out demoCA/cacert.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields; but you can leave some of them as blank. For some fields, there will be a default value; If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ic.xyz.com
Email Address []:user@xyz.com
 
Create the ic.csr file, as per the instructions in step 6 in Creating and Signing a CSR in the admin guide:

C:\OpenSSL\certs>openssl ca -in ic.csr -out ic.crt -keyfile ca.key
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 25 17:17:05 2009 GMT
Not After : May 25 17:17:05 2010 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = XYZ
organizationalUnitName = IT
commonName = Mark Hansen
emailAddress = mhanse@jtac.juniper.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:76:55:B3:9A:FC:16:4B:E5:70:9B:2C:1F:A5:0C:D7:84:17:DE:C7
X509v3 Authority Key Identifier:
keyid:69:05:69:0E:B1:2E:DD:64:B4:DD:CA:8C:30:78:47:92:42:F1:D6:DA

Certificate is to be certified until May 25 17:17:05 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Upload the ic.crt file into the Infranet Controller's pending CSR request, as per the Admin Guide's instructions.
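
A check worth running before the upload, added here as an example and not taken from the article or the Admin Guide: it confirms that ic.crt chains to the demo CA and carries the same public key as ic.csr. It assumes the file names used above and a current OpenSSL release on the PATH whose verify command exits non-zero on failure; csr.pub and crt.pub are scratch files introduced for the comparison.

```batch
@echo off
rem Added example: pre-upload checks for the files produced above.
rem Run from C:\OpenSSL\certs. Assumes ic.csr, ic.crt and
rem demoCA\cacert.pem exist, and that openssl is on the PATH.
setlocal

rem 1. The issued certificate must chain to the demo CA certificate.
openssl verify -CAfile demoCA\cacert.pem ic.crt
if errorlevel 1 (
    echo FAIL: ic.crt does not verify against demoCA\cacert.pem
    exit /b 1
)

rem 2. The certificate must carry the public key from the pending CSR,
rem    otherwise it will not match the request it is uploaded against.
rem    csr.pub and crt.pub are scratch files, not part of the article.
openssl req -in ic.csr -noout -pubkey > csr.pub
if errorlevel 1 exit /b 1
openssl x509 -in ic.crt -noout -pubkey > crt.pub
if errorlevel 1 exit /b 1
fc csr.pub crt.pub > nul
if errorlevel 1 (
    echo FAIL: public key in ic.crt differs from the one in ic.csr
    del csr.pub crt.pub
    exit /b 1
)
del csr.pub crt.pub

rem 3. Print subject, issuer, validity and serial for a visual check
rem    against the "Certificate Details" shown when signing.
openssl x509 -in ic.crt -noout -subject -issuer -dates -serial

rem 4. Print the key sizes of the server and CA certificates. The
rem    article's genrsa command creates a 1024-bit CA key; current NIST
rem    guidance sets 2048 bits as the RSA minimum.
openssl x509 -in ic.crt -noout -text | findstr /i /c:"Public-Key" /c:"Public Key:"
openssl x509 -in demoCA\cacert.pem -noout -text | findstr /i /c:"Public-Key" /c:"Public Key:"

echo OK: ic.crt matches ic.csr and verifies against the demo CA
exit /b 0
```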
 
Created By: Data Deployment
