Follow the Administration Guide's instructions on Using OpenSSL to Create a CA and Sign the Server Certificate, and use this article as an additional resource. These are the commands, copied directly from the command window, that were executed to get OpenSSL to work after installing it.
C:\>cd openssl
C:\OpenSSL>md certs
C:\OpenSSL>cd certs
C:\OpenSSL\certs>md democa
C:\OpenSSL\certs>md democa\newcerts
C:\OpenSSL\certs>edit democa\index.txt
C:\OpenSSL\certs>edit democa\serial
Follow the instructions to place 01 in the serial file, save and exit:
C:\OpenSSL\certs>set path=c:\openssl\bin;%path%
C:\OpenSSL\certs>c: openssl genrsa -out ca.key 1024
C:\OpenSSL\certs>openssl genrsa -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...........++++++
.........++++++
e is 65537 (0x10001)
C:\OpenSSL\certs>openssl req -new -x509 -days 365 -key ca.key -out demoCA/cacert.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields; but you can leave some of them as blank. For some fields, there will be a default value; If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ic.xyz.com
Email Address []:user@xyz.com
Create the ic.csr file, as per the instructions in step 6 in Creating and Signing a CSR in the admin guide:
C:\OpenSSL\certs>openssl ca -in ic.csr -out ic.crt -keyfile ca.key
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 25 17:17:05 2009 GMT
Not After : May 25 17:17:05 2010 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = XYZ
organizationalUnitName = IT
commonName = Mark Hansen
emailAddress = mhanse@jtac.juniper.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:76:55:B3:9A:FC:16:4B:E5:70:9B:2C:1F:A5:0C:D7:84:17:DE:C7
X509v3 Authority Key Identifier:
keyid:69:05:69:0E:B1:2E:DD:64:B4:DD:CA:8C:30:78:47:92:42:F1:D6:DA
Certificate is to be certified until May 25 17:17:05 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Upload the ic.crt file into the Infranet Controller's pending CSR request, as per the Admin Guide's instructions.
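A check worth running before the upload, added here as an example and not taken from the Admin Guide: this batch file confirms that ic.crt chains to demoCA\cacert.pem and carries the same public key as ic.csr. It assumes RSA keys, the file names used above, and an OpenSSL build whose verify command exits non-zero on failure.

```batch
@echo off
rem Added example, not from the Admin Guide. Run from C:\OpenSSL\certs
rem with c:\openssl\bin on PATH, after "openssl ca" has written ic.crt.
rem Assumes an OpenSSL build whose "verify" exits non-zero on failure.
setlocal
set "CSR_MOD="
set "CRT_MOD="

rem 1. ic.crt must chain to the CA certificate created earlier.
openssl verify -CAfile demoCA\cacert.pem ic.crt
if errorlevel 1 (
    echo FAIL: ic.crt does not verify against demoCA\cacert.pem
    exit /b 1
)

rem 2. ic.crt must carry the same RSA public key as ic.csr, because the
rem    pending CSR on the Infranet Controller was created for that key.
for /f "delims=" %%m in ('openssl req -in ic.csr -noout -modulus') do set "CSR_MOD=%%m"
for /f "delims=" %%m in ('openssl x509 -in ic.crt -noout -modulus') do set "CRT_MOD=%%m"
if not defined CSR_MOD (
    echo FAIL: could not read the public key from ic.csr
    exit /b 1
)
if not "%CSR_MOD%"=="%CRT_MOD%" (
    echo FAIL: ic.crt and ic.csr contain different public keys
    exit /b 1
)

rem 3. Print the fields to review by eye before uploading.
openssl x509 -in ic.crt -noout -subject -issuer -dates
echo OK: ic.crt verifies against the CA and matches ic.csr
```

The 1024-bit CA key in the transcript reflects 2009 practice; 2048 bits is the minimum for RSA keys generated today.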