A Certificate Authority creates certificates by signing Certificate Signing Requests (CSRs). By signing a CSR, the Certificate Authority vouches that the certificate information in the CSR (common name, etc.) is valid and trustworthy.
Prerequisite: Create a Certificate Authority
Prerequisite: Obtain a Certificate Signing Request (CSR) to sign, e.g.
This option applies if the certificate is intended to identify a network server using a network security protocol such as SSL, PCT or TLS, or an application security protocol such as HTTPS.
The configuration file opensslconf_ca.txt should contain an extension section for server authentication, i.e.
[ v3_server ]
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
The certificate is then signed using the following command:
openssl ca -config opensslconf_ca.txt -in server.csr -extensions v3_server
Finally, sign, commit and save the certificate.
This option applies if you are generating a certificate intended for ClickOnce deployment.
1. To use certificates signed by your own Certification Authority, the Certification Authority must be added to Trusted Root Certification Authorities on the target computer. You have to use the Certificate Manager Tool (Certmgr.exe). The ca.cer is added to Trusted Root Certification Authorities on the target computer using the following command:
CertMgr.exe -all /add ca.cer /s /r localMachine root
2. The configuration file opensslconf_ca.txt should contain an extension section for code signing, i.e.
[ v3_codesign ]
basicConstraints=CA:FALSE
extendedKeyUsage=codeSigning,msCodeInd,msCodeCom
The certificate is then signed using the following command:
openssl ca -config opensslconf_ca.txt -in clickonce.csr -extensions v3_codesign
Finally, sign, commit and save the certificate.
These certificates do not have any stated purpose and, as test certificates, can be used for anything, e.g. server authentication. However, some software may behave unexpectedly when using an obsolete X.509 multi-purpose certificate; importantly, the Microsoft .NET Framework and ClickOnce will not allow these certificates in the Trusted Publisher store.
openssl ca -config opensslconf_ca.txt -in cert_request.csr
Finally, sign, commit and save the certificate.
Once you have issued the appropriate command to sign the certificate, validate that the information OpenSSL shows about the CSR file is correct. If anything appears to be invalid or suspicious, do not sign the certificate; abort. If the information appears valid, sign the certificate by answering "y" (yes) to two questions:
Sign the certificate? [y/n]
Answer y (yes).
1 out of 1 certificate requests certified, commit? [y/n]
Answer y (yes).
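The three signing variants above (the v3_server section, the v3_codesign section, and no -extensions at all) and the sign/commit step, as an added, runnable example that is not from the original page. It builds a throwaway CA in a temporary directory, issues one certificate per variant, and then checks what purpose each certificate actually states, which is the property that decides whether a relying party will accept it. Assumed: openssl is on PATH; the CA name, the host names and the file names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway OpenSSL CA that signs
# three CSRs the way the page describes (v3_server, v3_codesign, no -extensions)
# and then checks which purpose each issued certificate states.
# Assumptions: openssl is on PATH; names and file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir -p ca/newcerts
: > ca/index.txt          # openssl ca's database of issued certificates
echo 01 > ca/serial       # the first certificate becomes ca/newcerts/01.pem

# opensslconf_ca.txt: the [ca] plumbing openssl ca needs, the two extension
# sections quoted on the page, and one section for the CA certificate itself.
cat > opensslconf_ca.txt <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_demo
# never copy extensions out of a CSR: the CA, not the requester, decides the purpose
copy_extensions  = none

[ policy_demo ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth

[ v3_codesign ]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning, msCodeInd, msCodeCom
EOF

# CA key and self-signed CA certificate (the ca.cer of the page).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Test CA" \
    -config opensslconf_ca.txt -extensions v3_ca \
    -keyout ca/ca.key -out ca/ca.crt 2>/dev/null

# Three requests, one per signing variant on the page.
for name in server clickonce cert_request; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -config opensslconf_ca.txt -keyout "$name.key" -out "$name.csr" 2>/dev/null
done

# -batch answers the "Sign the certificate?" and "commit?" prompts with yes. Use it
# only for requests you generated yourself, as here; otherwise drop -batch (and the
# 2>/dev/null) and review what openssl shows about the request before answering.
openssl ca -batch -config opensslconf_ca.txt -in server.csr \
    -extensions v3_server -out server.pem 2>/dev/null
openssl ca -batch -config opensslconf_ca.txt -in clickonce.csr \
    -extensions v3_codesign -out clickonce.pem 2>/dev/null
openssl ca -batch -config opensslconf_ca.txt -in cert_request.csr \
    -out plain.pem 2>/dev/null

# True if the text dump of certificate $1 contains the string $2, e.g. an extended
# key usage name as openssl prints it ("TLS Web Server Authentication").
cert_text_has() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# True if a TLS client trusting our CA would accept $1 as a server certificate.
# A certificate whose extendedKeyUsage omits serverAuth fails this check.
accepted_as_server() {
    openssl verify -CAfile ca/ca.crt -purpose sslserver "$1" >/dev/null 2>&1
}

for f in server.pem clickonce.pem plain.pem; do
    if accepted_as_server "$f"; then echo "$f: accepted for TLS server use"; else echo "$f: rejected for TLS server use"; fi
done
echo "issued certificates are in $WORK"
```

The code-signing certificate is rejected for TLS server use because its extended key usage does not include serverAuth, while the certificate issued without any extension section is accepted for everything, which is exactly the "no stated purpose" behaviour the page describes for multi-purpose test certificates.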
The most recently created .pem file (01.pem, 02.pem, ...) is the certificate. This file format is accepted by e.g. the Apache web server and Oracle Wallet Manager. The certificate will also be shown in text representation, for example:
-----BEGIN CERTIFICATE-----
MIICGTCCAYICAQEwDQYJKoZIhvcNAQEEBQAwWDELMAkGA1UEBhMCR0IxDTALBgNV
BAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDTALBgNVBAoTBFRlc3QxDTALBgNVBAsT
BFRlc3QxDTALBgNVBAMTBFRlc3QwHhcNMDYwODA5MDgyNzE1WhcNMDcwODA5MDgy
NzE1WjBSMQswCQYDVQQGEwJHQjENMAsGA1UECBMEVGVzdDENMAsGA1UEChMEVGVz
dDENMAsGA1UECxMEVGVzdDEWMBQGA1UEAxMNMTAuMTI4Ljk2LjExNzCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5UU8QYLRMVIRuHEaSfLoUaK17pE5OBBC/k5L
14ENT/J1beZMSKqEsw3CHUY5FHRvYRlz0x7c6TLD6AaqfoqdM7VI9T1GjHMdJdcy
AnkfMETWvpuubo/NG+QcU040OupsxH25zmblclSxic+c2KBnPAlg9uSf6ln25gvT
r8q5CMMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQAb5G0fU/c0ixSwds9OUNHTkr5m
x5rqI21OXyoNzEU45Y0Xwlr13eFp6ifkDbkKHDZmwLYLQph0Hif6yKWr8C7cA6cZ
MVQMB3796ncMxJo/GpKLAvKhWMowPVM8BQnnb6LVyruCiIqqzPomjduXeziVo2/Z
ASOJQOsjBnYYWQszew==
-----END CERTIFICATE-----
This text representation is sometimes useful since it can be cut & pasted into SSH / Telnet consoles on UNIX servers, or be e-mailed as text. It may also be needed when importing into Microsoft products, since several Microsoft import tools have problems importing the files created with openssl ca, because these files also include a human-readable preamble before the actual certificate.
An alternative to cutting & pasting the certificate into a text file is to let OpenSSL strip the additional text (which confuses some Microsoft products) from the .pem certificate file and store a plain certificate in a .cer file. This is done like this:
openssl x509 -in 06.pem -inform PEM -out server.cer -outform PEM
where 06.pem is replaced by the actual certificate file created by openssl ca, and server.cer is replaced by the filename intended for the new (Microsoft-friendlier) certificate file.
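The stripping step, as an added example that is not from the original page. It rebuilds the kind of file openssl ca writes (human-readable dump followed by the PEM block) from the sample certificate printed above, strips it with the page's own command, and then inspects the bare certificate with a few helpers that report what a relying party would find in it: version, signature algorithm, subject, validity and whether it carries any extensions at all. Assumed: openssl is on PATH; the file names 06.pem, page.cer and server.cer are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce an openssl ca output file
# from the page's sample certificate, strip it to a bare .cer with the page's
# command, and inspect the result. Assumes openssl is on PATH; file names are
# constructed for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# The certificate exactly as printed on the page.
cat > page.cer <<'EOF'
-----BEGIN CERTIFICATE-----
MIICGTCCAYICAQEwDQYJKoZIhvcNAQEEBQAwWDELMAkGA1UEBhMCR0IxDTALBgNV
BAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDTALBgNVBAoTBFRlc3QxDTALBgNVBAsT
BFRlc3QxDTALBgNVBAMTBFRlc3QwHhcNMDYwODA5MDgyNzE1WhcNMDcwODA5MDgy
NzE1WjBSMQswCQYDVQQGEwJHQjENMAsGA1UECBMEVGVzdDENMAsGA1UEChMEVGVz
dDENMAsGA1UECxMEVGVzdDEWMBQGA1UEAxMNMTAuMTI4Ljk2LjExNzCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEA5UU8QYLRMVIRuHEaSfLoUaK17pE5OBBC/k5L
14ENT/J1beZMSKqEsw3CHUY5FHRvYRlz0x7c6TLD6AaqfoqdM7VI9T1GjHMdJdcy
AnkfMETWvpuubo/NG+QcU040OupsxH25zmblclSxic+c2KBnPAlg9uSf6ln25gvT
r8q5CMMCAwEAATANBgkqhkiG9w0BAQQFAAOBgQAb5G0fU/c0ixSwds9OUNHTkr5m
x5rqI21OXyoNzEU45Y0Xwlr13eFp6ifkDbkKHDZmwLYLQph0Hif6yKWr8C7cA6cZ
MVQMB3796ncMxJo/GpKLAvKhWMowPVM8BQnnb6LVyruCiIqqzPomjduXeziVo2/Z
ASOJQOsjBnYYWQszew==
-----END CERTIFICATE-----
EOF

# openssl ca writes the text dump first and then the PEM block; openssl x509 -text
# produces the same layout, so this stands in for a 06.pem taken from newcerts/.
openssl x509 -in page.cer -text > 06.pem

# The page's command: read only the PEM block (the preamble is skipped) and write it alone.
openssl x509 -in 06.pem -inform PEM -out server.cer -outform PEM

# Number of lines in front of the PEM block (0 once the preamble is gone).
lines_before_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { print NR - 1; exit }' "$1"
}

# X.509 version number (1 or 3) as openssl prints it.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Subject in RFC 2253 form, e.g. CN=host,O=Org,C=GB.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# True if the certificate carries any X509v3 extensions, i.e. can state a purpose at all.
has_extensions() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 extensions'
}

# True if notAfter is already in the past.
is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

echo "lines before PEM block: 06.pem=$(lines_before_pem 06.pem) server.cer=$(lines_before_pem server.cer)"
echo "subject:    $(cert_subject server.cer)"
echo "version:    $(cert_version server.cer)"
echo "signature:  $(cert_sigalg server.cer)"
if has_extensions server.cer; then echo "extensions: present"; else echo "extensions: none (no stated purpose)"; fi
if is_expired server.cer; then echo "validity:   expired"; else echo "validity:   current"; fi
```

Run on the page's sample, the helpers report a version 1 certificate with no extensions, an md5WithRSAEncryption signature and a validity period that ended in 2007: a multi-purpose certificate of exactly the kind the page says modern software may refuse, and a reminder that stripping the preamble changes only the file layout, never what the certificate asserts.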