How to set up Your own Certification Authority

Some of the information below has been taken from: The following steps should be of great help.
  1. Download and install the openssl software. If you are on RH Linux, first check whether it is already installed using
    [openvpn@mia openvpn]# rpm -qi openssl
    Name        : openssl                      Relocations: (not relocateable)
    Version     : 0.9.7a                            Vendor: Red Hat, Inc.
    Release     : 5                             Build Date: Wed Mar 19 14:13:12 2003
    Install Date: Tue Apr 29 12:15:45 2003      Build Host: daffy.perf.redhat.com
    Group       : System Environment/Libraries   Source RPM: openssl-0.9.7a-5.src.rpm
    Size        : 2608270                          License: BSDish
    Signature   : DSA/SHA1, Fri Mar 28 19:30:55 2003, Key ID 219180cddb42a60e
    Packager    : Red Hat, Inc. 
    URL         : http://www.openssl.org/
    Summary     : The OpenSSL toolkit.
    Description :
    The OpenSSL toolkit provides support for secure communications between
    machines. OpenSSL includes a certificate management tool and shared
    libraries which provide various cryptographic algorithms and
    protocols.
    
    (Most of the time it comes pre-installed. Most of what is said below applies to RH 9.0.)
  2. OpenSSL uses a global configuration file. To find the location of this file, run
    sshvpn@mia:~> openssl ca
    Using configuration from /usr/share/ssl/openssl.cnf
    ---SNIP--
    
    This file has some useful sections; take a look at it, it is pretty much self-explanatory. Let us now start building our own Certificate Authority.
  3. Create the required directories first. You can create them anywhere; I preferred to create my CA in /etc/CertAuth
    mia#> cd /etc
    mia#> mkdir CertAuth; cd CertAuth
    mia#> mkdir certs; mkdir private
    mia#> chmod 700 private
    mia#> echo '01' > serial
    mia#> touch index.txt
    
  4. Copy the following file to /etc/CertAuth/openssl.cnf (you can also copy /usr/share/ssl/openssl.cnf and edit it to match the below)
    #
    # OpenSSL example configuration file.
    #The original configuration file is in /usr/share/ssl/openssl.cnf
    #
    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section
    ####################################################################
    [ CA_default ]
    dir             = /etc/CertAuth         # Where everything is kept
    certificate     = $dir/cacert.pem       # The CA certificate
    database        = $dir/index.txt        # database index file.
    new_certs_dir   = $dir/certs            # default place for new certs.
    private_key     = $dir/private/cakey.pem # The private key
    certs           = $dir/certs            # Where the issued certs are kept
    serial          = $dir/serial           # The current serial number
    crl_dir         = $dir/crl              # Where the issued crl are kept
    default_days    = 700                   # how long to certify for
    default_crl_days= 300                   # how long before next CRL
    default_md      = md5                   # which md to use (md5 was current in 2003; on any modern OpenSSL use sha256, md5 signatures are no longer accepted)
    policy          = CertAuthCA_policy
    x509_extensions = certificate_extensions        # The extensions to add to the cert
    
    # For the CA policy
    [ CertAuthCA_policy ]
    commonName              = supplied
    stateOrProvinceName     = supplied
    countryName             = supplied
    emailAddress            = supplied
    organizationName        = supplied
    organizationalUnitName  = optional
    
    [ certificate_extensions ]
    basicConstraints=CA:FALSE
    ####################################################################
    [ req ]
    default_bits            = 2048
    default_keyfile         = /etc/CertAuth/private/cakey.pem
    default_md              = md5
    prompt                  = no
    distinguished_name      = root_ca_distinguished_name
    x509_extensions         = root_ca_extensions
    
    [ root_ca_distinguished_name ]
    commonName              = Certificate Authority Created by Shashank Khanvilkar
    stateOrProvinceName     = Illinois
    countryName             = US
    emailAddress            = shashank@evl.uic.edu
    organizationName        = Root Certification Authority
    
    [ root_ca_extensions ]
    basicConstraints        = CA:true
    
  5. Set the environment variable OPENSSL_CONF. You can set this variable permanently in root's .tcshrc with
    setenv OPENSSL_CONF /etc/CertAuth/openssl.cnf
     ------- OR -------
    
    Alternatively, you can add the following to every openssl command line
    -config /etc/CertAuth/openssl.cnf
    
    I prefer the first method.
  6. Create a root certificate using the following command:
    mia#> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 10000
    Generating a 2048 bit RSA private key
    ..........................................................................................+++
    ................................................................................................................+++
    writing new private key to '/etc/CertAuth/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    
    If you are not sure about the above command, use man req and it will tell you about all the options. However, a few things need to be clarified. The -x509 option creates a self-signed certificate instead of a certificate request. It also generates a private key (/etc/CertAuth/private/cakey.pem), encrypted with the pass phrase, and the matching public key, which is embedded in cacert.pem. The -days option makes sure that the certificate will be valid for a very long time.
    cacert.pem must be distributed to all users.
  7. View the root certificate to make sure that you are using the right config file and that the certificate remains valid for a long time. NOTE: The actual cacert.pem file only contains the base64-encoded certificate between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines; nothing in it is human-readable.
    To read the contents of this certificate we need to issue the following command. You can see the public key and the other details. The -text option prints out everything; the -noout option prevents openssl from printing the PEM contents of cacert.pem again. Some more specific options are
     -serial         - print serial number value
     -hash           - print hash value
     -subject        - print subject DN
     -issuer         - print issuer DN
     -email          - print email address(es)
     -startdate      - notBefore field
     -enddate        - notAfter field
     -purpose        - print out certificate purposes
     -dates          - both Before and After dates
     -modulus        - print the RSA key modulus
     -pubkey         - output the public key
     -fingerprint    - print the certificate fingerprint
     -alias          - output certificate alias
    
    Below I have listed the CA certificate in a more readable format.
    mia#> openssl x509 -in cacert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
            Validity
                Not Before: May 15 22:33:41 2003 GMT
                Not After : Sep 30 22:33:41 2030 GMT
            Subject: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:e3:a6:75:8f:52:f8:39:e3:79:3c:81:ec:24:76:
                        be:09:f0:80:87:22:9f:a3:b3:60:91:9f:37:73:cf:
                        f9:76:25:13:69:95:bc:c1:7a:7c:6a:d0:89:dd:4c:
                        b3:26:55:e7:87:95:52:96:54:3c:a5:d8:50:91:84:
                        12:53:9e:ab:e1:c1:86:74:68:c3:ce:c7:74:07:a1:
                        be:39:7b:80:99:40:0d:38:55:59:31:18:f9:00:b7:
                        2a:ba:8c:f3:69:40:8d:f1:60:9a:68:31:6c:cc:ff:
                        5a:b4:ab:42:db:67:c4:11:56:cd:6b:bd:f5:01:2e:
                        9f:e8:71:5b:0c:24:e9:3f:9e:07:28:81:28:84:eb:
                        79:ae:95:85:fb:e1:f6:b6:ff:35:bd:81:73:ad:c1:
                        52:30:32:0e:49:cd:44:16:eb:97:a5:06:6a:33:b0:
                        de:b9:6d:df:8e:5d:6e:a9:ab:3e:dc:de:eb:3a:c2:
                        ab:19:97:a1:96:0b:c7:3e:cc:30:e5:9b:10:d8:df:
                        00:07:fb:02:19:82:be:1a:24:07:98:46:05:4f:24:
                        78:da:44:0c:fa:4b:93:20:ab:31:6d:08:e2:8c:eb:
                        f5:82:94:09:04:c3:0d:ba:a0:5b:f7:a7:53:8f:71:
                        5f:6d:b0:47:8b:e4:a2:ce:bf:79:6e:5c:4c:8a:23:
                        63:85
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                CA:TRUE
        Signature Algorithm: md5WithRSAEncryption
            92:69:e7:3d:a8:a9:73:7a:f0:16:15:96:cf:69:1a:f6:14:e4:
            78:15:67:6d:a4:fb:85:3a:e7:ee:47:a6:24:b1:ab:10:80:06:
            15:40:e6:13:03:72:f6:55:d8:b7:fd:5c:7c:1c:31:bf:53:a1:
            82:fc:a7:9b:83:cc:f5:09:b9:ff:73:a5:07:2a:89:10:a3:f8:
            64:d0:3f:4f:6e:03:71:06:f2:af:5d:a0:8d:59:cd:5a:e1:08:
            bb:ca:15:c8:05:aa:6d:76:a6:89:d1:8b:6b:03:39:43:21:a4:
            be:21:95:54:33:5e:a7:71:8c:6a:81:c0:0b:91:83:70:32:5c:
            0c:96:1e:c8:71:ba:e7:22:b7:b7:fb:d0:40:8d:f9:62:bc:44:
            16:4e:37:1c:59:7a:a4:8d:29:db:c0:18:3a:f7:cc:89:03:f3:
            75:3b:af:ef:30:e8:4e:c8:d4:30:5a:65:5f:f4:47:04:d2:da:
            ac:a7:79:c1:b9:56:59:11:e7:f0:4a:86:f1:2e:05:a9:d2:fc:
            95:e2:e2:fb:61:dd:7d:bc:77:07:ba:4c:30:0e:46:b2:e6:0e:
            d7:07:4d:c6:9b:e3:79:5a:c0:32:08:33:c8:5e:ae:fa:df:3d:
            d5:08:38:b6:78:77:0a:e3:c9:a8:2f:9f:d0:c7:ad:53:8b:a5:
            77:12:ad:2c
    
    
  8. Users generating a certificate request: Now we have a certificate authority. A user who wants to get his certificate signed by us has to generate a certificate request. I will assume that I am user "sshvpn"; here is the list of commands that I follow. Two files are created, testkey.pem and testreq.pem. Note that -nodes writes testkey.pem unencrypted, so protect that file accordingly. Here goes:
    sshvpn@mia:~> openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM -nodes
    Generating a 1024 bit RSA private key
    .........................++++++
    .++++++
    writing new private key to 'testkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Illinois
    Locality Name (eg, city) [Newbury]:Chicago
    Organization Name (eg, company) [My Company Ltd]:UIC
    Organizational Unit Name (eg, section) []:ECE
    Common Name (eg, your name or your server's hostname) []:Shashank Khanvilkar
    Email Address []:skhanv1@uic.edu 
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:i am a good boy
    An optional company name []: PRESS ENTER
    
    The testreq.pem file is shown below. The -text option decodes the request; without -noout the PEM block is printed after it as well.
    sshvpn@mia:~> openssl req -in testreq.pem -text
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=Illinois, L=Chicago, O=UIC, OU=ECE, CN=Shashank Khanvilkar/emailAddress=skhanv1@uic.edu
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b2:9b:8d:04:3c:21:54:6f:b1:99:9f:35:2b:79:
                        2b:72:cb:4c:4d:6a:fa:87:98:a3:dd:3c:fe:bd:c8:
                        38:42:f8:ef:c5:88:03:6e:0f:86:97:e2:51:bb:40:
                        f4:e8:95:f8:2b:2e:37:31:74:c1:ff:34:fd:5c:fe:
                        31:3b:ab:af:10:bf:9d:14:c0:41:99:6f:b7:44:af:
                        62:73:a9:da:d1:3b:01:9c:a2:06:80:e5:01:4d:ad:
                        ef:a1:0d:11:9f:64:6f:d0:c1:63:fe:44:f9:00:7a:
                        ff:a6:c0:8d:b4:56:05:d0:bf:73:92:aa:8c:71:da:
                        a4:a0:45:05:d0:37:db:af:85
                    Exponent: 65537 (0x10001)
            Attributes:
                challengePassword        :i am a good boy
        Signature Algorithm: md5WithRSAEncryption
            a5:c1:6b:1d:fe:e6:3f:2a:ce:d7:b2:62:cd:1a:b7:d1:bc:9d:
            1b:c9:0b:f8:9b:c3:cf:71:72:b0:da:e8:d8:90:2a:ff:dd:64:
            3b:97:59:97:e8:a3:df:ba:9f:96:d8:4a:47:d8:0c:b4:f1:74:
            ee:aa:35:cf:67:d4:c1:0a:4c:af:fc:e7:c2:7e:1f:aa:5b:b5:
            8b:f9:ae:bd:e6:21:0e:af:09:b7:26:a6:71:4a:db:4a:d8:37:
            39:d5:28:96:b9:39:9f:39:ba:53:c7:df:30:e6:a4:37:ae:25:
            9e:69:21:a4:3a:ad:d6:88:05:d1:e1:8f:ad:a2:15:7f:46:83:
            78:12
    
    Send the testreq.pem file to the CA as an email attachment (or just copy it to /etc/CertAuth).
  9. Issuing the certificate: The CA should verify that the certificate request really comes from the right person and then issue the certificate using the following command. It is recommended that you use the "-notext" and "-out testcert.cert" options. -notext suppresses the human-readable dump in the output file, and -out makes a copy of the certificate in the file testcert.cert in the current directory. This way you will not have to search the certs/ directory for the new certificate. Note that only the fields named in the policy section of openssl.cnf end up in the issued subject (localityName, for example, is dropped), unless you pass -preserveDN.
    mia#> openssl ca -in testreq.pem -notext -out testcert.cert
    Using configuration from /etc/CertAuth/openssl.cnf
    Enter pass phrase for /etc/CertAuth/private/cakey.pem:secretcode
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Illinois'
    localityName          :PRINTABLE:'Chicago'
    organizationName      :PRINTABLE:'UIC'
    organizationalUnitName:PRINTABLE:'ECE'
    commonName            :PRINTABLE:'Shashank Khanvilkar'
    emailAddress          :IA5STRING:'skhanv1@uic.edu'
    Certificate is to be certified until Apr 14 22:54:31 2005 GMT (700 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
  10. Return the signed certificate (testcert.cert, in our above example) to the owner.
  11. The signed certificate contains a lot of information. You can peek inside by using the following command:
    [openvpn@mia certificates]# openssl x509 -in testcert.cert -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 7 (0x7)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
            Validity
                Not Before: Jun  4 18:26:30 2003 GMT
                Not After : May  4 18:26:30 2005 GMT
            Subject: CN=openvpn, ST=Illinois, C=US/emailAddress=openvpn@mia.ece.uic.edu, O=UIC, OU=ECE
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b1:a3:76:cd:69:d0:dd:f4:d6:3b:bc:56:3c:95:
                        ad:3b:dd:92:0a:fe:9f:83:fa:ca:25:47:10:49:25:
                        e3:81:6f:4d:bf:18:c1:57:1d:e9:56:bd:fb:25:36:
                        0e:31:d0:be:71:2c:82:2d:e4:2b:20:5f:bf:2a:25:
                        ab:7d:c4:6e:43:8c:ce:b0:cd
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                CA:FALSE
        Signature Algorithm: md5WithRSAEncryption
            b8:e9:56:0d:36:0c:76:fc:1c:8e:77:7e:42:6d:5e:b6:98:ad:
            64:d1:ca:14:60:dc:92:9b:d5:60:59:11:82:99:15:4f:95:76:
            ab:72:58:8d:de:03:a4:fb:6d:1c:31:2c:17:16:21:fc:12:7e:
            22:7a:ae:27:72:af:29:f0:3c:39:aa:21:79:6b:53:8c:2d:b2:
            bf:fd:f4:1a:77:c3:99:4b:e3:c1:24:1f:41:71:54:8f:ee:ff:
            ce:b1:d9:06:db:8d:70:81:e4:4f:07:0c:05:93:5c:3d:74:9a:
            ad:be:33:52:5a:c9:5a:d7:67:5f:b2:7b:cd:b4:39:74:ef:99:
            ee:ac:85:49:27:4f:83:cb:16:14:7b:39:a2:f8:11:f1:4a:7e:
            a4:65:af:a6
    
  12. A simple cat on testcert.cert reveals only the PEM block, the base64 text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines:
    [openvpn@mia]# cat testcert.cert 
    
  13. I use this file testcert.cert for sending my certificates to my peer.
  14. Revoking a certificate: I don't have much idea about revoking, but I know that I have to use the following two commands. The -keyfile and -cert options are not necessary if you have set the OPENSSL_CONF shell variable. Run -revoke before -gencrl: the CRL is built from index.txt, so a CRL generated before the revocation will not list the certificate. Distribute the resulting my_crl.pem together with cacert.pem to every peer that must check revocation.
    #openssl ca -gencrl -keyfile /etc/CertAuth/private/cakey.pem -cert /etc/CertAuth/cacert.pem -out my_crl.pem 
    #openssl ca -revoke /etc/CertAuth/certs/bad_crt_file -keyfile /etc/CertAuth/private/cakey.pem -cert /etc/CertAuth/cacert.pem
    
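As an added example, not part of the original page, here are steps 3 through 9 and step 14 above as one non-interactive POSIX shell script, run under a scratch directory instead of /etc/CertAuth. It assumes an openssl binary (1.1.1 or 3.x) on PATH; it uses -subj, -batch, -passin and -passout in place of the interactive prompts shown on the page, swaps sha256 for the page's md5 (md5 signatures are rejected by current OpenSSL and clients), and all names, paths and the pass phrase are constructed.

```shell
# Added example, not from the original page: steps 3-9 and 14 run non-interactively
# under a scratch directory (never /etc/CertAuth). Assumes 'openssl' 1.1.1 or 3.x on
# PATH. One deliberate change from the page's config: sha256 instead of md5, since
# md5 signatures are rejected by current OpenSSL and clients. All names, paths and
# the pass phrase (normally typed at the prompt, as on the page) are constructed.
set -eu
CA_PASS="${CA_PASS:-constructed-demo-passphrase}"
setup_ca() {   # $1 = directory for the new CA; steps 3, 4 and 6 of the page
  ca="$1"
  mkdir -p "$ca/certs" "$ca/private"; chmod 700 "$ca/private"
  echo '01' > "$ca/serial"; echo '01' > "$ca/crlnumber"; : > "$ca/index.txt"
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 700
default_crl_days = 300
default_md = sha256
policy = CertAuthCA_policy
x509_extensions = certificate_extensions
[ CertAuthCA_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:FALSE
[ req ]
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = Constructed Demo Root CA
countryName = US
organizationName = Demo Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
  # step 6: self-signed root; the CA key file stays pass-phrase encrypted
  openssl req -config "$ca/openssl.cnf" -x509 -newkey rsa:2048 -days 10000 \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" -passout "pass:$CA_PASS" 2>/dev/null
}
# Step 8, user side: key plus request. $1 = any openssl.cnf, $2 = file prefix, $3 = CN.
make_request() {
  openssl req -config "$1" -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.req" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=UIC/OU=ECE/CN=$3/emailAddress=$3@example.invalid" 2>/dev/null
}
# Step 9, CA side: -batch answers the two y/n prompts; the policy drops L= from the subject.
sign_request() {   # $1 = CA dir, $2 = request prefix; writes $2.cert
  openssl ca -config "$1/openssl.cnf" -batch -notext -in "$2.req" -out "$2.cert" \
    -passin "pass:$CA_PASS" 2>/dev/null
}
verify_cert() {   # peer check with the distributed cacert.pem: $1 = CA dir, $2 = cert, $3 = optional CRL
  openssl verify -CAfile "$1/cacert.pem" ${3:+-crl_check -CRLfile "$3"} "$2" >/dev/null 2>&1
}
# Step 14 in working order: revoke first, then regenerate the CRL so it lists the serial.
revoke_cert() {   # $1 = CA dir, $2 = certificate; the CRL is written to $1/crl.pem
  openssl ca -config "$1/openssl.cnf" -revoke "$2" -passin "pass:$CA_PASS" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" -passin "pass:$CA_PASS" 2>/dev/null
}
```

Source the file and call `setup_ca DIR`, then `make_request DIR/openssl.cnf PREFIX NAME`, `sign_request DIR PREFIX` and `verify_cert DIR PREFIX.cert`; after `revoke_cert`, `verify_cert` with the CRL as third argument fails, which is what a peer checking revocation should see.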

Comments and corrections are appreciated and can be sent to papers@mia.ece.uic.edu.