7.3. Certificates

Now we can create our certificates request (for example the web certificate):

	$ openssl req -new -keyout $CADIR/certs/web_key.pem \
	    -out $CADIR/certs/web_req.pem -days 1097 -nodes

During the creation process we will be prompted for the OU and the CN: fill the OU with the type of service and the CN with the domain name the service refers to.

The subjectAltName (one of the X.509v3 extensions) is specified in a file under /opt/ca/ext (webserver.ext for the web certificate) and is added to the certificate when the request is signed with the CA root certificate.

The -nodes option leaves the key unencrypted, so that no passphrase has to be entered while managing and using the key; an unencrypted key must therefore be protected by file permissions, readable only by the user the service runs as. If a request was generated without this option, the passphrase can be removed from the key with the following command:

	$ openssl rsa -in $CADIR/certs/web_key.pem \
	    -out $CADIR/certs/web_key.pem

Let's look at the request we have just created:

	$ openssl req -text -noout -in $CADIR/certs/web_req.pem

We can now sign it:

	$ openssl ca -days 1097 -policy policy_anything \
	    -out $CADIR/certs/web_cert.pem \
	    -extfile $CADIR/ext/webserver.ext \
	    -infiles $CADIR/certs/web_req.pem

Now we can delete the web_req.pem file and copy the web_cert.pem certificate and its key to every server that will use them.

Let's see what has been added to the signed certificate:

	$ openssl x509 -text -noout -in $CADIR/certs/web_cert.pem

We can see that some extensions have been added, as defined in the /opt/ca/ext/webserver.ext file. This is the content of that file:

	basicConstraints        = CA:false
	nsCertType              = server
	keyUsage                = nonRepudiation, digitalSignature, \
	                          keyEncipherment, dataEncipherment
	extendedKeyUsage        = serverAuth
	nsComment               = "web services"
	subjectKeyIdentifier    = hash
	authorityKeyIdentifier  = keyid, issuer:always
	subjectAltName          = @subject_alt_name
	issuerAltName           = issuer:copy
	nsCaRevocationUrl       = http://domain.org/crl/cacrl.crl
	nsRevocationUrl         = http://domain.org/crl/cacrl.crl
	crlDistributionPoints   = @cdp_section

	[ subject_alt_name ]
	DNS.1=domain.org
	DNS.2=www.domain.org
	DNS.3=altro.domain.org
	email=copy

	[ cdp_section ]
	URI.1=http://domain.org/crl/cacrl.crl

To create certificates for the other services, just change the request, key and certificate names (and the extension file) accordingly.
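As an added example that is not part of this guide, the following script runs the whole issuance described above inside a throwaway CA and then checks the result the way a deployer would before copying the files to a server. It assumes `openssl x509 -req` for signing instead of the guide's `openssl ca` (so no CA database is needed); the self-signed root, its "Example CA" identity and the subject names are constructed here, and domain.org is the guide's own example domain.

```shell
# Added example, not from the original guide: issue a web certificate with a
# trimmed copy of this section's webserver.ext inside a throwaway CA and check
# the result. Assumptions: signing uses "openssl x509 -req" (no CA database)
# instead of the guide's "openssl ca"; the self-signed root and all names are
# constructed. Returns 0 on success, 1 on failure, 2 if openssl is not installed.
verify_web_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    # minimal req config so we do not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = x\n' > "$work/req.cnf"
    # extension file, trimmed from the guide's webserver.ext
    cat > "$work/webserver.ext" <<'EOF'
basicConstraints        = CA:false
nsCertType              = server
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer:always
subjectAltName          = @subject_alt_name
crlDistributionPoints   = @cdp_section
[ subject_alt_name ]
DNS.1=domain.org
DNS.2=www.domain.org
[ cdp_section ]
URI.1=http://domain.org/crl/cacrl.crl
EOF
    # constructed self-signed root, standing in for the CA built earlier in the guide
    openssl req -x509 -newkey rsa:2048 -nodes -config "$work/req.cnf" \
        -subj "/O=Example CA/CN=Example Root" -days 30 \
        -addext "basicConstraints=critical,CA:true" -addext "subjectKeyIdentifier=hash" \
        -keyout "$work/ca_key.pem" -out "$work/ca_cert.pem" 2>/dev/null || return 1
    # the request: -nodes leaves the key unencrypted, as in the guide
    openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
        -subj "/OU=web/CN=domain.org" \
        -keyout "$work/web_key.pem" -out "$work/web_req.pem" 2>/dev/null || return 1
    # sign it, attaching the extensions from webserver.ext
    openssl x509 -req -days 1097 -in "$work/web_req.pem" \
        -CA "$work/ca_cert.pem" -CAkey "$work/ca_key.pem" -CAcreateserial \
        -extfile "$work/webserver.ext" -out "$work/web_cert.pem" 2>/dev/null || return 1
    # checks before deployment: chains to the root, SAN, EKU and CA:FALSE are present
    openssl verify -CAfile "$work/ca_cert.pem" "$work/web_cert.pem" >/dev/null 2>&1 || return 1
    txt=$(openssl x509 -in "$work/web_cert.pem" -noout -text) || return 1
    for needle in 'DNS:www.domain.org' 'CA:FALSE' 'TLS Web Server Authentication'; do
        echo "$txt" | grep -q "$needle" || return 1
    done
    rm -rf "$work"
}
```

Call `verify_web_cert` and check its exit status; a signed certificate whose SAN or extensions are missing makes it return 1.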