How to generate a CA/SSL certificate for SConnect?

Applies to

SA Server 4.x / IDConfirm 1000 5.x and above

Content

When using SConnect, a valid license file must be available.

This license file must be generated with the SSL certificate of the site that will host the license.

Another constraint is that the root certificate must be importable into Firefox. The root certificate must therefore be generated with specific attributes.

The procedure below creates a root certificate and the SSL certificate.

The attributes are defined in the files described below.

Create a file called RootCertificate.cnf with the following content:

    [ req ]
    default_bits = 2048
    default_keyfile = ./RootCertificate.pem
    default_md = sha1
    prompt = no
    distinguished_name = root_ca_distinguished_name
    x509_extensions = v3_ca

    [ root_ca_distinguished_name ]
    commonName = Test Root Certificate

    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = cRLSign, keyCertSign
    nsCertType = sslCA, emailCA

Create a file called RootCertificate.srl that contains only one line, with the number:

    1

This value will be associated with the generated certificate. If you generate several certificates, this value should be changed.

Create a file called SSLCertificate.cnf that contains:

    [ req ]
    default_bits = 2048
    default_md = sha1
    prompt = no
    distinguished_name = devlocalhost_distinguished_name

    [ devlocalhost_distinguished_name ]
    commonName = ssl.test

Please note that the commonName field must be the name used to reach the SSL server. In this case the SSL server name is ssl.test, but it can be replaced by any valid name.

Here are the steps to generate a root certificate and the SSL certificate using openssl commands:

Generate Root Certificate
====================

    openssl req -nodes -config RootCertificate.cnf -days 7305 -x509 -newkey rsa:4096 -out RootCertificate.crt -outform PEM

This command should be run once to generate the root certificate.

Files created:

RootCertificate.crt: root certificate

RootCertificate.pem: root keys

Generate SSL certificate
====================

  1. Generate the private key (use e.g. passphrase 1111):
    openssl genrsa -des3 -out ssl.pem 2048
  2. Remove the passphrase from the key:
    Rename ssl.pem to ssl.pem.tmp
    openssl rsa -in ssl.pem.tmp -out ssl.pem
    Delete ssl.pem.tmp
  3. Generate the certificate request:
    openssl req -new -config SSLCertificate.cnf -key ssl.pem -out ssl.csr
  4. Generate the certificate:
    openssl.exe x509 -req -days 3652 -in ssl.csr -CA RootCertificate.crt -CAkey RootCertificate.pem -out ssl.crt

Save both the ssl.pem file and the ssl.crt file in a dedicated folder. The other files can be deleted.

The previous 4 steps can be repeated to generate different certificates: just change the commonName in the SSLCertificate.cnf file and change the value in RootCertificate.srl.
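
Before using the generated files, it is worth confirming that they fit together as the procedure intends. The shell function below is an added example, not part of the original article or the product: it checks that the root is a CA certificate, that ssl.crt was signed by it, that ssl.pem is passphrase-free and belongs to ssl.crt, and that the commonName equals the server name. It assumes OpenSSL 1.1.0 or later on the PATH; the function name check_sconnect_certs is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. File names are the article's;
# the function name check_sconnect_certs is an assumption for this example.
# Usage: check_sconnect_certs ROOT_CRT SSL_KEY SSL_CRT SERVER_NAME
check_sconnect_certs() {
    root=$1; key=$2; crt=$3; name=$4; fail=0

    # 1. The root must be a CA certificate (basicConstraints = CA:TRUE).
    if openssl x509 -in "$root" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "ok   $root is marked CA:TRUE"
    else
        echo "FAIL $root is not marked CA:TRUE"; fail=1
    fi

    # 2. The SSL certificate must have been signed by that root.
    if openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1; then
        echo "ok   $crt verifies against $root"
    else
        echo "FAIL $crt does not verify against $root"; fail=1
    fi

    # 3. The key must load without a passphrase (step 2 of the procedure)
    #    and its public half must be the one embedded in the certificate.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null </dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo "ok   $key is unencrypted and matches $crt"
    else
        echo "FAIL $key is encrypted, unreadable, or does not match $crt"; fail=1
    fi

    # 4. commonName must be the name clients use to reach the SSL server.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p')
    if [ "$cn" = "$name" ]; then
        echo "ok   commonName is $name"
    else
        echo "FAIL commonName is '$cn', expected '$name'"; fail=1
    fi

    return "$fail"
}

# Run the checks when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then
    check_sconnect_certs "$@"
fi
```

With the article's file names, the call is `check_sconnect_certs RootCertificate.crt ssl.pem ssl.crt ssl.test`; the function returns non-zero if any check fails.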
