This involves utilities provided on the OpenSSL web site at https://www.openssl.org/ in Binary Distributions.
Download and extract the file on the chosen platform.
Add a folder "certs".
Add the following files:
.rand (contains about 20 lines of garbage data / hit the keyboard)
serial (contains the first serial number of new certs, example 1000)
index.txt (empty)
Edit the genca.cnf keywords with the following values:
[ CA_default ]
dir = .                                # Where everything is kept
certs = $dir/certs                     # Where the issued certs are kept
certificate = $certs/WCPcacert.pem     # The CA certificate
serial = $dir/serial.TXT               # The current serial number
crl = $certs/WCPCrl.pem                # The current CRL
private_key = $certs/WCPCaKey.pem      # The private key
RANDFILE = $dir/.rnd                   # private random number file

[ req_distinguished_name ]
countryName = Country Name (2 letter code)                           #Prompt
countryName_default = DE
stateOrProvinceName = State or Province                              #Prompt
stateOrProvinceName_default =
localityName = City or Town                                          #Prompt
localityName_default = Darmstadt
0.organizationName = Organizational Name (eg, company)               #Prompt
0.organizationName_default = Software AG
organizationalUnitName = Organization unit (group or department)     #Prompt
organizationalUnitName_default = Network
Notes:
Setting the defaults saves typing later.
Make self-signed CA key:
openssl req -config genca.cnf -newkey rsa:2048 -x509 -keyout WCPcakey.pem -out WCPcacert.pem -days 365
Reply:
Enter PEM pass phrase: <your_password>
... confirm ....
Country Name :
State :
City :
Organ. Name :
Organ. Unit :
Common Name : <DefaultCA_name>
Email Addr. :
The other fields are set in genca.cnf.
Make application certificate & request:
openssl req -config genca.cnf -newkey rsa:2048 -out WcpAppCertReq.pem -keyout WcpAppKey.pem -days 365
Reply:
Enter PEM pass phrase: <your_password>
... confirm ....
Country Name :
State :
City :
Organ. Name :
Organ. Unit :
Common Name : <localhost_name>
Email Addr. :
...extra attributes: <leave empty>
The other fields are set in genca.cnf.
Sign the app cert req:
openssl ca -config genca.cnf -policy policy_anything -out WcpAppCert.pem -infiles WcpAppCertReq.pem
Reply:
Enter pass phrase..: <your_password>
Sign the cert? : y
commit? : y
Password file
Make a file containing the password with a null character at the end.
At this point, the folder certs should contain:
WCPAppCert.pem
WCPAppKey.pem
WCPCACert.pem
WCPCAKey.pem
<random_file>
<password_file>
Note:
Make sure that the files contain DOS <CR><LF> at the end of each line.
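The last two steps (the null-terminated password file and the <CR><LF> line endings) are given above without commands. The shell functions below are an added example, not part of the original instructions; the function names are hypothetical, and converting only the .pem files (not the password file) to <CR><LF> is an assumption.

```shell
#!/bin/sh
# Added example: finish the certs folder as described in the last two steps.

# Write the pass phrase read from stdin to file $1, followed by one NUL byte.
# Reading from stdin keeps the pass phrase out of the process argument list.
write_password_file() {
    ( umask 077                                  # new file readable by owner only
      IFS= read -r pw || [ -n "$pw" ] || exit 1  # accept input without newline
      printf '%s\000' "$pw" > "$1" )
}

# Succeed only if the last byte of file $1 is NUL.
ends_with_nul() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "00" ]
}

# Rewrite file $1 so every line ends in <CR><LF>; safe to run repeatedly.
to_crlf() {
    ( umask 077                                  # temp copy may hold a private key
      awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$1.tmp" ) &&
        mv "$1.tmp" "$1"
}

# Succeed only if every line of file $1 ends in <CR><LF>.
all_lines_crlf() {
    awk '!/\r$/ { bad = 1 } END { exit bad + 0 }' "$1"
}

# Convert every .pem in folder $1, then check them and the password file $2.
# Returns non-zero on the first file that fails a check.
check_certs_dir() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || return 1                  # no .pem files present
        to_crlf "$f" && all_lines_crlf "$f" || return 1
    done
    ends_with_nul "$2"
}
```

Typical use: write_password_file certs/<password_file> (type the pass phrase, press Enter), then check_certs_dir certs certs/<password_file>.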