Making SSL Certificates and Keys

This procedure uses the OpenSSL command-line tools, available from the OpenSSL web site at https://www.openssl.org/ under Binary Distributions (or from the package manager of your platform).

  1. Download and extract the file on the chosen platform.

  2. Add a folder "certs".

  3. Add the following files (their names and locations must match the serial, RANDFILE and database keywords set in genca.cnf in step 4):

    • .rnd (seed file for the random number generator; about 20 lines of arbitrary keyboard input is enough)

    • serial.TXT (the serial number of the first certificate to be issued, written as an even number of hexadecimal digits, for example 1000)

    • index.txt (empty; openssl ca uses it as its certificate database and appends one line per issued certificate)

  4. Edit the following keywords in genca.cnf (openssl ca also needs the database and new_certs_dir keywords; leave those and any other keywords not listed here unchanged):

    [ CA_default ]
    
    dir                 = .                 # Where everything is kept
    certs               = $dir/certs        # Where the issued certs are kept
    
    certificate         = $certs/WCPcacert.pem   # The CA certificate
    serial              = $dir/serial.TXT        # The current serial number
    crl                 = $certs/WCPCrl.pem        # The current CRL
    private_key         = $certs/WCPCaKey.pem # The private key
    RANDFILE            = $dir/.rnd           # private random number file
    
    [ req_distinguished_name ]
    countryName                    = Country Name (2 letter code)   #Prompt
    countryName_default            = DE
    
    stateOrProvinceName            = State or Province      #Prompt
    stateOrProvinceName_default    = 
    
    localityName                   = City or Town   #Prompt
    localityName_default           = Darmstadt
    
    0.organizationName             = Organizational Name (eg, company)  #Prompt
    0.organizationName_default     = Software AG
    
    organizationalUnitName         = Organization unit (group or department) #Prompt
    organizationalUnitName_default = Network

    Notes:

    1. countryName_default is the two-letter code of your country (DE for Germany, US for the United States, and so on).
    2. Change the other defaults as necessary; the values you set here are offered at each prompt below, so setting sensible defaults saves typing later.

  5. Make the self-signed CA certificate and key:

    openssl req -config genca.cnf -newkey rsa:2048 -x509 -keyout certs/WCPCaKey.pem -out certs/WCPcacert.pem -days 365

    Run this from the folder that contains genca.cnf, so that the two files land in certs/ under the names the certificate and private_key keywords expect. The CA certificate must remain valid for as long as the certificates it signs; if application certificates are issued for 365 days, give the CA a longer -days value.

    Reply:

       Enter PEM pass phrase: <your_password>
          ... confirm ...
       Country Name  :
       State         :
       City          :
       Organ. Name   :
       Organ. Unit   :
       Common Name   : <DefaultCA_name>
       Email Addr.   :

    The other fields are set in genca.cnf; pressing Enter at a prompt accepts the default shown.

  6. Make the application key and certificate request:

    openssl req -config genca.cnf -newkey rsa:2048 -out certs/WcpAppCertReq.pem -keyout certs/WcpAppKey.pem

    Without -x509 this produces a certificate signing request, not a certificate. A -days option is ignored by openssl req in this mode; the validity period is set when the request is signed in step 7.

    Reply:

       Enter PEM pass phrase: <your_password>
          ... confirm ...
       Country Name  :
       State         :
       City          :
       Organ. Name   :
       Organ. Unit   :
       Common Name   : <localhost_name>   (the host name clients use to connect to the application)
       Email Addr.   :
       ... extra attributes (challenge password, optional company name): <leave empty>

    The other fields are set in genca.cnf.

  7. Sign the application certificate request with the CA:

    openssl ca -config genca.cnf -policy policy_anything -out certs/WcpAppCert.pem -infiles certs/WcpAppCertReq.pem

    Reply:

       Enter pass phrase : <your_password>   (the pass phrase of the CA key from step 5)
       Sign the cert?    : y
       commit?           : y

    openssl ca records the new certificate in index.txt and increments serial.TXT. The output file contains a readable dump of the certificate before the PEM block; add -notext if the application expects a pure PEM file.

  8. Password file

    Create a file containing the pass phrase entered above, terminated by a single null byte (0x00), with no trailing line break.

  9. At this point, the folder certs should contain:

        WCPcacert.pem       (CA certificate)
        WCPCaKey.pem        (CA private key, pass phrase protected)
        WcpAppCert.pem      (signed application certificate)
        WcpAppKey.pem       (application private key, pass phrase protected)
        WcpAppCertReq.pem   (the request; no longer needed once signed)
        index.txt           (plus the index.txt.attr and index.txt.old files openssl ca creates beside it)
        <random_file>
        <password_file>

    Notes:

    1. Use exactly the file names given in genca.cnf, including case: on case-sensitive file systems WCPcacert.pem and WCPCACert.pem are two different files, and openssl ca reads only the names in the configuration.
    2. Make sure that the files contain DOS <CR><LF> at the end of each line.
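The complete procedure (steps 2 to 8) as an added example, not a script from the original page or from the product: a POSIX shell script that creates the working folder and bookkeeping files, writes a genca.cnf with the keywords shown above, generates the CA and the application key pair, signs the request, creates the null-terminated password file, and then checks the result the way a practitioner would (chain verification, serial advanced, one entry in index.txt, last byte of the password file is 0x00). It runs without prompts by passing the subject and pass phrase on the command line. Everything not on the page is an assumption: OpenSSL 1.1.1 or later on PATH, the pass phrase "changeit", the common names, the password file name WcpPassword.txt, and the [ca], [req], [policy_anything] and [v3_ca] sections, which openssl needs but the page's excerpt does not show.

```shell
#!/bin/sh
# Added example, not the page's or the product's own script: steps 2 to 8
# run end to end without prompts. Assumed (not from the page): OpenSSL 1.1.1
# or later on PATH, the pass phrase "changeit", and the common names below.
set -eu
PW="${PW:-changeit}"        # assumed pass phrase, replace in real use
CA_CN="WCP Demo CA"         # assumed CA common name
APP_CN="localhost"          # assumed application host name

# Steps 2 and 3: the working folder and the files openssl ca keeps state in.
setup_dirs() {
    mkdir -p certs/newcerts
    : > certs/index.txt                 # empty certificate database
    printf '1000\n' > serial.TXT        # first serial, even number of hex digits
    head -c 256 /dev/urandom > .rnd     # seed file named by RANDFILE
}

# Step 4: the page's CA_default and req_distinguished_name keywords, plus the
# [ca], [req], [policy_anything] and [v3_ca] sections openssl needs (ours).
write_config() {
    cat > genca.cnf <<'EOF'
[ ca ]
default_ca          = CA_default
[ CA_default ]
dir                 = .
certs               = $dir/certs
new_certs_dir       = $certs/newcerts
database            = $certs/index.txt
certificate         = $certs/WCPcacert.pem
serial              = $dir/serial.TXT
crl                 = $certs/WCPCrl.pem
private_key         = $certs/WCPCaKey.pem
RANDFILE            = $dir/.rnd
default_days        = 365
default_md          = sha256
policy              = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = DE
localityName                   = City or Town
localityName_default           = Darmstadt
0.organizationName             = Organizational Name (eg, company)
0.organizationName_default     = Software AG
organizationalUnitName         = Organization unit (group or department)
organizationalUnitName_default = Network
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 5: self-signed CA certificate and encrypted key, written into certs/.
make_ca() {
    openssl req -config genca.cnf -newkey rsa:2048 -x509 -days 365 \
        -keyout certs/WCPCaKey.pem -out certs/WCPcacert.pem \
        -passout "pass:$PW" -subj "/C=DE/L=Darmstadt/O=Software AG/OU=Network/CN=$CA_CN"
}
# Step 6: application key and certificate request (no -days: it is ignored here).
make_csr() {
    openssl req -config genca.cnf -newkey rsa:2048 \
        -keyout certs/WcpAppKey.pem -out certs/WcpAppCertReq.pem \
        -passout "pass:$PW" -subj "/C=DE/L=Darmstadt/O=Software AG/OU=Network/CN=$APP_CN"
}
# Step 7: sign the request with the CA; -notext keeps the output pure PEM.
sign_csr() {
    openssl ca -config genca.cnf -policy policy_anything -batch -notext \
        -passin "pass:$PW" -in certs/WcpAppCertReq.pem -out certs/WcpAppCert.pem
}
# Step 8: pass phrase followed by a single null byte (file name is assumed).
make_password_file() { printf '%s\0' "$PW" > certs/WcpPassword.txt; }

# Checks a practitioner would run afterwards.
verify_chain()     { openssl verify -CAfile certs/WCPcacert.pem certs/WcpAppCert.pem >/dev/null; }
next_serial()      { cat serial.TXT; }                  # openssl ca advances it to 1001
issued_count()     { grep -c '^V' certs/index.txt; }    # one valid ('V') entry
password_file_ok() { [ "$(tail -c 1 certs/WcpPassword.txt | od -An -tx1 | tr -d ' ')" = "00" ]; }

cd "${WORK:-$(mktemp -d)}"
setup_dirs; write_config; make_ca; make_csr; sign_csr; make_password_file
verify_chain
echo "next serial: $(next_serial); certificates issued: $(issued_count)"
```

The script works in a fresh temporary directory (or in $WORK if set), so it never touches an existing CA. The [v3_ca] section matters: without basicConstraints CA:TRUE, current OpenSSL and browsers refuse to treat the self-signed certificate as an issuer, and chain verification fails even though signing succeeded.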