2007-12-05

Quick CA test

In case...

  • You are testing your new certificate handling utility, which is about to save the world soon.
  • You want to generate a new certificate `MyRootCert.pem`, install it as a trusted root, and sign another certificate `MyCert.pem` with it to get `MySignedCert.pem`.
  • You like dirty barbarian solutions which are simple enough to just work.
  • And you use OpenSSL on a Linux machine.


Here is what you do:

cd /etc/ssl/certs # or wherever the system store is

# Create the root certificate and its private key (self-signed, key left
# unencrypted by -nodes). The original used rsa:1024; that is below today's
# minimum even for a throwaway test, so use 2048.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MyRootCertKey.pem \
-out MyRootCert.pem

# Serial-number file: openssl x509 -CA looks for <CA file name>.srl next to the
# CA certificate, uses the value for the next certificate it signs and then
# increments it. Note the tee: with "sudo echo 02 > file" only echo runs as
# root, the redirect runs as you and fails in /etc/ssl/certs.
# (-CAcreateserial on the signing command below creates this file for you.)
echo "02" | sudo tee MyRootCert.srl >/dev/null

# Create the symlink OpenSSL uses for hash lookup in a cert directory:
# <subject_hash>.0 -> MyRootCert.pem (what c_rehash does for a whole directory)
sudo ln -s MyRootCert.pem `openssl x509 -subject_hash -in MyRootCert.pem -noout`.0

# From this point every OpenSSL-based client on the box trusts anything signed
# with MyRootCertKey.pem, so keeping that unencrypted key next to the trusted
# certificate is a big no-no: whoever can read it can mint trusted certs.
# Done for testing only.
cd ~/test # or wherever you keep the certificate

# Sign the certificate: its issuer becomes the root's subject and it is signed
# with the root key. Without -days the result is valid for 30 days only.
sudo openssl x509 -in MyCert.pem -CA /etc/ssl/certs/MyRootCert.pem \
-CAkey /etc/ssl/certs/MyRootCertKey.pem -out MySignedCert.pem
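The whole procedure above as one script, added here as an example and not taken from the original post: it does the same round trip (root CA, hash-named symlink, signing, and the verification the post never gets to) in a scratch directory, so nothing is written to /etc/ssl/certs and no sudo is needed. Two deliberate differences from the post: the leaf is produced as a certificate request and signed with `-req`, so no extensions (such as an authority key identifier pointing at the old self-signer) are carried over from an existing certificate, and `-CAcreateserial` replaces the hand-written `.srl` file. The directory, file and subject names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post: root CA, hash-named symlink,
# signing and verification in a scratch directory, no sudo, nothing in /etc.
# Directory and subject names are made up for this example.
set -eu

# Build a throwaway root CA in $1, sign a leaf certificate with it and check
# that OpenSSL accepts the result through the hash-named symlink.
# The body is a subshell so the cd does not leak into the caller.
# Exit status is that of `openssl verify`: 0 means the chain is good.
quick_ca_test() (
    dir=$1
    mkdir -p "$dir"
    cd "$dir"

    # 1. Root CA: self-signed, unencrypted key (-nodes), 2048-bit RSA rather
    #    than the post's 1024, which is below today's minimum even for a test.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=Quick CA test root" \
        -keyout MyRootCertKey.pem -out MyRootCert.pem >/dev/null 2>&1

    # 2. Leaf key plus certificate request. Signing a request (rather than
    #    re-signing an existing certificate) means the leaf gets only the
    #    extensions the CA adds, nothing inherited from an old self-signer.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=leaf.example.test" \
        -keyout MyCertKey.pem -out MyCert.csr >/dev/null 2>&1

    # 3. Sign with the root. -CAcreateserial writes MyRootCert.srl itself
    #    (the post's echo "02" step); -days because x509 defaults to 30 days.
    openssl x509 -req -days 365 -in MyCert.csr \
        -CA MyRootCert.pem -CAkey MyRootCertKey.pem -CAcreateserial \
        -out MySignedCert.pem 2>/dev/null

    # 4. Lay out a trust directory the way /etc/ssl/certs is laid out:
    #    a symlink named <subject_hash>.0 pointing at the root certificate.
    mkdir -p trust
    hash=$(openssl x509 -subject_hash -noout -in MyRootCert.pem)
    ln -sf ../MyRootCert.pem "trust/$hash.0"

    # 5. The check the post leaves out: resolve the issuer through that
    #    directory and verify the signature. Prints "MySignedCert.pem: OK".
    openssl verify -CApath trust MySignedCert.pem
)

work=$(mktemp -d)
quick_ca_test "$work"
rm -rf "$work"   # the "remove the created horror" step, trivial when nothing went into /etc
```

Running the same `openssl verify` without `-CApath trust` fails with "unable to get local issuer certificate", which is exactly what installing the root into the system store (the symlink step) changes: the leaf is only trusted where the root is present.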


Do not forget to remove the created horror (the certificate, the key, the .srl file and the hash symlink) when the testing period is finished; until then every OpenSSL-based client on the machine trusts whatever that key signs. Read the OpenSSL docs, and for anything beyond a one-off test consider the CA.pl script that ships with OpenSSL.
