Creating OpenSSL certificates for GREP11 Servers

You can generate Certificate Authority (CA) signed certificates for the Grep11 Server by using the openssl utility.

Before you begin

  • Ensure that you install the OpenSSL utility on a workstation that you can use to generate the certificates.

Procedure

Complete the following steps on your workstation with root user authority. The commands write unencrypted private keys (grep11-ca.key, grep11-server.key, grep11-client.key): restrict their file permissions (for example, chmod 600), and keep the CA key offline after the server and client certificates are issued, because anyone who holds it can issue certificates that every party trusting grep11-ca.pem accepts.

  1. Generate the CA key by running the following command.

    # 2048-bit RSA CA key, written unencrypted (no -aes256 passphrase option).
    # This key signs every server and client certificate in this procedure:
    # restrict it (chmod 600) and keep it offline once issuance is finished.
    openssl genrsa -out grep11-ca.key 2048
    
  2. Create the CA certificate by running the following command.

    # Self-signed CA certificate, valid for two years. No -config or -subj is
    # given, so you are prompted for the subject and the CA extensions come from
    # the default openssl.cnf of your installation, not from the file created in
    # step 5. Give the CA a subject that differs from the server certificate's
    # subject: a certificate whose subject equals its issuer is treated as
    # self-issued (RFC 5280), which can break normal chain handling.
    openssl req -new -x509 -key grep11-ca.key -days 730 -out grep11-ca.pem
    
  3. Generate the Server key by running the following command.

    # 2048-bit RSA key for the GREP11 server, written unencrypted; restrict its
    # permissions (chmod 600) before copying it to the server.
    openssl genrsa -out grep11-server.key 2048
    
  4. Export the COMMON_NAME (fully qualified domain name of the server), the basic constraints value (PATHLEN holds the whole basicConstraints value - the CA flag and an optional path length - not just a path length), and the Subject Alternative Name (every DNS name and IP address that the certificate secures) by running the following commands. The openssl.cnf file created in step 5 reads these values through ${ENV::...} references, so they take effect only in commands that load that file (for example, through -extfile or -config), and the file fails to load if a referenced variable is not exported.

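    # Server host name; openssl.cnf reads it as the certificate CN.
    export COMMON_NAME=grep11.example.com
    # Complete basicConstraints value for the CA sections of openssl.cnf, not a
    # bare path length: e.g. CA:true, or CA:true,pathlen:0 to forbid sub-CAs.
    export PATHLEN=CA:true
    # Subject Alternative Name: every host name and IP address clients connect
    # to. A dNSName entry is a bare host name (RFC 5280) - do not append the
    # port; TLS host-name verification compares the name only, so
    # "DNS:host:port" never matches.
    export SUBJECT_ALT_NAME=DNS:<domain-name>,IP:<ip>
    # e.g. export SUBJECT_ALT_NAME=DNS:grep11.example.com,IP:10.20.6.62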
    
  5. Create the openssl.cnf file and copy the content given below.

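    # OpenSSL configuration file for the GREP11 server and client certificates.
    #
    # The commands in this procedure load this file through
    # "-extfile openssl.cnf -extensions <section>" (step 7), which applies one
    # extension section, and through "-config openssl.cnf" if you pass it to
    # "openssl req". The [ca], [CA_default] and [policy_match] sections are
    # consumed only by "openssl ca", which this procedure does not run.
    #
    # Every ${ENV::NAME} reference must be exported before openssl starts
    # (step 4); loading the file fails if a referenced variable is missing.
    
    # Establish working directory.
    
    dir = .
    
    [ ca ]
    default_ca = CA_default
    
    # Settings for "openssl ca" (not used by the commands in this procedure).
    [ CA_default ]
    serial = $dir/serial
    #database = ${ENV::DIR}/index.txt
    #new_certs_dir = $dir/newcerts
    #private_key = $dir/grep11-ca.key
    #certificate = $dir/grep11-ca.cer
    default_days = 730
    default_md = sha256
    preserve = no
    email_in_dn = no
    nameopt = default_ca
    certopt = default_ca
    default_crl_days = 45
    policy = policy_match
    
    # DN policy for "openssl ca": C and O must equal the CA's, CN is required.
    [ policy_match ]
    countryName = match
    stateOrProvinceName = optional
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    
    # Applied by "openssl req -config openssl.cnf".
    [ req ]
    default_md = sha256
    distinguished_name = req_distinguished_name
    # The [req_distinguished_name] entries below are literal values. OpenSSL
    # treats them as values only when prompt = no; with prompt = yes they are
    # read as prompt labels and every field, including CN, is asked
    # interactively.
    prompt = no
    
    # Subject of a CSR built with "openssl req -config openssl.cnf". Adjust
    # C/ST/L/O to your organization; CN is the server host name from step 4.
    [ req_distinguished_name ]
    C = US
    ST = California
    L = Los Angeles
    O = IBM
    CN = ${ENV::COMMON_NAME}
    
    # CA certificate extensions. Not referenced by the commands in this
    # procedure (step 2 uses the default configuration of your installation);
    # use with "openssl req -x509 -config openssl.cnf -extensions certauth".
    # keyEncipherment/dataEncipherment are not needed by a CA key; only
    # keyCertSign, cRLSign and digitalSignature are used for signing.
    [ certauth ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    # PATHLEN is the complete basicConstraints value, e.g. CA:true or
    # CA:true,pathlen:0 (the latter stops this CA from issuing sub-CAs).
    basicConstraints = ${ENV::PATHLEN}
    #crlDistributionPoints = @crl
    
    # Server certificate extensions; applied in step 7 via "-extensions server".
    [ server ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    nsCertType = server
    # Embeds the [crl] URL in every server certificate; replace that
    # placeholder with a reachable CRL, or remove this line (see [crl]).
    crlDistributionPoints = @crl
    # DNS names and IP addresses exported in step 4.
    subjectAltName = ${ENV::SUBJECT_ALT_NAME}
    
    # Client certificate extensions. Step 10 as written passes no -extfile, so
    # this section is not applied; use "-extfile openssl.cnf -extensions client"
    # after replacing the [crl], [ocsp_section] and [alt_names] placeholders.
    [ client ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    # msSmartcardLogin only matters for Windows smart-card logon; drop it if
    # the certificate is used for TLS client authentication only.
    extendedKeyUsage = clientAuth,msSmartcardLogin
    nsCertType = client
    crlDistributionPoints = @crl
    authorityInfoAccess = @ocsp_section
    subjectAltName = @alt_names
    
    # Extensions for a self-signed server certificate ("openssl req -x509").
    # Not referenced by this procedure.
    [ selfSignedServer ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    basicConstraints = CA:FALSE
    subjectAltName = ${ENV::SUBJECT_ALT_NAME}
    extendedKeyUsage = serverAuth
    
    # Extensions for a self-signed client certificate. Not referenced by this
    # procedure; see the note on [alt_names] before using it.
    [ selfSignedClient ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    basicConstraints = CA:FALSE
    subjectAltName = @alt_names
    extendedKeyUsage = clientAuth
    
    # Extensions for a certificate used on both sides of a connection
    # (serverAuth and clientAuth). Not referenced by this procedure.
    [ server_client ]
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    basicConstraints = CA:FALSE
    subjectAltName = ${ENV::SUBJECT_ALT_NAME}
    crlDistributionPoints = @crl
    extendedKeyUsage = serverAuth,clientAuth
    
    # Extensions for a typical intermediate CA (`man x509v3_config`). Not
    # referenced by this procedure. Export PATHLEN=CA:true,pathlen:0 to keep
    # the intermediate from issuing further CAs.
    [ v3_intermediate_ca ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, ${ENV::PATHLEN}
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    crlDistributionPoints = @crl
    authorityInfoAccess = @ocsp_section
    
    # Placeholder. Every section that references @crl embeds this URL as the
    # CRL distribution point; relying parties that check revocation will try
    # to fetch it, so replace it with the real published CRL location (or
    # remove the crlDistributionPoints lines) before issuing certificates.
    [ crl ]
    URI = http://localhost/ca.crl
    
    # Placeholder OCSP responder; same caveat as [crl].
    [ ocsp_section ]
    OCSP;URI.0 = http://localhost:2560/ocsp
    
    # Extension for OCSP signing certificates (`man ocsp`). Not referenced by
    # this procedure.
    [ ocsp ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning
    
    # NOTE(review): this reuses SUBJECT_ALT_NAME - which step 4 sets to the
    # server's "DNS:...,IP:..." list - as a Microsoft UPN otherName. That value
    # is not a UPN. Before using a section that references @alt_names, point
    # this at a dedicated variable holding the client's UPN, or replace it
    # with a DNS or email entry that names the client.
    [ alt_names ]
    # email = ${ENV::SUBJECT_ALT_NAME}
    otherName = msUPN;UTF8:${ENV::SUBJECT_ALT_NAME}
    
    # NOTE(review): keyCertSign/cRLSign together with CA:FALSE violates
    # RFC 5280 4.2.1.3 (keyCertSign requires cA = TRUE). Not referenced by
    # this procedure; fix or delete before use.
    [ v3_conf ]
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    basicConstraints = CA:FALSE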
    
  6. Create the server certificate signing request by running the following command.

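    # Server CSR. -subj sets the subject non-interactively: CN is taken from
    # COMMON_NAME (step 4) and the other fields match the
    # [req_distinguished_name] values in openssl.cnf - adjust them to your
    # organization. Without -subj or -config, openssl req prompts for every
    # field and nothing guarantees that the CN equals the server host name.
    openssl req -new -key grep11-server.key -subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN=${COMMON_NAME}" -out grep11-server.csr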
    
  7. Create the server certificate by running the following command.

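    # Sign the server CSR with the CA. -extensions server applies the [server]
    # section of openssl.cnf (CA:FALSE, serverAuth, the SAN from step 4).
    # -CAcreateserial creates grep11-ca.srl (with a random starting value when
    # used with -CA) and increments it on each use, so every certificate this
    # CA issues gets a unique serial number; a fixed -set_serial value would
    # repeat the same serial whenever this step is re-run, which RFC 5280
    # forbids and which confuses revocation handling.
    openssl x509 -sha256 -req -in grep11-server.csr -CA grep11-ca.pem -CAkey grep11-ca.key -CAcreateserial -extfile openssl.cnf -extensions server -days 730 -outform PEM -out grep11-server.pem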
    
  8. Create the client key by running the following command.

    # 2048-bit RSA key for the client, written unencrypted; restrict its
    # permissions (chmod 600) and hand it only to the client that will use it.
    openssl genrsa -out grep11-client.key 2048
    
  9. Create the client certificate signing request by running the following command.

    # Client CSR. No -config or -subj is given, so you are prompted for the
    # subject; the [req] section of openssl.cnf (whose CN is the server host
    # name) is not used here. Enter a CN that identifies the client and differs
    # from both the server host name and the CA subject.
    openssl req -new -key grep11-client.key -out grep11-client.csr
    
  10. Create the client certificate by running the following command.

    # NOTE(review): no -extfile/-extensions is passed, so the client certificate
    # is issued without any X.509v3 extensions - no basicConstraints CA:FALSE,
    # no keyUsage, no extendedKeyUsage clientAuth - and with OpenSSL 1.1.x as an
    # X.509 v1 certificate; the [client] section of openssl.cnf is never
    # applied. To issue a v3 client certificate, add
    # "-extfile openssl.cnf -extensions client" after replacing the placeholder
    # CRL/OCSP URLs and the msUPN subjectAltName that [client] references.
    # -CAcreateserial reuses/creates grep11-ca.srl so serials stay unique.
    openssl x509 -req -days 730 -in grep11-client.csr -CA grep11-ca.pem -CAcreateserial -CAkey grep11-ca.key -out grep11-client.pem