Create a self-signed CA server certificate
In this topic, we create a server certificate that will be used for configuring the https server.
A server certificate is a data object that is used to associate a server with its public key. Certificates are digitally signed by a Certificate Authority (CA) to prevent them from being manipulated.
- In a production environment, the server certificate request would be signed by a recognized third party (that is, a CA). However, for testing purposes our own self-signed CA server certificate, called testca, is created (with the options “-S -x”). The private key associated with testca will later be used to sign the server certificate.
- In the example below, the validity in months is specified with the option -v 48, together with a unique serial number, -m 5555.
- Certificates hold trust attributes in three different categories: ssl, email, and object signing.
- The trust attributes for each category can be set using the (trust) options -t <ssl>,<email>,<object signing>.
- The CA in this example has trust settings CTu,CTu,CTu (where C means “trusted CA for client authentication”, T means “trusted CA”, and u means “user”).
- Certificate extensions indicate how a certificate should be used. If an application does not recognize an extension that is marked as critical, the certificate must not be accepted. Non-critical extensions may be ignored if they are not recognized, but must be processed if they are recognized. In this example, you specify the options -1 (keyUsage), -2 (basic constraint extension) and -5 (nsCertType). You are prompted to select the appropriate extensions for our CA, as shown in the example below.
    # certutil -S -d /etc/httpd/nss -n testca -s "CN=Certificate Shack, O=example.com, C=US" -x -t CTu,CTu,CTu -g 2048 -m 5555 -v 48 -h myicatoken -1 -2 -5
    Enter Password or Pin for "myicatoken": 25345867
    ...
    Continue typing until the progress meter is full:
    |************************************************************|
    Finished. Press enter to continue:
    Generating key. This may take a few moments...

- Select option 5 (Cert signing key) as shown below:

        0 - Digital Signature
        1 - Non-repudiation
        2 - Key encipherment
        3 - Data encipherment
        4 - Key agreement
        5 - Cert signing key
        6 - CRL signing key
        Other to finish
         > 5
- Select option 9 (Other to finish) as shown below:

        0 - Digital Signature
        1 - Non-repudiation
        2 - Key encipherment
        3 - Data encipherment
        4 - Key agreement
        5 - Cert signing key
        6 - CRL signing key
        Other to finish
         > 9
- Select the options n, y, and y as shown below:

        Is this a critical extension [y/N]? n
        Is this a CA certificate [y/N]? y
        Enter the path length constraint, enter to skip [<0 for unlimited path]: > 10
        Is this a critical extension [y/N]? y
- Select option 5 (SSL CA) as shown below:

        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
         > 5
- Select option 6 (S/MIME CA) as shown below:

        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
         > 6
- Select option 7 (Object Signing CA) as shown below:

        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
         > 7
- Select option 9 (Other to finish) as shown below:

        0 - SSL Client
        1 - SSL Server
        2 - S/MIME
        3 - Object Signing
        4 - Reserved for future use
        5 - SSL CA
        6 - S/MIME CA
        7 - Object Signing CA
        Other to finish
         > 9
- Select option n as shown below:

        Is this a critical extension [y/N] n
        Notice: Trust flag u is set automatically if the private key is present.
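The extension choices made in the dialogue above (keyUsage with only "Cert signing key", a critical basicConstraints with CA=TRUE and path length 10, and nsCertType with SSL CA, S/MIME CA and Object Signing CA), together with the acceptance rule for critical extensions stated earlier in this topic, worked through in code. This is an added example and is not part of the original page or of the NSS certutil tool: it encodes the three extensions as DER with standard-library Python only, using bytes constructed here rather than read from a real certificate, and then parses them back applying the rule that an unrecognized critical extension rejects the certificate while an unrecognized non-critical one is ignored. The private-arc OID 1.3.6.1.4.1.99999.1 used for the unknown extension is a made-up placeholder.

```python
# Added example (not from the page): build and check the X.509 extensions chosen in the
# certutil dialogue above. Standard library only; all bytes are constructed here.

OID_KEY_USAGE = "2.5.29.15"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"
KNOWN = (OID_KEY_USAGE, OID_BASIC_CONSTRAINTS, OID_NS_CERT_TYPE)
# Bit positions match the option numbers in certutil's -1 and -5 menus.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
NS_CERT_TYPE_BITS = ["sslClient", "sslServer", "smime", "objectSigning",
                     "reserved", "sslCA", "smimeCA", "objectSigningCA"]

def der_tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "encoder handles short-form DER lengths only"
    return bytes([tag, len(body)]) + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_bitstring(bits: list) -> bytes:       # bit 0 is the MSB of byte 0
    buf = bytearray(max(bits) // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = len(buf) * 8 - (max(bits) + 1)   # DER: trailing zero bits are "unused"
    return der_tlv(0x03, bytes([unused]) + bytes(buf))

def extension(oid: str, critical: bool, value: bytes) -> bytes:
    body = der_oid(oid)
    if critical:                              # critical BOOLEAN DEFAULT FALSE: omit when false
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value))

def build_extensions(extra: bytes = b"") -> bytes:
    key_usage = der_bitstring([5])            # menu option 5: Cert signing key
    basic = der_tlv(0x30, der_tlv(0x01, b"\xff") + der_tlv(0x02, bytes([10])))  # CA, pathLen 10
    ns_type = der_bitstring([5, 6, 7])        # SSL CA, S/MIME CA, Object Signing CA
    return der_tlv(0x30, extension(OID_KEY_USAGE, False, key_usage)
                   + extension(OID_BASIC_CONSTRAINTS, True, basic)
                   + extension(OID_NS_CERT_TYPE, False, ns_type) + extra)

def read_tlv(buf: bytes, pos: int) -> tuple:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                             # long-form length
        nlen = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nlen], "big"), pos + nlen
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def bit_names(body: bytes, names: list) -> list:
    nbits = (len(body) - 1) * 8 - body[0]     # body[0] is the unused-bits count
    return [names[i] for i in range(min(nbits, len(names)))
            if body[1 + i // 8] & (0x80 >> (i % 8))]

def check_extensions(ext_seq: bytes) -> dict:
    """Reject on an unrecognized critical extension, ignore an unrecognized non-critical one."""
    result = {"accepted": True, "ignored": []}
    seq, pos = read_tlv(ext_seq, 0)[1], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        oid, critical = decode_oid(oid_body), False
        tag, value, p = read_tlv(ext, p)
        if tag == 0x01:                       # explicit critical flag present
            critical = value == b"\xff"
            _, value, p = read_tlv(ext, p)
        if oid not in KNOWN:
            if critical:
                return {"accepted": False, "rejected_by": oid}
            result["ignored"].append(oid)
        elif oid == OID_KEY_USAGE:
            result["keyUsage"] = bit_names(read_tlv(value, 0)[1], KEY_USAGE_BITS)
        elif oid == OID_NS_CERT_TYPE:
            result["nsCertType"] = bit_names(read_tlv(value, 0)[1], NS_CERT_TYPE_BITS)
        else:                                 # basicConstraints: [cA BOOLEAN] [pathLen INTEGER]
            bc, is_ca, path_len = read_tlv(value, 0)[1], False, None
            q = 0
            while q < len(bc):
                t, v, q = read_tlv(bc, q)
                is_ca = v == b"\xff" if t == 0x01 else is_ca
                path_len = int.from_bytes(v, "big") if t == 0x02 else path_len
            result["basicConstraints"] = {"ca": is_ca, "pathLen": path_len, "critical": critical}
    return result
```

Calling `check_extensions(build_extensions())` returns the decoded CA profile; appending an extension with an unknown OID marked critical makes the same call return a rejection, while the same unknown OID marked non-critical is merely listed as ignored. The encoder only emits short-form DER lengths, which suffices for this sample; the parser also accepts long-form lengths, as real certificate extension blocks usually require.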