{"id":1443,"date":"2021-04-20T07:27:49","date_gmt":"2021-04-19T19:27:49","guid":{"rendered":"https:\/\/www.ronella.xyz\/?p=1443"},"modified":"2021-04-20T07:27:49","modified_gmt":"2021-04-19T19:27:49","slug":"private-certification-authority-ca","status":"publish","type":"post","link":"https:\/\/www.ronella.xyz\/?p=1443","title":{"rendered":"Private Certification Authority (CA)"},"content":{"rendered":"<h2>Create the private key and certificate pair.<\/h2>\n<ol>\n<li>\n<p>Download the <strong>OpenSSL<\/strong> binaries from the following link if you are using Windows:<\/p>\n<p><a href=\"https:\/\/slproweb.com\/products\/Win32OpenSSL.html\">https:\/\/slproweb.com\/products\/Win32OpenSSL.html<\/a><\/p>\n<\/li>\n<li>\n<p>Create a <strong>ca.cnf<\/strong> file using the following template:<\/p>\n<pre><code>[ req ]\ndefault_bits        = 2048\ndefault_keyfile     = private.pem\ndistinguished_name  = subject\nreq_extensions      = req_ext\nx509_extensions     = x509_ext\nstring_mask         = utf8only\n\n# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).\n#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.\n[ subject ]\ncountryName         = Country Name (2 letter code)\ncountryName_default     = &lt;2_LETTER_COUNTRY_CODE&gt;\n\nstateOrProvinceName     = State or Province Name (full name)\nstateOrProvinceName_default = &lt;STATE_NAME&gt;\n\nlocalityName            = Locality Name (eg, city)\nlocalityName_default        = &lt;CITY_NAME&gt;\n\norganizationName         = Organization Name (eg, company)\norganizationName_default    = &lt;ORGANIZATION_NAME&gt;\n\norganizationalUnitName         = Organizational Unit (eg, section)\norganizationalUnitName_default = &lt;ORGANIZATIONAL_UNIT&gt;\n\n# Use a friendly name here because it's presented to the user. The server's DNS\n#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated\n#   by both IETF and CA\/Browser Forums. 
If you place a DNS name here, then you\n#   must include the DNS name in the SAN too (otherwise, Chrome and others that\n#   strictly follow the CA\/Browser Baseline Requirements will fail).\ncommonName          = Common Name (e.g. server FQDN or YOUR name)\ncommonName_default      = &lt;YOUR_NAME&gt;\n\nemailAddress            = Email Address\nemailAddress_default        = &lt;YOUR_EMAIL_ADDR&gt;\n\n# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...\n[ x509_ext ]\n\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier    = keyid,issuer\n\n# A CA certificate must assert CA:TRUE as a critical extension (RFC 5280) and\n#   should carry only the key usages a CA needs: signing certificates and CRLs.\nbasicConstraints        = critical, CA:TRUE\nkeyUsage            = critical, keyCertSign, cRLSign\nnsComment           = \"Private CA\"\n\n# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...\n[ req_ext ]\n\nsubjectKeyIdentifier        = hash\n\nbasicConstraints        = critical, CA:TRUE\nkeyUsage            = critical, keyCertSign, cRLSign\nnsComment           = \"Private CA\"<\/code><\/pre>\n<p>Replace the following placeholders in the template:<\/p>\n<table>\n<thead>\n<tr>\n<th>Field Name<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>2_LETTER_COUNTRY_CODE<\/td>\n<td>The two-letter code of your country.<\/td>\n<\/tr>\n<tr>\n<td>STATE_NAME<\/td>\n<td>The name of your state.<\/td>\n<\/tr>\n<tr>\n<td>CITY_NAME<\/td>\n<td>The name of your city.<\/td>\n<\/tr>\n<tr>\n<td>ORGANIZATION_NAME<\/td>\n<td>The name of your organization.<\/td>\n<\/tr>\n<tr>\n<td>ORGANIZATIONAL_UNIT<\/td>\n<td>The name of your section in the organization.<\/td>\n<\/tr>\n<tr>\n<td>YOUR_NAME<\/td>\n<td>Your full name or anything that represents you as a CA.<\/td>\n<\/tr>\n<tr>\n<td>YOUR_EMAIL_ADDR<\/td>\n<td>Your email address.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Example:<\/p>\n<pre><code>[ req ]\ndefault_bits        = 2048\ndefault_keyfile     = 
private.pem\ndistinguished_name  = subject\nreq_extensions      = req_ext\nx509_extensions     = x509_ext\nstring_mask         = utf8only\n\n# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).\n#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.\n[ subject ]\ncountryName         = Country Name (2 letter code)\ncountryName_default     = NZ\n\nstateOrProvinceName     = State or Province Name (full name)\nstateOrProvinceName_default = Wellington\n\nlocalityName            = Locality Name (eg, city)\nlocalityName_default        = Wellington\n\norganizationName         = Organization Name (eg, company)\norganizationName_default    = My Company\n\norganizationalUnitName         = Organizational Unit (eg, section)\norganizationalUnitName_default = IT Department\n\n# Use a friendly name here because it's presented to the user. The server's DNS\n#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated\n#   by both IETF and CA\/Browser Forums. If you place a DNS name here, then you\n#   must include the DNS name in the SAN too (otherwise, Chrome and others that\n#   strictly follow the CA\/Browser Baseline Requirements will fail).\ncommonName          = Common Name (e.g. server FQDN or YOUR name)\ncommonName_default      = Ronaldo Webb CA APR 2021\n\nemailAddress            = Email Address\nemailAddress_default        = ron@ronella.xyz\n\n# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...\n[ x509_ext ]\n\nsubjectKeyIdentifier        = hash\nauthorityKeyIdentifier    = keyid,issuer\n\n# A CA certificate must assert CA:TRUE as a critical extension (RFC 5280) and\n#   should carry only the key usages a CA needs: signing certificates and CRLs.\nbasicConstraints        = critical, CA:TRUE\nkeyUsage            = critical, keyCertSign, cRLSign\nnsComment           = \"Private CA\"\n\n# Section req_ext is used when generating a certificate signing request. 
I.e., openssl req ...\n[ req_ext ]\n\nsubjectKeyIdentifier        = hash\n\nbasicConstraints        = critical, CA:TRUE\nkeyUsage            = critical, keyCertSign, cRLSign\nnsComment           = \"Private CA\"<\/code><\/pre>\n<\/li>\n<li>\n<p>Generate a <strong>private key<\/strong> using the following command:<\/p>\n<pre><code>openssl genrsa -out ca.key.pem 2048<\/code><\/pre>\n<p>The key is written unencrypted. Whoever holds it can issue certificates that every client trusting this CA will accept, so restrict its file permissions and keep it off shared machines, or add <code>-aes256<\/code> to the command above to protect it with a passphrase.<\/p>\n<\/li>\n<li>\n<p>Generate a <strong>certificate<\/strong> with a validity of <strong>10 years<\/strong> from the private key using the following command:<\/p>\n<pre><code>openssl req -x509 -sha256 -new -nodes -key ca.key.pem -days 3650 -out ca.cert.crt -config ca.cnf<\/code><\/pre>\n<p>OpenSSL prompts for each Subject field with the <code>_default<\/code> value from <strong>ca.cnf<\/strong>; press Enter to accept it.<\/p>\n<\/li>\n<\/ol>\n<h2>Viewing the generated certificate<\/h2>\n<ol>\n<li>\n<p>View the generated certificate using the following command:<\/p>\n<pre><code>openssl x509 -in ca.cert.crt -noout -text<\/code><\/pre>\n<p>Confirm that <strong>X509v3 Basic Constraints<\/strong> reads <code>CA:TRUE<\/code> and that <strong>X509v3 Key Usage<\/strong> includes <code>Certificate Sign<\/code> and <code>CRL Sign<\/code>, the two usages a CA actually needs in order to sign certificates and CRLs.<\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Create the private key and certificate pair. 
Download OpenSSL binaries from the following link if you are using windows: https:\/\/slproweb.com\/products\/Win32OpenSSL.html Create a ca.cnf file using the following template: [ req ] default_bits = 2048 default_keyfile = private.pem distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only # The Subject DN can be [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/1443"}],"collection":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1443"}],"version-history":[{"count":1,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/1443\/revisions"}],"predecessor-version":[{"id":1444,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/1443\/revisions\/1444"}],"wp:attachment":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
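The procedure above run end to end, as an added example that is not part of the original post: it writes a `ca.cnf` equivalent to the template (with `prompt = no` so the DN is read from the file instead of interactive prompts), generates the CA key and self-signed CA certificate, and then goes one step beyond the post by issuing a server certificate signed by that CA and checking the chain and hostname with `openssl verify`. The working directory, the hostname `www.example.invalid`, the DN values and the file names are assumptions made for this example; it needs `openssl` 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build the private CA described
# above, then issue and verify one server certificate signed by it.
# Assumptions: openssl 1.1.1+ on PATH; hostname, DN values and file names
# are placeholders chosen for this example.
set -eu

# Write a ca.cnf equivalent to the post's template. prompt = no makes openssl
# take the DN straight from [ subject ] instead of asking interactively.
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = subject
x509_extensions     = x509_ext
string_mask         = utf8only
prompt              = no

[ subject ]
countryName             = NZ
stateOrProvinceName     = Wellington
localityName            = Wellington
organizationName        = My Company
organizationalUnitName  = IT Department
commonName              = Example Private CA

[ x509_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
# CA:TRUE must be critical (RFC 5280); a CA only needs to sign certs and CRLs.
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
EOF
}

# Steps 2-4 of the post: config, CA private key, self-signed CA certificate.
# The key file is left unencrypted here, so at least lock down its mode.
build_ca() {
  write_ca_config "$1/ca.cnf"
  openssl genrsa -out "$1/ca.key.pem" 2048 2>/dev/null
  chmod 600 "$1/ca.key.pem"
  openssl req -x509 -sha256 -new -key "$1/ca.key.pem" -days 3650 \
      -out "$1/ca.cert.crt" -config "$1/ca.cnf"
}

# Beyond the post: issue a leaf certificate for hostname $2, signed by the CA
# in directory $1. The leaf is explicitly CA:FALSE, limited to serverAuth, and
# carries the hostname in subjectAltName (clients ignore a hostname in CN alone).
issue_server_cert() {
  openssl genrsa -out "$1/$2.key.pem" 2048 2>/dev/null
  # -subj overrides the DN from ca.cnf; the config is only reused so that
  # openssl does not depend on a system-wide openssl.cnf being present.
  openssl req -new -sha256 -key "$1/$2.key.pem" -subj "/CN=$2" \
      -config "$1/ca.cnf" -out "$1/$2.csr.pem"
  cat > "$1/$2.ext" <<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -sha256 -in "$1/$2.csr.pem" -CA "$1/ca.cert.crt" \
      -CAkey "$1/ca.key.pem" -CAcreateserial -days 397 \
      -extfile "$1/$2.ext" -out "$1/$2.cert.crt" 2>/dev/null
}

# Check: does the certificate in $1 assert CA:TRUE? (exit 0 = yes)
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check: does leaf $2 chain to CA $1 and match hostname $3? (exit 0 = yes)
verify_leaf() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

main() {
  dir=$(mktemp -d)
  build_ca "$dir"
  issue_server_cert "$dir" www.example.invalid
  cert_is_ca "$dir/ca.cert.crt" && echo "CA certificate asserts CA:TRUE"
  cert_is_ca "$dir/www.example.invalid.cert.crt" || echo "Leaf certificate is not a CA"
  verify_leaf "$dir/ca.cert.crt" "$dir/www.example.invalid.cert.crt" www.example.invalid \
      && echo "Leaf verifies against the CA for www.example.invalid"
  # The same leaf must be rejected for a hostname it does not name.
  verify_leaf "$dir/ca.cert.crt" "$dir/www.example.invalid.cert.crt" other.example.invalid \
      || echo "Leaf rejected for other.example.invalid, as expected"
  echo "Artifacts left in $dir"
}

main "$@"
```

The negative check at the end is the one worth keeping around: a CA that issues leaves without a matching `subjectAltName`, or with `CA:TRUE` left on by mistake, will pass a plain `openssl verify` and only fail once a browser or TLS library applies hostname and path-length rules, so test both outcomes before trusting the CA on real clients.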