
Tuesday, 26 August 2014

Managing certificate requests with OpenSSL

Generate a 2048-bit RSA private key, encrypted with a passphrase (-des3).
$ openssl genrsa -des3 -out private.key 2048
Generate the CSR from the newly created private key, using a SHA-2 (SHA-256) hash. Compatibility of the SHA-2 hash can be read here.
$ openssl req -sha256 -new -key private.key -out cert.csr
Create a PKCS#12 file which holds the signed certificate (public key) and the private key (password protected).
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12
Check the CSR:
$ openssl req -text -noout -in csr.req
Generate a self-signed certificate with a lifetime of 1 year (-nodes leaves the private key unencrypted on disk):
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my_key.pem -out my_cert.pem
When you want to make a PFX file, and you want to include the whole trusted CA chain in it, you can do this with the following steps:

1) Make a PEM file with all upstream trusted Intermediates and the Root CA in it
2) Use OpenSSL to generate the PKCS#12 file with the new PEM file included

Step 1: Use an advanced text editor (I use Notepad++) to copy the chain into one PEM file. Copy the Intermediate CA in first, and directly after that the Root CA. Save the file. I saved the file as trusted_chain.pem.

Step 2: Use the following OpenSSL command to generate the PKCS#12 file with the whole chain in it:

$ openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem -certfile trusted_chain.pem
In this example, the private key is included in certificate.pem. 
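
The two steps above can be scripted and checked end to end. The following is an added example, not part of the original post: it builds a throwaway Root, Intermediate and leaf certificate, assembles trusted_chain.pem in the order described, verifies the chain before packaging, and counts the certificates that end up in the PFX. All subjects, the export password, the `.ext` file and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every name, subject and password below is constructed.

new_csr() {  # $1 = base name, $2 = CN; writes $1.key (unencrypted) and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pki() (  # $1 = work dir; creates a throwaway root, intermediate, leaf
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null &&
  new_csr intermediate "Demo Intermediate CA" &&
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out intermediate.pem 2>/dev/null &&
  new_csr leaf "demo.example.test" &&
  openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
)

build_pfx() (  # $1 = work dir, $2 = export password
  cd "$1" || exit 1
  # Step 1 from the post: Intermediate first, Root directly after it.
  cat intermediate.pem root.pem > trusted_chain.pem
  # Check before packaging: the leaf must chain to the root via the intermediate.
  openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem \
    >/dev/null 2>&1 || exit 1
  # As in the post, certificate.pem holds the certificate and its private key.
  cat leaf.pem leaf.key > certificate.pem
  # Step 2 from the post, with the password supplied non-interactively.
  openssl pkcs12 -export -out incl_chain.pfx -in certificate.pem \
    -certfile trusted_chain.pem -passout "pass:$2"
)

count_pfx_certs() {  # $1 = PFX file, $2 = password; prints number of certificates
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

Run `make_demo_pki` and `build_pfx` against an empty temporary directory; `count_pfx_certs` should then report 3 (leaf, Intermediate, Root). A lower count means the chain file was not picked up.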
