Becoming A Private Ca - Colubris Networks CN3000 Administrator's Manual

Chapter 10 - SSL certificates

Becoming a private CA

This procedure enables you to sign your web server certificates using your own private
key. Users who trust you will be able to trust the certificates you have signed, providing
that they have your public key certificate.
Note: This section demonstrates how to create the equivalent of the noc-ca.crt
certificate described in the section "Test the NOC authentication feature" on page 323.
Creating the CA certificates
You will be asked for a password to protect the new private key, which will be the private
key for your own Certificate Authority.
Important: This password will be required when signing subsequent certificates.
Ideally, the private key should be handled as one of your corporate secrets and should
be in a safe location accessible to the person responsible for signing the certificates.
For the purposes of this example:
• the certificate will be requested for the domain name: CompanyCA
• the secret password used to protect the key is CA_key_password
1. Open a Windows command-line session.
2. Go to the directory where you installed the certificate tools. This example assumes
c:\certificates.
3. Execute the command: newca CompanyCA
C:\certificates\DemoCA>newca CompanyCA
You will be asked for a password protecting your
Certificate Authority Private Key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'CA\private\CAkey.pem'
Enter PEM pass phrase: CA_key_password
Verifying password - Enter PEM pass phrase: CA_key_password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Laval]:
Organization Name (eg, company) [Colubris Networks Inc.]:Company Inc.
Organizational Unit Name (eg, section) [Research & Development]:Department
Your Name []:Test-Only Certificate Authority
Email Address [support@colubris.com]:ca@company.com
The certificate for your CA will then be displayed.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=Quebec, L=Laval, O=Company Inc., OU=Department, CN=Test-Only Certificate Authority/Email=ca@company.com
Validity
Not Before: Feb 27 21:46:40 2002 GMT
Not After : Feb 27 21:46:40 2003 GMT
Subject: C=CA, ST=Quebec, L=Laval, O=Company Inc., OU=Department, CN=Test-Only Certificate Authority/Email=ca@company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c5:b8:ff:2b:82:cf:93:39:eb:90:ff:fe:21:a0:
de:d4:38:0c:ae:08:f3:dc:d5:52:59:80:9d:72:5a:
9b:2d:cf:22:e3:84:c9:f7:e1:99:67:7b:08:74:71:
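
Added example (not part of the original manual or its certificate tools): the CA certificate displayed above is signed with md5WithRSAEncryption and carries a 1024-bit RSA key, both below what current guidance accepts for a CA. The Python script below audits a certificate text dump in this format; the function names, the 2048-bit floor and the weak-digest list are assumptions of this example.

```python
import re
from datetime import datetime

# Header fields copied from the CA certificate displayed above (modulus omitted).
SAMPLE = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CA, ST=Quebec, L=Laval, O=Company Inc., OU=Department, CN=Test-Only Certificate Authority/Email=ca@company.com
        Validity
            Not Before: Feb 27 21:46:40 2002 GMT
            Not After : Feb 27 21:46:40 2003 GMT
        Subject: C=CA, ST=Quebec, L=Laval, O=Company Inc., OU=Department, CN=Test-Only Certificate Authority/Email=ca@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
"""

WEAK_DIGESTS = ("md2", "md5", "sha1")  # signature hashes with known collision attacks
MIN_RSA_BITS = 2048                     # assumed policy floor; adjust to local policy
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def field(text, label):
    """Return the value after 'label:' on its line, or None if absent."""
    m = re.search(r"^\s*" + label + r"\s*:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def audit_cert_text(text):
    """Return a list of findings for one certificate text dump."""
    findings = []
    sig = field(text, "Signature Algorithm") or ""
    if sig.lower().startswith(WEAK_DIGESTS):
        findings.append(f"weak signature algorithm: {sig}")
    bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key too short: {bits.group(1)} bits")
    issuer, subject = field(text, "Issuer"), field(text, "Subject")
    if issuer and issuer == subject:
        findings.append("self-issued: trust rests on how the CA certificate is distributed")
    start, end = field(text, "Not Before"), field(text, "Not After")
    if start and end:
        days = (datetime.strptime(end, DATE_FMT) - datetime.strptime(start, DATE_FMT)).days
        findings.append(f"validity period: {days} days")
    return findings

if __name__ == "__main__":
    for line in audit_cert_text(SAMPLE):
        print(line)
```

The same function can be run over the text form of any certificate signed by this CA, since those certificates use the same output layout.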