Example: How To Generate Ssl Certificates Using Openssl - HP NonStop SSL Reference Manual

Example: How to Generate SSL Certificates Using OpenSSL

This example shows how to create a self-signed CA certificate and a server certificate signed by the CA certificate, and
how to convert the certificates into the format used by HP NonStop SSL, as well as setting the appropriate configuration
parameters. The example also shows how to create a signing request to be submitted to a Certification Authority (CA).
Many customers require server certificates to be signed by a trusted CA (e.g. Verisign, Thawte, etc). Some customers
also purchase an intermediate CA certificate from a trusted CA so they can sign/issue their own corporate server
certificates with the intermediate CA certificate purchased from a trusted CA. Note that generating self-signed
certificates or certificates signed by an OpenSSL self-generated CA (as in the example) may not be appropriate for a
customer's security environment. Customers should only use this procedure if their security environment allows
generating their own CA certificate and server certificates, otherwise they should consult their security department for
recommended actions to obtain SSL certificates.
When submitting a signing request to a trusted CA authority, the steps for generating a CA certificate are skipped, and all
steps from "To Generate the Server Certificate" are executed except steps (4) and (5). The signing request (CSR) is sent
to the CA, and the signed server certificate and the root certificate are returned. If the certificates are returned in PEM
format, they must be converted to DER format.
To Prepare for Certificate Generation
1. Obtain a copy of OpenSSL. For Unix/Linux systems, build it from source code or obtain it via your package
manager. For Windows-based systems, it is best to install the prebuilt OpenSSL for Windows binaries, see
http://www.openssl.org/related/binaries.html. In this example, OpenSSL version 1.0.0e (6 Sep 2011) for
Windows was used. The commands shown apply for Unix/Linux systems as well.
2. Create a directory OpenSSL_certificates, and within it directories "ca", "server", and "newcerts".
3. All OpenSSL commands shown in this example except the genrsa command require a configuration file. By
default, a file named openssl.cfg is expected in the directory where the OpenSSL binary resides. A different
filename and location can be specified with the -config option. Windows OpenSSL implementations usually
include a configuration file, but if not, an example can be easily obtained by searching the Internet for
"openssl.cfg example". Note that for OpenSSL versions 0.9.8g and lower the default config file name is
"openssl.cnf". Save the config file example and edit a copy of it as desired. In this certificate generation
example, the "dir" statement in the config file was set to "./" (current directory "OpenSSL_certificates"). For
convenience, the countryName_default was set to "US", stateOrProvinceName_default to "California",
0.organizationName_default to "comForte Inc", and organizationalUnitName_default to "Development" in
section [req_distinguished_name].
To Generate the CA Certificate
(Skip this if an external CA is used)
1. Generate the private key for a root CA. Give a pass phrase when prompted. The key is used later during the
signing process.
SSL encryption is based on public key cryptography and always uses a pair of keys: the private key (generated
in this step) and the public key encapsulated in the certificate (see next step). The following command will
generate a 4096 bit RSA key which will be encrypted with the AES256 algorithm. The file generated is
"cakey.pem" where the extension "pem" indicates PEM formatting.
openssl genrsa -aes256 -out ca\cakey.pem 4096
2. Create the internal root CA. Enter the pass phrase from (1) and supply Country Name, State or Province Name,
Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email Address. Defaults
can be specified in the config file (as in the example). The following command generates the root certicate
"cacert.pem" in PEM format, and will contain the public key. The certificate is valid for 365 days.
openssl req -out ca\cacert.pem -new -key ca\cakey.pem -x509 -days 365
HP NonStop SSL Reference Manual
SSL Reference • 103