From - Tue May 20 18:21:26 1997
Path: secnews.netscape.com!rls@netscape.com
From: Oscar Jacobsson
Newsgroups: netscape.security
Subject: Re: Personal Certificates
Date: Thu, 15 May 1997 14:43:36 +0100
Organization: Media Communications Eur AB (publ)
Lines: 79
Message-ID: <337B1308.A0FDDFE8@medcom.se>
References: <337730ED.41C6@stevens-tech.edu>
Reply-To: oscar@medcom.se
NNTP-Posting-Host: ns.medcom.se
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.0b4 [en] (WinNT; I)
To: Barney Leinberger
X-Priority: 3 (Normal)

Barney Leinberger wrote:
> I am currently testing the Communicator package on our system and would
> like to create our own certificate. We currently have SSLeay on a
> server, and we just need to know how to create our own.

Before I begin I would like to stress the fact that I am well aware that
this isn't the fastest method. It is however probably the one easiest to
follow. (Never thought I'd hear myself issuing disclaimers...) :)

1. Generation of a private key.

deep_blue> ssleay genrsa -des3 -rand (random files) -out temp.key 1024

Where
  -des3 signifies that the key will be stored on disk using triple-DES
    encryption.
  -rand is a colon-delimited list of files with pseudo-random contents,
    say log files and caches etc.
  -out (filename) stores the private key in a file rather than piping it
    to the standard output.
  1024 is simply the size of the private key.

2. Generation of a certificate signing request.

deep_blue> ssleay req -config ssleay.cnf -new -key temp.key -out temp.csr

Where
  -config (filename) is where you keep the policies for the CA. Basically
    which sections of the X.500 cert are mandatory or fixed.
  -new signifies that the actual request is taken from the console, rather
    than from an existing file or pipe.
  -key (filename) is a pointer to the private key created in step 1.
  -out (filename) is the filename of the resulting file, so we won't get
    our standard out all messy.

3. Signing the certificate request.

deep_blue> ssleay ca -config ssleay.cnf -name temp_policy -days 365 -md sha
           -policy policy_temp -keyfile CA.key -cert CA.cert -in temp.csr
           -out temp.cert -outdir .

Where
  -config again points to the CA's configuration file
  -name points to a named subset of the configuration
  -days is the number of days for the cert to be valid
  -md is a choice of hash algorithms: md2, md5, sha or sha1
  -policy specifies which policy to use for signing the cert, in effect
    the amount of leniency tolerated.
  -keyfile (filename) is the private key of the CA
  -cert (filename) is the certificate of the CA
  -in (filename) is the certificate request to sign
  -out (filename) is what to call the signed certificate
  -outdir (dirname) is where to put the signed cert (the standard ssleay
    CA directories are a bit of a mess IMHO)

If all has gone well you'll now be the proud owner of a new cert. The fun
part is getting it all into Communicator, but that's a different story
entirely. :)

Can anybody comment on what this "PKCS-12" format for certificate import
in PR4 is? Last time I looked there were only 11 PKCS's. It doesn't seem
to swallow DER- or PEM-encoded certs...

//oscar
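The three steps in the post, typed out end to end with modern OpenSSL (the descendant of SSLeay; the `ssleay` binary became `openssl`), as an added example that is not part of Oscar's post. The script also writes the `ssleay.cnf` that the `-config`/`-name`/`-policy` flags refer to, since the post assumes it already exists, and finishes with a PKCS#12 export, PKCS#12 being the "personal information exchange" container that bundles a private key with its certificate chain, which is what a browser's certificate import reads rather than a bare DER or PEM cert. Everything concrete here is constructed for the example: the throwaway directory layout, the passphrases, the "Demo CA" and "Test User" subjects, and the 2048-bit keys with sha256 in place of the post's 1024 and `sha` (SHA-0), which current OpenSSL would either reject or warn about. `-rand` is dropped because modern OpenSSL seeds itself from the OS.

```shell
#!/bin/sh
# Added example, not the original post's commands: SSLeay's genrsa / req / ca
# procedure with modern OpenSSL, plus a PKCS#12 export at the end.
# Assumed/constructed: directory layout, passphrases, subjects, 2048-bit keys, sha256.
set -eu

# The CA directory and the ssleay.cnf-style config the post refers to.
# Paths are written absolutely so the script runs from any working directory.
setup_ca_dir() {
  cadir=$1
  mkdir -p "$cadir/newcerts"
  : > "$cadir/index.txt"          # the CA database; openssl ca refuses to run without it
  echo 1000 > "$cadir/serial"     # next serial number, in hex
  cat > "$cadir/ssleay.cnf" <<EOF
[ ca ]
default_ca = temp_policy
# the -name section: where this CA keeps its state and defaults
[ temp_policy ]
database        = $cadir/index.txt
new_certs_dir   = $cadir/newcerts
serial          = $cadir/serial
default_md      = sha256
default_days    = 365
policy          = policy_temp
x509_extensions = client_ext
# the -policy section: which DN fields a request must carry (the "leniency")
[ policy_temp ]
commonName       = supplied
emailAddress     = optional
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
# extensions for the self-signed CA cert; without CA:TRUE verify rejects it as an issuer
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# extensions for the personal (end-entity) cert
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 1: "ssleay genrsa -des3 -rand ... -out temp.key 1024".
# The key file is still triple-DES encrypted under the given passphrase.
gen_private_key() {
  openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048
}

# Step 2: "ssleay req -config ssleay.cnf -new -key temp.key -out temp.csr".
# -subj stands in for the console prompts the post describes.
gen_csr() {
  openssl req -config "$1" -new -key "$2" -passin "pass:$3" \
    -subj "/O=Example Org/CN=Test User/emailAddress=test@example.com" -out "$4"
}

# Step 3: "ssleay ca ...", same flags as the post plus -batch (no y/n prompt) and -notext.
sign_csr() {
  cadir=$1
  openssl ca -config "$cadir/ssleay.cnf" -name temp_policy -days 365 -md sha256 \
    -policy policy_temp -keyfile "$cadir/CA.key" -passin "pass:$2" \
    -cert "$cadir/CA.cert" -in "$3" -out "$4" -outdir "$cadir/newcerts" -batch -notext
}

# The whole procedure, ending with the PKCS#12 bundle (key + cert + issuing CA cert).
make_personal_cert() {
  work=$1
  setup_ca_dir "$work"
  # The CA's own key and self-signed cert, which the post assumes already exist.
  gen_private_key "$work/CA.key" capass
  openssl req -config "$work/ssleay.cnf" -x509 -new -key "$work/CA.key" \
    -passin pass:capass -subj "/CN=Demo CA" -days 3650 -out "$work/CA.cert"
  gen_private_key "$work/temp.key" keypass
  gen_csr "$work/ssleay.cnf" "$work/temp.key" keypass "$work/temp.csr"
  sign_csr "$work" capass "$work/temp.csr" "$work/temp.cert"
  openssl pkcs12 -export -in "$work/temp.cert" -inkey "$work/temp.key" -passin pass:keypass \
    -certfile "$work/CA.cert" -name "Test User" -out "$work/temp.p12" -passout pass:p12pass
}

# Checks worth running before handing the bundle over: the cert chains to the CA,
# and the PKCS#12 really contains the expected end-entity cert.
verify_personal_cert() {
  work=$1
  openssl verify -CAfile "$work/CA.cert" "$work/temp.cert" >/dev/null &&
  openssl pkcs12 -in "$work/temp.p12" -passin pass:p12pass -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject | grep -q 'Test User'
}

# Stand-alone run: build everything in a fresh temp directory.
demo() {
  d=$(mktemp -d)
  make_personal_cert "$d"
  verify_personal_cert "$d" && echo "personal cert and PKCS#12 bundle written to $d"
}
demo
```

`openssl ca` keeps its state in `index.txt` and `serial`, which is why the script creates both before the first signature; the same CA directory can then sign further requests, and `openssl ca` will refuse a second request with an identical subject unless `unique_subject = no` is set in the `-name` section.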