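# Root CA: self-signed certificate plus the bookkeeping files that root_ca.conf
# expects. $dir mirrors "dir = ." in root_ca.conf and defaults to the current
# directory; root_ca.key / root_ca.crt are written to the current directory.
dir=${dir:-.}
# No -config is given, so the root certificate's extensions come from the
# system openssl.cnf (its default req/x509 section). Check the result with
# "openssl x509 -in root_ca.crt -noout -text" and expect basicConstraints CA:TRUE.
# -set_serial 0 was dropped: RFC 5280 requires a positive serial number, and
# without the option OpenSSL assigns a random one.
# The umask in the subshell keeps the (passphrase-protected) key file owner-only.
( umask 077; openssl req -new -x509 -keyout root_ca.key -out root_ca.crt \
    -days 36500 -newkey rsa:4096 -sha512 )
# openssl ca does not create these. The paths must match database=, serial=
# and new_certs_dir= in root_ca.conf (root_ca_signing/, root_ca_signed/), and
# the directory has to exist before index.txt can be created inside it.
mkdir -p -- "$dir/root_ca_signing" "$dir/root_ca_signed"
touch -- "$dir/root_ca_signing/index.txt"
printf '%s\n' 000a > "$dir/root_ca_signing/serial"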
# root_ca.conf: "openssl ca" configuration for the root CA. Used on this page
# with -config root_ca.conf -name root_ca to sign the sub-CA request and to
# revoke certificates. Every certificate issued through this section gets the
# [ ca_cert ] extensions, so it is only suitable for signing sub-CA requests.
[ root_ca ]
dir = . # Where everything is kept (relative to the directory openssl ca is run from)
# openssl ca does not create the database, serial file or new_certs_dir:
# root_ca_signing/ (with an empty index.txt and a hex serial) and
# root_ca_signed/ must exist before the first signing.
database = $dir/root_ca_signing/index.txt # database index file.
certificate = $dir/root_ca.crt # The CA certificate
serial = $dir/root_ca_signing/serial # The current serial number
private_key = $dir/root_ca.key # The private key
new_certs_dir = $dir/root_ca_signed # one <serial>.pem copy per issued certificate
x509_extensions = ca_cert # The extensions to add to the cert (CA:TRUE, pathlen:0)
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# Left off here: with "copy", extensions requested in a CSR that [ ca_cert ]
# does not set would be carried into the sub-CA certificate.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 36500 # how long to certify for (about 100 years)
default_crl_days= 30 # how long before next CRL (CRLs are produced by "openssl ca -gencrl")
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything # see [ policy_anything ] below: only commonName is required
# Extensions for certificates issued by root_ca, i.e. sub-CA certificates.
# NOTE(review): no keyUsage is set; keyCertSign and cRLSign are the usual
# values for a CA certificate — confirm this is intended.
[ ca_cert ]
basicConstraints=CA:TRUE, pathlen:0 # a CA, but it may not issue further CA certificates (no deeper sub-CAs)
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# Which DN fields a request must carry: only commonName is mandatory, the
# others may be absent, and none has to match the CA's own DN.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Section used by "openssl ca" when -name is not given on the command line.
[ ca ]
default_ca = root_ca
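# Sub CA: key and request, signed by the root CA with root_ca.conf (section
# root_ca), so the issued certificate carries the [ ca_cert ] extensions
# (CA:TRUE, pathlen:0). Then the bookkeeping files that sub_ca.conf expects.
# $dir mirrors "dir = ." in sub_ca.conf and defaults to the current directory.
dir=${dir:-.}
# The umask in the subshell keeps the (passphrase-protected) key file owner-only.
( umask 077; openssl req -new -keyout sub_ca.key -newkey rsa:4096 -out sub_ca.csr )
# Interactive: openssl ca prints the request and asks for confirmation;
# check the subject before answering.
openssl ca -name root_ca -in sub_ca.csr -out sub_ca.crt -config root_ca.conf
# openssl ca does not create these. The paths must match database=, serial=
# and new_certs_dir= in sub_ca.conf (signing/, signed/), and the directory
# has to exist before index.txt can be created inside it.
mkdir -p -- "$dir/signing" "$dir/signed"
touch -- "$dir/signing/index.txt"
printf '%s\n' 000a > "$dir/signing/serial"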
# sub_ca.conf: "openssl ca" configuration for the intermediate (sub) CA. Used
# on this page with -config sub_ca.conf -name sub_ca to sign end-entity
# requests; issued certificates get the [ usr_cert ] extensions (CA:FALSE).
# There is no [ ca ] default section in the file as shown here, so -name sub_ca
# is required on the command line.
[ sub_ca ]
dir = . # Where everything is kept (relative to the directory openssl ca is run from)
certificate = $dir/sub_ca.crt # The CA certificate (issued by root_ca)
private_key = $dir/sub_ca.key # The private key
# openssl ca does not create the files below: signing/ (with an empty
# index.txt and a hex serial) and signed/ must exist before the first signing.
serial = $dir/signing/serial # The current serial number
database = $dir/signing/index.txt # database index file.
new_certs_dir = $dir/signed # one <serial>.pem copy per issued certificate
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# needed for subjectAltName: the req_extensions of the request (see
# certificate.conf) are carried into the certificate. Only extensions that
# [ usr_cert ] does not already set are copied, so a request cannot override
# basicConstraints, but it can add others (e.g. keyUsage, extendedKeyUsage).
# Review a request's extensions before signing:
#   openssl req -in certificate.csr -noout -text
copy_extensions = copy
# NOTE(review): 356 looks like a typo for 365 (one year) — confirm.
default_days = 356 # how long to certify for
default_crl_days= 30 # how long before next CRL (CRLs are produced by "openssl ca -gencrl")
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything # see [ policy_anything ] below: only commonName is required
# Extensions for certificates issued by sub_ca: end-entity certificates only.
[ usr_cert ]
basicConstraints=CA:FALSE # issued certificates may not act as a CA
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Only commonName is mandatory in a request; the others may be absent, and
# none has to match the CA's own DN.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
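# Key and request for a server certificate. -nodes stores the key unencrypted
# so a service can load it without a passphrase: the umask in the subshell
# keeps certificate.key owner-only, and the file must be protected like any
# other credential. Without -config certificate.conf the request carries no
# subjectAltName (see [ certificate_ext ] in certificate.conf).
( umask 077; openssl req -new -newkey rsa:4096 -nodes -keyout certificate.key -out certificate.csr )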
-nodes schaltet die Encryption aus, ergo muss man kein Passwort eingeben. Das ist für Server-Dienste sinnvoll.

openssl req -new -keyout certificate.key -out certificate.csr -newkey rsa:4096 -nodes -config certificate.conf
# certificate.conf: "openssl req" configuration for an end-entity (server)
# request; used on this page with -config certificate.conf.
[ req ]
default_bits = 4096 # key size when -newkey does not give one
default_keyfile = certificate.key # key output file when -keyout is not given
distinguished_name = certificate_basis # prompts and defaults for the subject
req_extensions = certificate_ext # put into the CSR; sub_ca.conf copies them (copy_extensions = copy)
# Per subject field: the prompt text (field), the default (field_default) and
# an optional length limit (field_max). An empty default still prompts.
[ certificate_basis ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
localityName_default =
organizationName = Organization Name (eg, company)
organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_default =
commonName_max = 64
# Host names the certificate is valid for. Clients validate the host name
# against the SAN rather than the CN, so list the commonName here as well.
[ certificate_ext ]
subjectAltName = "DNS:ldap.example.net, DNS:srv1.example.net"
====== SigningRequest unterschreiben ======
Zertifikat mit Sub CA signieren
# Sign the server request with the sub CA (sub_ca.conf, section sub_ca) and
# write the issued certificate to certificate.crt. Interactive: the request
# is displayed and confirmation is asked before signing — with
# copy_extensions = copy in sub_ca.conf, check the requested extensions too.
openssl ca -config sub_ca.conf -name sub_ca \
  -in certificate.csr \
  -out certificate.crt
den Signing Request wie gewohnt unterschreiben lassen. Sollte dabei der Fehler ...
failed to update database
TXT_DB error number 2
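# Revoke an issued certificate by its serial (hex, as in the CA's index.txt
# and the file name in new_certs_dir). "openssl ca" reporting
# "failed to update database / TXT_DB error number 2" means index.txt already
# holds a valid entry for that subject; revoking the old certificate clears it.
# Defaults target the root CA as on this page. For a certificate issued by the
# sub CA use ca_conf=sub_ca.conf ca_name=sub_ca certs_dir=signed.
serial=${serial:?hex serial of the certificate to revoke}
openssl ca -config "${ca_conf:-root_ca.conf}" -name "${ca_name:-root_ca}" \
  -revoke "${certs_dir:-root_ca_signed}/${serial}.pem"
# Relying parties only learn of the revocation once a new CRL is issued and
# published, e.g. openssl ca -config root_ca.conf -name root_ca -gencrl -out root_ca.crl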