Creating private keys and certificates

About this task

The following steps explain how to create one key and one certificate. You can decide to use one key and certificate pair for the entire network, one for each domain, or one for each workstation. The steps below assume that you will be creating a key and certificate pair for each workstation and thus the name of the output files created during the process has been generalized to workstationname.

On each workstation, perform the following steps to create a private key and a certificate:
  1. Enter the following command from the SSL directory to initialize the pseudo random number generator; otherwise, subsequent commands might not work.
    • On Windows operating systems:
      $ openssl rand -out workstationname.rnd -rand ./openssl.exe 8192
    • On UNIX and Linux operating systems:
      $ openssl rand -out workstationname.rnd -rand ./openssl 8192
  2. Enter the following command to create the private key (this example shows triple-DES encryption):
    $ openssl genrsa -des3 -out workstationname.key 2048
    Then, save the password that was requested to encrypt the key in a file named workstationname.pwd.
    Note: Verify that file workstationname.pwd contains just the characters in the password. For instance, if you specified the word maestro as the password, your workstationname.pwd file should not contain any CR or LF characters at the end (it should be 7 bytes long).
  3. Protect the password file. You can choose either to create a stash file or to encrypt your password file:
    stash file
    Enter the following command to save your password, encoded in base64, into the appropriate stash file:
    $ openssl base64 -in workstationname.pwd -out workstationname.sth

    You can then delete the file workstationname.pwd.

    encrypted password file
    Run the following command to replace the password in the file with its encrypted, base64-encoded form:
    $ conman crypt workstationname.pwd

    Example: If workstationname.pwd contains the string secreat (the password you set), then after you run $ conman crypt workstationname.pwd the file workstationname.pwd contains the string {3DES}poh56FeTy+=/jhtf2djur, which is the encrypted password.

  4. Enter the following command to create a certificate signing request (CSR):
    $ openssl req -new -key workstationname.key -out workstationname.csr
       -config ./openssl.cnf

    Some values, such as company name and personal name, are requested interactively. For future compatibility, you might specify the workstation name as the distinguished name.

  5. Send the workstationname.csr file to your CA in order to get the matching certificate for this private key.
    Using its private key (TWSca.key) and certificate (TWSca.crt), the CA will sign the CSR (workstationname.csr) and create a signed certificate (workstationname.crt) with the following command:
    $ openssl x509 -req -CA TWSca.crt -CAkey TWSca.key -days 365
       -in workstationname.csr   -out workstationname.crt -CAcreateserial
  6. Distribute to the workstation the new certificate workstationname.crt and the public CA certificate TWSca.crt.
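The steps above as an added shell script (not part of the original documentation): it writes workstationname.pwd without a trailing newline, checks it the way the note in step 2 asks (7 bytes for maestro), and runs steps 2 to 5 non-interactively using the stash-file variant of step 3. It assumes openssl is on the PATH, ./openssl.cnf is in the current directory, and the CA files TWSca.crt and TWSca.key are passed as arguments.

```sh
#!/bin/sh
# Added example, not from the original documentation: automates steps 2 to 5
# for one workstation (stash-file variant of step 3) and enforces the step 2
# note that workstationname.pwd holds only the password bytes, no CR/LF.
# Assumes openssl on PATH, ./openssl.cnf in the current directory, and the CA
# files (TWSca.crt / TWSca.key) passed as arguments.
set -eu

# write_password_file FILE PASSWORD: printf '%s' adds no trailing newline
# (echo would), so the file is exactly the password bytes.
write_password_file() {
  printf '%s' "$2" > "$1"
  chmod 600 "$1"
}

# check_password_file FILE PASSWORD: succeeds only if FILE is byte-for-byte
# the password; a trailing LF or CR LF changes the byte count and fails.
check_password_file() {
  file="$1"; expected="$2"
  file_bytes=$(wc -c < "$file" | tr -d ' ')
  want_bytes=$(printf '%s' "$expected" | wc -c | tr -d ' ')
  [ "$file_bytes" -eq "$want_bytes" ] || return 1
  [ "$(cat "$file")" = "$expected" ]
}

# create_workstation_pair NAME CA_CRT CA_KEY: steps 2 to 5 with the password
# read from NAME.pwd instead of the interactive prompt.
create_workstation_pair() {
  name="$1"; ca_crt="$2"; ca_key="$3"
  # step 2: triple-DES encrypted private key
  openssl genrsa -des3 -passout "file:$name.pwd" -out "$name.key" 2048
  # step 3 (stash file): base64 of the password, then drop the clear file
  openssl base64 -in "$name.pwd" -out "$name.sth"
  # step 4: CSR with the workstation name as the distinguished name
  openssl req -new -key "$name.key" -passin "file:$name.pwd" \
    -subj "/CN=$name" -out "$name.csr" -config ./openssl.cnf
  # step 5: the CA signs the CSR
  openssl x509 -req -CA "$ca_crt" -CAkey "$ca_key" -days 365 \
    -in "$name.csr" -out "$name.crt" -CAcreateserial
  rm -f "$name.pwd"
}

# Usage: WS_KEY_PASSWORD=... sh mkcert.sh workstationname TWSca.crt TWSca.key
if [ $# -eq 3 ]; then
  write_password_file "$1.pwd" "${WS_KEY_PASSWORD:?set WS_KEY_PASSWORD}"
  check_password_file "$1.pwd" "$WS_KEY_PASSWORD"
  create_workstation_pair "$1" "$2" "$3"
fi
```

The resulting workstationname.key, workstationname.sth and workstationname.crt are the files listed for the local options below; workstationname.rnd from step 1 is created separately.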
The table below summarizes which of the files created during the process must be set as values for the workstation's local options.
Table 1. Files for Local Options
  Local option         File
  SSL key              workstationname.key
  SSL certificate      workstationname.crt
  SSL key pwd          workstationname.sth
  SSL ca certificate   TWSca.crt
  SSL random seed      workstationname.rnd