Self-signed certificates
This topic describes how to generate a self-signed root CA, issue inherited certificates, and use them in CIS.
Self-signed certificates are generated using OpenSSL 1.1.1.
Cloverleaf only supports the RSA key type.
Preconditions are:
- Ensure the rootca-openssl.cnf and Customer-openssl.cnf configuration files are under the current OpenSSL directory. By default, this is OpenSSL/bin.
- Ensure there are no remaining files from the previous certs generation under the current OpenSSL directory. By default, this is OpenSSL/bin.
- Generate a random file first. To do this, run the following in the OpenSSL shell:
OpenSSL> rand -base64 -out .rnd 100
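The procedure the page describes (seed file, self-signed root CA, a Customer CA certificate signed by that root) carried through end to end, as an added example; this is not Cloverleaf's own script. It assumes the openssl binary (1.1.1 or 3.x) is on PATH, writes constructed config files that mirror the rootca-openssl.cnf and Customer-openssl.cnf layout shown on this page, and uses a 2048-bit key rather than the page's default_bits of 1024. The work-directory name and the helper function names are choices made here.

```shell
#!/bin/sh
# Added example (not Cloverleaf's procedure): self-signed root CA, then a
# subordinate "Customer" CA certificate issued by it, then the checks a
# practitioner wants before loading the result into CIS.
# Assumes: openssl on PATH. Config contents below are constructed to mirror
# the page's rootca-openssl.cnf / Customer-openssl.cnf.
set -eu

# Write a config in the page's layout. $1 = directory, $2 = file name,
# $3 = CN, $4 = O. RANDFILE points at the seed file inside the directory
# so the commands work regardless of the current OpenSSL directory.
write_cnf() {
  cat > "$1/$2" <<EOF
RANDFILE = $1/.rnd
string_mask = pkix
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ req_distinguished_name ]
CN = $3
C = US
O = $4
[ v3_req ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nsCertType = client, sslCA
EOF
}

# Step 1: the seed file the page's precondition asks for.
make_rand_file() { openssl rand -base64 -out "$1/.rnd" 100; }

# Step 2: self-signed root CA (RSA key and certificate in one step).
# -extensions v3_req applies the CA extensions from the config section.
make_root_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -config "$1/rootca-openssl.cnf" -extensions v3_req \
    -keyout "$1/rootca.key" -out "$1/rootca.pem" 2>/dev/null
}

# Step 3: Customer CA request, then sign it with the root CA.
issue_customer_ca() {
  openssl req -new -nodes -newkey rsa:2048 \
    -config "$1/Customer-openssl.cnf" -reqexts v3_req \
    -keyout "$1/customer.key" -out "$1/customer.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/customer.csr" \
    -CA "$1/rootca.pem" -CAkey "$1/rootca.key" -CAcreateserial \
    -extfile "$1/Customer-openssl.cnf" -extensions v3_req \
    -out "$1/customer.pem" 2>/dev/null
}

# Checks: the issued certificate chains to the root, it really is a CA
# certificate, and the key type is RSA (the only type Cloverleaf supports).
verify_chain() { openssl verify -CAfile "$1/rootca.pem" "$1/customer.pem" >/dev/null 2>&1; }
is_ca_cert() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
key_algorithm() { openssl x509 -noout -text -in "$1" | sed -n 's/ *Public Key Algorithm: //p'; }

# Run all steps into one directory (created if missing).
build_demo_pki() {
  mkdir -p "$1"
  write_cnf "$1" rootca-openssl.cnf rootca ROOTCA
  write_cnf "$1" Customer-openssl.cnf Customer Customer
  make_rand_file "$1"
  make_root_ca "$1"
  issue_customer_ca "$1"
}

# Usage: sh this-script.sh ./demo-pki
if [ "$#" -gt 0 ]; then
  build_demo_pki "$1"
  verify_chain "$1" && echo "chain OK; key: $(key_algorithm "$1/customer.pem")"
fi
```

The private keys are written unencrypted (-nodes) so the run is non-interactive; in practice set restrictive permissions on the directory or encrypt the keys before they leave the machine that generated them.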
Root CA configuration file
This is a list of the root CA configuration file contents. These parameters are saved in the rootca-openssl.cnf file.
RANDFILE = .rnd
string_mask = pkix
[ req ]
# 1024-bit RSA is below current guidance (2048-bit minimum); raise this if your policy requires it.
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
prompt = no
# The key passphrase is stored here in clear text; restrict access to this file.
output_password = mypass
req_extensions = v3_req
[ req_distinguished_name ]
CN = rootca
C = US
L = Atlanta
ST = GA
O = ROOTCA
OU = Customer Support
# Extensions that mark the certificate as a CA able to sign certificates and CRLs.
[ v3_req ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nsCertType = client, sslCA
Customer CA configuration file
This is a list of the customer CA configuration file contents. These parameters are saved in the Customer-openssl.cnf file.
RANDFILE = .rnd
string_mask = pkix
[ req ]
# 1024-bit RSA is below current guidance (2048-bit minimum); raise this if your policy requires it.
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
prompt = no
# The key passphrase is stored here in clear text; restrict access to this file.
output_password = mypass
req_extensions = v3_req
[ req_distinguished_name ]
CN = Customer
C = US
L = Columbus
ST = OH
O = Customer
OU = Department
# Same CA extensions as the root: the customer certificate is itself a CA signed by the root.
[ v3_req ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nsCertType = client, sslCA