Self-signed certificates

This topic describes how to generate a self-signed root CA, issue certificates signed by it, and use them in CIS.

Self-signed certificates are generated using OpenSSL 1.1.1.

Cloverleaf only supports the RSA key type.

Preconditions are:

  • Ensure the rootca-openssl.cnf and Customer-openssl.cnf configuration files are under the current OpenSSL directory. By default, this is OpenSSL/bin.
  • Ensure there are no files left over from a previous certificate generation under the current OpenSSL directory. By default, this is OpenSSL/bin.
  • First, generate a random seed file:
    OpenSSL> rand -base64 -out .rnd 100

root CA configuration file

These are the contents of the root CA configuration file. They are saved in the rootca-openssl.cnf file.

    RANDFILE = .rnd
    string_mask = pkix

    [ req ]
    default_bits = 1024
    default_keyfile = keyfile.pem
    distinguished_name = req_distinguished_name
    prompt = no
    output_password = mypass
    req_extensions = v3_req

    [ req_distinguished_name ]
    CN = rootca
    C = US
    L = Atlanta
    ST = GA
    O = ROOTCA
    OU = Customer Support

    [ v3_req ]
    basicConstraints = critical, CA:true
    keyUsage = critical, keyCertSign, cRLSign
    nsCertType = client, sslCA

customer CA configuration file

These are the contents of the customer CA configuration file. They are saved in the Customer-openssl.cnf file.

    RANDFILE = .rnd
    string_mask = pkix

    [ req ]
    default_bits = 1024
    default_keyfile = keyfile.pem
    distinguished_name = req_distinguished_name
    prompt = no
    output_password = mypass
    req_extensions = v3_req

    [ req_distinguished_name ]
    CN = Customer
    C = US
    L = Columbus
    ST = OH
    O = Customer
    OU = Department

    [ v3_req ]
    basicConstraints = critical, CA:true
    keyUsage = critical, keyCertSign, cRLSign
    nsCertType = client, sslCA
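The preconditions and the two configuration files above, carried through end to end as an added example (this is not Cloverleaf's own tooling): the script regenerates both files, builds the self-signed root, signs the customer CA with it and runs the verification a deployer should perform before loading the files into CIS. It assumes an openssl binary (1.1.1 or later) on PATH and uses the non-interactive command line instead of the OpenSSL> prompt; all output file names are this example's own.

```shell
#!/bin/sh
# Added example: build the root CA and the customer CA described on this page.
# Assumes openssl 1.1.1+ on PATH; rootca.key/rootca.pem/customer.* are our names.
set -eu

# Emit one configuration file in the layout the page lists; the two files differ
# only in their distinguished-name values. Arguments: CN C L ST O OU.
write_cnf() {
    printf 'RANDFILE = .rnd\nstring_mask = pkix\n\n[ req ]\n'
    printf 'default_bits = 1024\n'   # page value; RSA-1024 is below current minimums
    printf 'default_keyfile = keyfile.pem\ndistinguished_name = req_distinguished_name\n'
    printf 'prompt = no\noutput_password = mypass\nreq_extensions = v3_req\n\n'
    printf '[ req_distinguished_name ]\nCN = %s\nC = %s\nL = %s\nST = %s\nO = %s\nOU = %s\n\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
    printf '[ v3_req ]\nbasicConstraints = critical, CA:true\n'
    printf 'keyUsage = critical, keyCertSign, cRLSign\nnsCertType = client, sslCA\n'
}

# Build rootca.pem (self-signed) and customer.pem (signed by the root) inside $1.
# Runs in a subshell so the cd does not leak into the caller.
make_ca_chain() (
    cd "$1"
    openssl rand -base64 -out .rnd 100                   # precondition from the page
    write_cnf rootca   US Atlanta  GA ROOTCA   'Customer Support' > rootca-openssl.cnf
    write_cnf Customer US Columbus OH Customer 'Department'       > Customer-openssl.cnf

    # Self-signed root. req_extensions only goes into CSRs, so the v3_req section
    # has to be selected with -extensions or the root is issued without CA:true.
    openssl req -new -x509 -days 3650 -config rootca-openssl.cnf -extensions v3_req \
        -keyout rootca.key -out rootca.pem

    # Customer CSR (its key is encrypted with output_password), then sign it with the
    # root key, copying the CA extensions from the customer file onto the certificate.
    openssl req -new -config Customer-openssl.cnf -keyout customer.key -out customer.csr
    openssl x509 -req -days 1825 -in customer.csr -CA rootca.pem -CAkey rootca.key \
        -passin pass:mypass -CAcreateserial \
        -extfile Customer-openssl.cnf -extensions v3_req -out customer.pem

    # Chain check: prints "customer.pem: OK" and exits 0 when the root signs it.
    openssl verify -CAfile rootca.pem customer.pem
)
```

The private keys are written encrypted with the `output_password` from the configuration, which is why `-passin` is needed when the root key signs the customer CSR.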