Generating an RSA key customer certificate
To generate a customer certificate request and sign it with the root CA:
- Generate a key pair for the customer CA with a key size of 2048:
  OpenSSL> genrsa -out Customer-keypair.pem 2048
- Generate the Customer cert request with the Customer-openssl.cnf config file:
  OpenSSL> req -config Customer-openssl.cnf -key Customer-keypair.pem -new -out Customer-req.pem
- Sign the certificate request with the root CA. The signature digest is sha512:
  OpenSSL> x509 -req -in Customer-req.pem -out Customer-cert.pem -extfile Customer-openssl.cnf -extensions v3_req -CA rootca-cert.pem -CAkey rootca-keypair.pem -CAcreateserial -days 365 -sha512
- Convert the Customer cert format from PEM to DER:
  OpenSSL> x509 -inform PEM -in Customer-cert.pem -outform DER -out Customer-cert.der
- Encrypt the Customer private key and convert its format from PEM to DER:
  OpenSSL> pkcs8 -topk8 -inform PEM -in Customer-keypair.pem -outform DER -out enc-Customer-key.der -passout pass:111111Aa -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
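The five steps above as a non-interactive script, followed by checks on what they produce: chain to the root CA, sha512 signature digest, DER/PEM match, key encryption PRF, and key/certificate match. This is an added example, not part of the original procedure; the throwaway root CA, the contents of Customer-openssl.cnf (including the `[root_ext]` section), the function names and the passphrase file are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not vendor code. Both functions take: $1 = working directory,
# $2 = absolute path of a file holding the key passphrase (used via file: so
# the passphrase stays out of the command line).

make_demo() (   # runs the five steps against a constructed throwaway root CA
    cd "$1" || exit 1
    # Constructed stand-in config; [root_ext] exists only for the demo root CA.
    cat > Customer-openssl.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = Customer Demo
[v3_req]
basicConstraints = CA:FALSE
[root_ext]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config Customer-openssl.cnf -extensions root_ext \
        -subj "/CN=Demo Root CA" -keyout rootca-keypair.pem -out rootca-cert.pem -days 1 2>/dev/null &&
    openssl genrsa -out Customer-keypair.pem 2048 2>/dev/null &&
    openssl req -config Customer-openssl.cnf -key Customer-keypair.pem -new -out Customer-req.pem &&
    openssl x509 -req -in Customer-req.pem -out Customer-cert.pem -extfile Customer-openssl.cnf \
        -extensions v3_req -CA rootca-cert.pem -CAkey rootca-keypair.pem -CAcreateserial \
        -days 365 -sha512 2>/dev/null &&
    openssl x509 -inform PEM -in Customer-cert.pem -outform DER -out Customer-cert.der &&
    openssl pkcs8 -topk8 -inform PEM -in Customer-keypair.pem -outform DER \
        -out enc-Customer-key.der -passout "file:$2" -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
)

check_artifacts() (   # prints OK, or the first failed check and returns 1
    cd "$1" || exit 1
    fail() { echo "$1"; exit 1; }
    openssl verify -CAfile rootca-cert.pem Customer-cert.pem >/dev/null 2>&1 ||
        fail "cert does not chain to root CA"
    openssl x509 -in Customer-cert.pem -noout -text |
        grep -q 'Signature Algorithm: sha512WithRSAEncryption' || fail "digest is not sha512"
    [ "$(openssl x509 -in Customer-cert.pem -noout -fingerprint -sha256)" = \
      "$(openssl x509 -inform DER -in Customer-cert.der -noout -fingerprint -sha256)" ] ||
        fail "DER and PEM certificates differ"
    openssl asn1parse -inform DER -in enc-Customer-key.der | grep -q ':hmacWithSHA512' ||
        fail "key file is not encrypted with the hmacWithSHA512 PRF"
    key_pub=$(openssl pkcs8 -inform DER -in enc-Customer-key.der -passin "file:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || fail "key does not decrypt"
    [ "$key_pub" = "$(openssl x509 -in Customer-cert.pem -noout -pubkey)" ] ||
        fail "private key does not match certificate"
    echo OK
)
```

Run `make_demo` and then `check_artifacts` on an empty scratch directory; against real output, call only `check_artifacts` in the directory that holds the root CA certificate and the generated files.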