The following is an example of how to create a public-private key pair using OpenSSL.
The CA certificate must contain the following extensions: the `CA:TRUE` basic constraint, and the digital signature and key certificate sign key usages.
Create a configuration file with the required CA extensions. This can usually be derived from `/etc/ssl/openssl.cnf`.
```
cp /etc/ssl/openssl.cnf ca.cnf
# Append the v3_ca section; printf interprets \n portably (bash's echo prints it literally)
printf '\n[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, digitalSignature, keyCertSign\n' >> ca.cnf
```
Here is an example `ca.cnf`:
```
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
emailAddress = Email Address

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
```
Create a private key for the CA (Certificate Authority).
```
openssl genrsa -out ca.key 2048
```
Generate a self-signed CA certificate.
The following command will prompt for the Distinguished Name (DN) parameters.
```
openssl req \
  -new \
  -x509 \
  -sha256 \
  -days 365 \
  -key ca.key \
  -out ca.crt \
  -config ca.cnf \
  -extensions v3_ca
```
Example prompt parameters:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:CA
Locality Name (eg, city) []:Sunnyvale
Organization Name (eg, company) []:JFrog Ltd
Organizational Unit Name (eg, section) []:JFrog Infra
Common Name (eg, fully qualified host name) []:JFrog Root CA
Email Address []:info@jfrog.com
```
Verify the generated CA certificate.
```
openssl x509 -in ca.crt -text -noout
```
Example result:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15701892499106404289 (0xd9e85409269b97c1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@jfrog.com
        Validity
            Not Before: Aug 28 15:57:05 2019 GMT
            Not After : Aug 27 15:57:05 2020 GMT
        Subject: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@jfrog.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:1e:36:48:ac:c1:e2:13:78:f6:24:46:a5:70:
                    6b:2a:a9:a0:33:dc:77:e9:b5:e8:52:bb:46:79:32:
                    7f:e6:64:d1:be:f4:ae:c0:95:ea:7b:cd:63:88:7f:
                    60:8f:2e:53:e6:7d:9c:cc:22:f6:41:91:04:4f:b1:
                    f4:1c:dc:74:89:a2:81:46:9c:66:72:83:40:a7:26:
                    3b:4b:f1:0d:6d:bc:b9:bd:1a:ae:81:0a:ab:37:96:
                    b0:f1:2b:9c:f4:18:a4:ae:45:d2:38:e6:9a:8f:7b:
                    2f:45:0b:70:ae:d9:25:d6:5c:b2:67:15:11:ab:7c:
                    e2:02:4c:b7:0c:15:2d:32:22:b3:f9:be:99:4d:28:
                    93:6d:37:a8:2e:8d:57:54:63:ec:0d:c3:96:f1:2a:
                    9c:6f:e0:d4:3c:23:98:31:6a:a4:76:52:64:2c:9b:
                    23:5d:e1:56:f4:43:13:12:c0:27:73:78:99:68:c3:
                    dc:b2:79:af:a3:98:09:d3:69:69:ca:64:18:8d:15:
                    8f:97:f8:27:14:e3:53:a7:af:ca:9b:2e:3d:6e:df:
                    3e:f6:d6:e3:ab:43:de:8c:25:32:61:e1:fe:6d:73:
                    e5:52:12:35:af:8a:dc:b3:d8:e1:88:ec:56:c3:3c:
                    a2:35:31:90:e4:6d:e2:9c:78:c6:6c:26:60:72:25:
                    08:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption
         26:6a:e9:2e:d0:00:8a:d6:f2:94:e8:50:c6:e0:1c:fc:76:70:
         0c:fe:1f:87:5a:01:d2:5c:77:29:fa:22:19:7f:8c:77:3b:c2:
         2d:f1:58:22:0c:c5:db:41:d5:c9:71:1b:33:b3:8b:a9:a8:79:
         df:35:92:6c:e2:3c:38:0c:af:8f:78:82:63:94:64:36:cd:4f:
         3a:8d:17:04:59:d1:c5:49:d0:3b:df:26:c4:b6:e0:7f:0a:ab:
         7a:e1:a5:8a:6b:36:8b:2a:6b:57:ea:57:fe:91:33:36:89:13:
         a1:a6:55:d6:fe:93:ab:8f:5f:88:1b:be:98:86:4f:52:9f:1b:
         ee:23:51:61:ce:17:b4:ed:cb:2f:7c:38:6f:9f:ac:e9:a6:43:
         74:1b:0c:94:e6:b3:3d:ee:d2:49:bb:84:19:e3:6b:d2:17:8c:
         17:c0:bd:59:ad:03:df:05:49:9b:4d:ea:d5:8d:6a:c0:1c:81:
         f2:ae:fa:20:b3:0b:a1:6f:87:6d:c2:a7:47:37:4d:76:57:d0:
         74:dc:8d:cb:57:f3:41:32:87:2e:52:3f:3d:e5:f3:66:83:f4:
         71:82:8b:54:1e:00:8d:7c:54:43:7e:93:7b:55:3a:36:d4:5e:
         ec:4f:87:9c:54:45:19:d8:7a:cd:71:df:6c:a4:7e:71:ed:fb:
         09:60:d0:eb
```
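To make the verification step scriptable, the following added example (not part of the original page) reads the `openssl x509 -text -noout` dump on stdin and fails unless both required extensions are present and marked critical. The function name `check_ca_extensions` and the two sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: validate the extension section of `openssl x509 -text -noout`
# output against the CA requirements on this page. Reads the dump on stdin:
#   openssl x509 -in ca.crt -text -noout | check_ca_extensions

# The body runs in a subshell, so helper variables do not leak into the caller.
check_ca_extensions() (
    text=$(cat)
    rc=0
    # In the text dump, each extension header is followed by its value line.
    bc=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints:' || true)
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage:' || true)

    fail() { echo "FAIL: $1" >&2; rc=1; }

    case $bc in
        *'Basic Constraints: critical'*) ;;
        *) fail 'basicConstraints missing or not marked critical' ;;
    esac
    case $bc in *CA:TRUE*) ;; *) fail 'basicConstraints is not CA:TRUE' ;; esac
    case $ku in
        *'Key Usage: critical'*) ;;
        *) fail 'keyUsage missing or not marked critical' ;;
    esac
    case $ku in *'Digital Signature'*) ;; *) fail 'keyUsage lacks digitalSignature' ;; esac
    case $ku in *'Certificate Sign'*) ;; *) fail 'keyUsage lacks keyCertSign' ;; esac
    [ "$rc" -eq 0 ]
)

# Constructed sample dumps (extension section only), so the script runs offline.
SAMPLE_CA='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign'
SAMPLE_LEAF='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

printf '%s\n' "$SAMPLE_CA" | check_ca_extensions && echo "sample CA: ok"
printf '%s\n' "$SAMPLE_LEAF" | check_ca_extensions || echo "sample leaf: rejected"
```

The check matches on OpenSSL's human-readable text layout, so treat a failure as a prompt to inspect the certificate by hand.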