Create a private-public key pair

JFrog Installation & Setup Documentation


The following is an example of how to create a public-private key pair using OpenSSL.

The CA certificate must contain the following extensions: the `CA:TRUE` basic constraint, and the digital signature and key certificate sign key usages.

  1. Create a configuration file with the required CA extensions. This can usually be derived from `/etc/ssl/openssl.cnf`.

    cp /etc/ssl/openssl.cnf ca.cnf
    
    # printf is used instead of echo: bash's built-in echo prints "\n" literally
    # unless -e is given, which would leave the section header on one corrupted line.
    printf '\n[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage  = critical, digitalSignature, keyCertSign\n' >> ca.cnf

    Here is an example `ca.cnf`:

    [ req ]
    distinguished_name  = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName        = Country Name (2 letter code)
    stateOrProvinceName     = State or Province Name (full name)
    localityName            = Locality Name (eg, city)
    0.organizationName      = Organization Name (eg, company)
    organizationalUnitName  = Organizational Unit Name (eg, section)
    commonName         = Common Name (eg, fully qualified host name)
    emailAddress            = Email Address
    
    [ v3_ca ]
    basicConstraints = critical, CA:TRUE
    keyUsage         = critical, digitalSignature, keyCertSign
  2. Create a private key for the CA (Certificate Authority).

    openssl genrsa -out ca.key 2048
  3. Generate a self-signed CA certificate.

    The following command will prompt for the Distinguished Name (DN) parameters.

    openssl req \
      -new \
      -x509 \
      -sha256 \
      -days 365 \
      -key ca.key \
      -out ca.crt \
      -config ca.cnf \
      -extensions v3_ca

    Example prompt parameters:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:CA
    Locality Name (eg, city) []:Sunnyvale
    Organization Name (eg, company) []:JFrog Ltd
    Organizational Unit Name (eg, section) []:JFrog Infra
    Common Name (eg, fully qualified host name) []:JFrog Root CA
    Email Address []:info@jfrog.com
  4. Verify the generated CA certificate.

    Example command:

    openssl x509 -in ca.crt -text -noout

    Example result:

    Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 15701892499106404289 (0xd9e85409269b97c1)
              Signature Algorithm: sha256WithRSAEncryption
                  Issuer: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@jfrog.com
                  Validity
                      Not Before: Aug 28 15:57:05 2019 GMT
                      Not After : Aug 27 15:57:05 2020 GMT
                  Subject: C=US, ST=CA, L=Sunnyvale, O=JFrog Ltd, OU=JFrog Infra, CN=JFrog Root CA/emailAddress=info@jfrog.com
                  Subject Public Key Info:
                      Public Key Algorithm: rsaEncryption
                          Public-Key: (2048 bit)
                          Modulus:
                              00:a3:1e:36:48:ac:c1:e2:13:78:f6:24:46:a5:70:
                              6b:2a:a9:a0:33:dc:77:e9:b5:e8:52:bb:46:79:32:
                              7f:e6:64:d1:be:f4:ae:c0:95:ea:7b:cd:63:88:7f:
                              60:8f:2e:53:e6:7d:9c:cc:22:f6:41:91:04:4f:b1:
                              f4:1c:dc:74:89:a2:81:46:9c:66:72:83:40:a7:26:
                              3b:4b:f1:0d:6d:bc:b9:bd:1a:ae:81:0a:ab:37:96:
                              b0:f1:2b:9c:f4:18:a4:ae:45:d2:38:e6:9a:8f:7b:
                              2f:45:0b:70:ae:d9:25:d6:5c:b2:67:15:11:ab:7c:
                              e2:02:4c:b7:0c:15:2d:32:22:b3:f9:be:99:4d:28:
                              93:6d:37:a8:2e:8d:57:54:63:ec:0d:c3:96:f1:2a:
                              9c:6f:e0:d4:3c:23:98:31:6a:a4:76:52:64:2c:9b:
                              23:5d:e1:56:f4:43:13:12:c0:27:73:78:99:68:c3:
                              dc:b2:79:af:a3:98:09:d3:69:69:ca:64:18:8d:15:
                              8f:97:f8:27:14:e3:53:a7:af:ca:9b:2e:3d:6e:df:
                              3e:f6:d6:e3:ab:43:de:8c:25:32:61:e1:fe:6d:73:
                              e5:52:12:35:af:8a:dc:b3:d8:e1:88:ec:56:c3:3c:
                              a2:35:31:90:e4:6d:e2:9c:78:c6:6c:26:60:72:25:
                              08:9f
                          Exponent: 65537 (0x10001)
                  X509v3 extensions:
                      X509v3 Basic Constraints: critical
                          CA:TRUE
                      X509v3 Key Usage: critical
                          Digital Signature, Certificate Sign
              Signature Algorithm: sha256WithRSAEncryption
                  26:6a:e9:2e:d0:00:8a:d6:f2:94:e8:50:c6:e0:1c:fc:76:70:
                  0c:fe:1f:87:5a:01:d2:5c:77:29:fa:22:19:7f:8c:77:3b:c2:
                  2d:f1:58:22:0c:c5:db:41:d5:c9:71:1b:33:b3:8b:a9:a8:79:
                  df:35:92:6c:e2:3c:38:0c:af:8f:78:82:63:94:64:36:cd:4f:
                  3a:8d:17:04:59:d1:c5:49:d0:3b:df:26:c4:b6:e0:7f:0a:ab:
                  7a:e1:a5:8a:6b:36:8b:2a:6b:57:ea:57:fe:91:33:36:89:13:
                  a1:a6:55:d6:fe:93:ab:8f:5f:88:1b:be:98:86:4f:52:9f:1b:
                  ee:23:51:61:ce:17:b4:ed:cb:2f:7c:38:6f:9f:ac:e9:a6:43:
                  74:1b:0c:94:e6:b3:3d:ee:d2:49:bb:84:19:e3:6b:d2:17:8c:
                  17:c0:bd:59:ad:03:df:05:49:9b:4d:ea:d5:8d:6a:c0:1c:81:
                  f2:ae:fa:20:b3:0b:a1:6f:87:6d:c2:a7:47:37:4d:76:57:d0:
                  74:dc:8d:cb:57:f3:41:32:87:2e:52:3f:3d:e5:f3:66:83:f4:
                  71:82:8b:54:1e:00:8d:7c:54:43:7e:93:7b:55:3a:36:d4:5e:
                  ec:4f:87:9c:54:45:19:d8:7a:cd:71:df:6c:a4:7e:71:ed:fb:
                  09:60:d0:eb
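The four steps above as one non-interactive script, with the verification in step 4 turned into a check that the certificate actually carries a critical `CA:TRUE` basic constraint and the two required key usages. This is an added example, not from the JFrog page; the subject values, the `CA_DIR` working directory and the `write_ca_cnf`, `create_ca` and `verify_ca_cert` function names are assumptions, and `openssl` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Non-interactive version of the CA key-pair procedure plus an extension check.
# Assumptions (not from the original page): CA_DIR is the work directory,
# the subject values are constructed, and openssl is installed.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Step 1: write a minimal ca.cnf. "prompt = no" makes openssl req read the
# DN from the file instead of asking for it interactively.
write_ca_cnf() {
  printf '%s\n' \
    '[ req ]' \
    'distinguished_name = req_distinguished_name' \
    'prompt = no' \
    '' \
    '[ req_distinguished_name ]' \
    'C  = US' \
    'ST = CA' \
    'L  = Sunnyvale' \
    'O  = Example Org' \
    'CN = Example Root CA' \
    '' \
    '[ v3_ca ]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage         = critical, digitalSignature, keyCertSign' \
    > "$CA_DIR/ca.cnf"
}

# Steps 2 and 3: RSA private key and self-signed CA certificate.
create_ca() {
  write_ca_cnf
  openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 \
    -key "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -config "$CA_DIR/ca.cnf" -extensions v3_ca
}

# Step 4 as a check: returns 0 only when the certificate has a critical
# CA:TRUE basic constraint and a critical keyUsage with both required bits.
verify_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -A1 'Basic Constraints: critical' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -A1 'Key Usage: critical' | grep -q 'Digital Signature, Certificate Sign' || return 1
  return 0
}

create_ca
verify_ca_cert "$CA_DIR/ca.crt" && echo "ca.crt carries the required CA extensions"
```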