Installation guide
OpenSSL Commands for Generating Certificates
Acano solution: Deployment Guide R1.2 76-1006-06-K
Appendix C OpenSSL Commands for Generating Certificates
OpenSSL can be used instead of the MMP pki commands in section 3 to generate private keys,
certificate signing requests and certificates.
1. Start by using the OpenSSL toolkit on your Windows PC or Linux machine to generate
an RSA private key and CSR (Certificate Signing Request).
This example creates a 2048-bit key:
openssl.exe genrsa -out <keyname>.key 2048
2. After the private key is generated, do one of the following:
a. Create a self-signed certificate straight from the private key and go on to step 4:
openssl.exe req -config openssl.cfg -new -x509 -key webserver.key -out webserver.crt -days 365
Note: Your installation may use openssl.cnf instead of openssl.cfg; if so substitute
openssl.cnf in the command above and in appropriate commands in this appendix.
b. Generate a Certificate Signing Request (and then go on to step 3), for example:
openssl.exe req -config openssl.cfg -new -key <name>.key -out <CSRname>.csr
During the generation of the CSR, you are prompted for several pieces of information.
Most importantly you will be asked for the Common Name: it is essential that this field
be filled in with the fully qualified domain name of the server to be protected by SSL. For
example, if the website to be protected will be https://server.example.com, then enter
server.example.com at this prompt. Failure to do this will result in browser certificate
errors.
3. Do one of the following:
a. Self-sign the CSR. The following example self-signs a certificate from the CSR that is
valid for 100 days:
openssl.exe x509 -req -days 100 -in webserver.csr -signkey webserver.key -out webserver.crt
b. Send the CSR to a Certificate Authority (CA), such as Verisign, which will verify the
identity of the requestor and issue a signed certificate. Follow steps i onwards to do this.
c. Send the CSR to a local or organizational Certificate Authority, such as an Active
Directory server with the Active Directory Certificate Services Role installed. Follow
steps i onwards to do this.
i. Transfer the certificate signing request to the CA server for signing
ii. Issue the following command in the command line management shell on the CA
server replacing the path and CSR name with your information:
certreq -submit -attrib "CertificateTemplate:WebServer" C:\Users\Administrator\Desktop\certcsr.pem
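
The following shell script is an added example, not part of the Acano guide: it runs step 1, step 2b and the self-sign option of step 3 without prompts, then checks that the CSR's Common Name is the expected FQDN and that the key, CSR and certificate all hold the same public key. It assumes openssl is on the PATH with its default configuration file; the function names, the -subj option used in place of the interactive prompts, and the host name are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the Acano guide. File names follow the guide's
# webserver.* examples; the host name and scratch directory are constructed.

# Steps 1, 2b and 3 (self-sign option) without interactive prompts.
make_selfsigned() {
    fqdn=$1; dir=$2
    # umask 077 keeps the private key readable by its owner only
    ( umask 077; openssl genrsa -out "$dir/webserver.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$dir/webserver.key" -subj "/CN=$fqdn" \
        -out "$dir/webserver.csr" &&
    openssl x509 -req -days 100 -in "$dir/webserver.csr" \
        -signkey "$dir/webserver.key" -out "$dir/webserver.crt" 2>/dev/null
}

# Print the Common Name recorded in a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_fp() {
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *) return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Succeed only if the CSR names the expected host and all three files
# carry the same public key.
check_bundle() {
    fqdn=$1; dir=$2
    cn=$(csr_cn "$dir/webserver.csr")
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' is not '$fqdn'" >&2; return 1; }
    k=$(pubkey_fp key "$dir/webserver.key") || return 1
    r=$(pubkey_fp csr "$dir/webserver.csr") || return 1
    c=$(pubkey_fp crt "$dir/webserver.crt") || return 1
    { [ "$k" = "$r" ] && [ "$k" = "$c" ]; } || { echo "public keys differ" >&2; return 1; }
}

# Demo run in a scratch directory.
tmp=$(mktemp -d) && make_selfsigned server.example.com "$tmp" &&
    check_bundle server.example.com "$tmp" && echo "key, CSR and certificate agree"
rm -rf "$tmp"
```

Running check_bundle on a CSR before it is sent to a CA catches a wrong Common Name or a CSR built from a different key while it is still cheap to regenerate.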