User's Manual
Procedure

Step 1
  Command or Action:
    openssl genrsa -out CA_keyfilename keysize
    Example:
    # openssl genrsa -out ca.key 1024
  Purpose:
    This command generates an RSA private key that will be used by the CA.
    Note: To allow the CA to access the key without user input, do not use
    the -des3 option for this command.
    The specified file name contains an RSA key of the specified key size.

Step 2
  Command or Action:
    openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename
    Example:
    # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  Purpose:
    This command generates a new self-signed certificate for the CA using the
    specified key. The certificate is valid for the specified period. The
    command prompts the user for additional certificate information.
    The certificate server is an active CA.

Step 3
  Command or Action:
    echo "nsCertType = server" > openssl.conf
    Example:
    # echo "nsCertType = server" > openssl.conf
  Purpose:
    This command adds a line to the OpenSSL configuration file to designate
    the certificate as a server-only certificate. This designation is a
    defense against a man-in-the-middle attack, in which an authorized client
    attempts to impersonate the server.
    The OpenSSL configuration file openssl.conf contains the statement
    "nsCertType = server".

Step 4
  Command or Action:
    openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename
    -set_serial 04 -CAkey CA_keyfilename -out server_certfilename
    -extfile openssl.conf
    Example:
    # openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04
    -CAkey ca.key -out myserver05.crt -extfile openssl.conf
  Purpose:
    This command directs the CA to use your CSR file to generate a server
    certificate.
    Your server certificate is contained in the output file.
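The four steps above run end to end, as an added example that is not part of the Cisco guide: it assumes openssl is on PATH, keeps the guide's file names (ca.key, ca.crt, csr.txt, myserver05.crt, openssl.conf), raises the key size from the guide's 1024 bits to 2048, generates a local server key and CSR in place of the one the CIMC would produce, and supplies subjects with -subj so nothing prompts; it then verifies the chain, the nsCertType value and the serial before the certificate would be uploaded.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Assumptions: openssl on PATH,
# 2048-bit keys instead of the guide's 1024, a locally generated CSR
# standing in for the CIMC's, and -subj to keep the run non-interactive.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# Step 1: CA private key. No -des3, so the CA can read it unattended.
openssl genrsa -out ca.key 2048 2>/dev/null

# Step 2: self-signed CA certificate, valid for 365 days.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
    -subj "/CN=Example Internal CA" 2>/dev/null

# Step 3: extension file that marks signed certificates as server-only.
echo "nsCertType = server" > openssl.conf

# Stand-in for the CSR the CIMC would generate (hypothetical host name).
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out csr.txt \
    -subj "/CN=cimc.example.test" 2>/dev/null

# Step 4: the CA signs the CSR and adds the extension from openssl.conf.
openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04 \
    -CAkey ca.key -out myserver05.crt -extfile openssl.conf 2>/dev/null

# Checks worth running before uploading the certificate to the CIMC.
# Prints "myserver05.crt: OK" when the certificate chains to ca.crt.
verify_chain() { openssl verify -CAfile ca.crt myserver05.crt; }

# Prints the Netscape Cert Type value from the signed certificate,
# which should read "SSL Server" if the -extfile step took effect.
cert_type() {
    openssl x509 -in myserver05.crt -noout -text \
        | grep -A1 "Netscape Cert Type" | tail -n1 | sed 's/^ *//'
}

# Prints the serial number as recorded; -set_serial 04 gives "serial=04".
serial() { openssl x509 -in myserver05.crt -noout -serial; }

verify_chain
cert_type
serial
```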
This example shows how to create a CA and to generate a server certificate signed by the new CA. These
commands are entered on a Linux server running OpenSSL.
# /usr/bin/openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.....++++++
e is 65537 (0x10001)
# /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Release 1.5
146 OL-28893-01
Managing Certificates
Creating a Self-Signed Certificate