Enter a display name in the Certificate Name field, and select the PEM certificate file you created previously. You can simply change the extension when uploading a certificate to prove possession, or you can use the following OpenSSL command:.
Select Save. Your certificate is shown in the certificate list with a status of Unverified. The verification process will prove that you own the certificate.
Select Generate Verification Code. For more information, see Prove Possession of a CA certificate. Copy the verification code to the clipboard. You must set the verification code as the certificate subject. Select the new certificate in the Certificate Details view. To find the PEM file, navigate to the certs folder. After the certificate uploads, select Verify. The CA certificate status should change to Verified.
Provide the Device ID that matches the subject name of your device certificates. To generate a client certificate, you must first generate a private key. The following command shows how to use OpenSSL to create a private key.
Create the key in the subca directory. Create a certificate signing request CSR for the key. You do not need to enter a challenge password or an optional company name. However, if you have a specific need to use another algorithm such as ECDSA , you can use that too, but be aware of the compatibility issues you might run into.
Note: In older versions of OpenSSL, if no key size is specified, the default key size of is used. Any key size lower than is considered unsecure and should never be used. For the passphrase, you need to decide whether you want to use one. If used, the private key will be encrypted using the specified encryption method, and it will be impossible to use without the passphrase. Because there are pros and cons with both options, it's important you understand the implications of using or not using a passphrase.
In this guide, we will not be using a passphrase in our examples. After deciding on a key algorithm, key size, and whether to use a passphrase, you are ready to generate your private key. This command generates a private key in your current directory named yourdomain. Even though the contents of the file might look like a random chunk of text, it actually contains important information about the key. The -noout switch omits the output of the encoded version of the private key.
The private key file contains both the private key and the public key. You can extract your public key from your private key file if needed. After generating your private key, you are ready to create your CSR. The CSR is created using the PEM format and contains the public key portion of the private key as well as information about you or your company. After entering the command, you will be asked series of questions.
Your answers to these questions will be embedded in the CSR. Answer the questions as described below:. Some of the above CSR questions have default values that will be used if you leave the answer blank and press Enter. If you want to leave a question blank without using the default value, type a ". Another option when creating a CSR is to provide all the necessary information within the command itself by using the -subj switch.
This command uses your private key file -key yourdomain. Instead of generating a private key and then creating a CSR in two separate steps, you can actually perform both tasks at once. This command generates a new private key -newkey using the RSA algorithm with a bit key length rsa without using a passphrase -nodes and then creates the key file with a name of yourdomain.
Let's start with how the file is structured. There is one additional caveat. Sometimes a key's value is expected to be a section name.
This means there is no finite list of possible sections that the parser understands. The "ca" section defines the way the CA acts when using the ca command to sign certificates. However, the only thing that should be in the CA section is the name of the default CA's section.
This "default" section to use can be overridden by passing -name to ca. This defines the section in the file to find the xv3 extensions to be added to signed certificates. When acting as a CA, we want to honor the extensions that are requested.
Note that you do not want copyall here as it's a security risk and should only be used if you really know what you're doing. These simply define the way that the name and certificate information are displayed to you for "confirmation" before signing a certificate and should be left as-is. The default digest algorithm - this can be left alone unless you know what you're doing - and whether or not to preserve the DN.
Preserving the DN is a site-specific thing: if you want all your certs to have the same DN order, than so "no" here and openssl will re-order the attributes in the DNs of CSRs to make them consistent. However, if you want to let people determind the order of their DN, set this to "yes. All fields listed as "supplied" must be present.
All fields listed as "optional" are allowed, but not required to be there.
0コメント