Help on creating root certificate. - Openssl


Thread: Help on creating root certificate.

  1. Help on creating root certificate.


    Hi,

    I am new to OpenSSL. I need to configure my application server with client
    authentication (user-based certificate authentication). To achieve this, I
    have configured my Tomcat server.xml with clientAuth="true". Currently I
    have created a client certificate and added it both to my application
    and to the browser.
    I have used the following commands to create certificates:

    * openssl genrsa -rand world.png -out ./output/ClientKey.key 1024
    * openssl req -new -key ./output/ClientKey.key -out ./output/ClientCsr.csr -config openssl.cnf
    * openssl x509 -req -days 999999 -in ./output/ClientCsr.csr -signkey ./output/ClientKey.key -out ./output/ClientCer.cer
      [ I have imported the generated ClientCer.cer into my application server truststore ].
    * openssl pkcs12 -export -clcerts -in ./output/ClientCer.cer -inkey ./output/ClientKey.key -out ./output/rameshj.p12 -name "rameshj"
      [ I have imported the generated rameshj.p12 into my browser ].


    It is working perfectly. But here I am required to import all the user-specific
    (common name) certificates into the server as well as the browsers. In other words, if my
    application supports 1000 users, then I need to import all 1000
    certificates into my server application truststore file. From a scalability
    point of view, I am planning to import just one root certificate
    into my server application, and the 1000 user certificates will be imported into
    1000 different user m/c browsers. But I don't know how to generate the root
    certificate and the other 1000 user certificates using openssl commands. Can you
    please help me generate a root certificate as well as user certificates?
    Thanks in advance for your help.

    Regards,
    Ramesh
    --
    View this message in context: http://www.nabble.com/Help-on-creati...p18458611.html
    Sent from the OpenSSL - User mailing list archive at Nabble.com.
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Help on creating root certificate.

    In your OpenSSL distribution, you should have gotten a script called
    either CA.pl or CA.sh. They automate the steps necessary to create a
    CA and to sign certificates with that CA. (It should be noted that it
    is NOT intended to do everything an actual CA needs to do, it is quite
    possibly the most minimal CA software in existence.)

    I should point out that you really do not want to use the same
    'world.png' file to seed the random number generator. If security is
    a financial concern, you should have your clients themselves generate
    the keys, and submit the CSRs. The way to do this depends on the
    browser, unfortunately, and it might be that it's not something that
    you can support. Alternatively, you can try using /dev/random or
    /dev/urandom (semantics being that one blocks when the estimated
    amount of entropy is low, the other continues generating low-entropy
    pseudorandom numbers even in that case and never blocks) if your
    platform supports them.

    -Kyle H

    On Mon, Jul 14, 2008 at 11:45 PM, rameshj wrote:

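The flow Kyle describes, as an added example that is not from the thread and not CA.pl: one root certificate for the server truststore, users generating their own keys and submitting only a CSR, and the CA signing each CSR with its own key. It assumes openssl 1.1.1 or later on PATH; the CA name, the user names rameshj and alice, and the PKCS#12 password "changeit" are constructed sample values.

```shell
# Added example, not from the thread: a minimal private CA with openssl(1), so the
# server truststore holds only ca.crt while each user gets a cert signed by it.
# Assumes openssl 1.1.1+ on PATH; WORK is a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Self-contained config: CA name, CA extensions, and the profile for user certs.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
# CA side, once: root key and self-signed root cert (default RNG; no -rand world.png).
make_root_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -days 3650 -out "$WORK/ca.crt" 2>/dev/null
}
# Client side, per user: the key stays with the user; only the CSR goes to the CA.
make_user_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}
# CA side, per user: sign with the CA key (-signkey would only self-sign); v3_user sets CA:FALSE.
sign_user_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_user \
        -out "$WORK/$1.crt" 2>/dev/null
}
# Client side: bundle key and cert for browser import; password comes from the environment.
export_p12() {
    P12_PASS="${P12_PASS:-changeit}" openssl pkcs12 -export -in "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -name "$1" -passout env:P12_PASS -out "$WORK/$1.p12"
}
# What the server's truststore check amounts to: does the user cert chain to ca.crt?
verify_user_cert() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
make_root_ca
for u in rameshj alice; do make_user_csr "$u"; sign_user_csr "$u"; export_p12 "$u"; done
verify_user_cert rameshj && verify_user_cert alice && echo "both chain to $WORK/ca.crt"
```

Only ca.crt goes into the Tomcat truststore; a new user needs a new CSR signed, not a truststore change.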


  3. Re: [Possible SPAM] Re: Help on creating root certificate.

    Hi Kyle,

    Thanks for your help. Yes, I found the CA.pl in my OpenSSL
    distribution. Also I found some useful information at the following URL:
    http://security.leisink.org/openssl

    Thanks for your security concern about world.png. I understand; I'll use
    /dev/random instead of world.png. We are planning to leave the
    creation of the CA root certificate & user certificates to our customers, so
    they can create them with their own security levels. I am going to use these
    certificates for testing purposes. They'll not be part of production.

    Thanks,
    Ramesh


    Kyle Hamilton wrote:



