author | Pat Downey <patd@symbian.org> |
Wed, 01 Sep 2010 12:22:02 +0100 | |
branch | RCL_3 |
changeset 66 | 8b7f4e561641 |
parent 0 | ba25891c3a9e |
permissions | -rw-r--r-- |
0
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
1 |
This file replaces the old generate_certs.bat, which provided incorrect information. |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
2 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
3 |
To generate certificate chains using the existing roots, you must issue some subset of the following commands: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
4 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
5 |
For DSA Key pairs, first generate a set of DSA key parameters: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
6 |
# openssl dsaparam -out dsaparam.pem 512 |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
7 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
8 |
Next, generate a certificate request: (this assumes you are using one of the existing config files) |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
9 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
10 |
For DSA Certificates: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
11 |
# openssl req -newkey dsa:dsaparams.pem -nodes -out dsa.req -keyout dsa.key -config dsa.config -days 3650 |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
12 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
13 |
For RSA Certificates: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
14 |
# openssl req -newkey rsa:512 -nodes -out rsa.req -keyout rsa.key -config rsa.config -days 3650 |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
15 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
16 |
Finally, generate a signed certificate from the request: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
17 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
18 |
# openssl x509 -req -in <request file> -out cert.cer -CA <signing certificate> -CAKey <signing key> -CASerial cert.srl -CAcreateserial -days 3650 -extfile <config file> -extensions v3_ca |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
19 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
20 |
For intermediate certificates for use in SWIS, the extensions must be present as defined in this config section: |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
21 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
22 |
[v3_ca] |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
23 |
subjectKeyIdentifier=hash |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
24 |
authorityKeyIdentifier=keyid:always,issuer:always |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
25 |
basicConstraints=critical,CA:TRUE, pathlen:5 |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
26 |
keyUsage=critical,keyCertSign |
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
27 |
|
ba25891c3a9e
Revision: 200949
Dremov Kirill (Nokia-D-MSW/Tampere) <kirill.dremov@nokia.com>
parents:
diff
changeset
|
28 |
If these extensions are not present, and installation signed with the resulting certificate as anything other than the end entity will fail. |