installationservices/swi/test/tsisfile/data/signedsis/Howto generate certificate chains.txt
This file replaces the old generate_certs.bat, which provided incorrect information.

To generate certificate chains using the existing roots, you must issue some subset of the following commands:

For DSA key pairs, first generate a set of DSA key parameters:
# openssl dsaparam -out dsaparam.pem 512

Next, generate a certificate request (this assumes you are using one of the existing config files):

For DSA certificates:
# openssl req -newkey dsa:dsaparam.pem -nodes -out dsa.req -keyout dsa.key -config dsa.config -days 3650

For RSA certificates:
# openssl req -newkey rsa:512 -nodes -out rsa.req -keyout rsa.key -config rsa.config -days 3650

Finally, generate a signed certificate from the request:

# openssl x509 -req -in <request file> -out cert.cer -CA <signing certificate> -CAkey <signing key> -CAserial cert.srl -CAcreateserial -days 3650 -extfile <config file> -extensions v3_ca

For intermediate certificates for use in SWIS, the extensions must be present as defined in this config section:

[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=critical,CA:TRUE, pathlen:5
keyUsage=critical,keyCertSign

If these extensions are not present, any installation signed with the resulting certificate as anything other than the end entity will fail.
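
One way to confirm that a generated intermediate carries the [v3_ca] extensions before it is used for signing, as an added example that is not part of the original file. The function name check_v3_ca is hypothetical, it reads the text dump produced by `openssl x509 -noout -text` on stdin, and both sample dumps are constructed.

```shell
# check_v3_ca (hypothetical name) lists the [v3_ca] items missing from a certificate.
# Use: openssl x509 -in cert.cer -noout -text | check_v3_ca
check_v3_ca() {
    awk '
        /X509v3 Subject Key Identifier:/   { ski = 1 }
        /X509v3 Authority Key Identifier:/ { aki = 1 }
        /X509v3 Basic Constraints:/ { bc_crit = ($0 ~ /critical/); sect = "bc"; next }
        /X509v3 Key Usage:/         { ku_crit = ($0 ~ /critical/); sect = "ku"; next }
        /X509v3 |Signature Algorithm:/ { sect = "" }  # another header ends the value lines
        sect == "bc" && /CA:TRUE/          { ca = 1 }
        sect == "ku" && /Certificate Sign/ { sign = 1 }
        END {
            if (!ski)               { print "missing: subjectKeyIdentifier"; bad = 1 }
            if (!aki)               { print "missing: authorityKeyIdentifier"; bad = 1 }
            if (!(bc_crit && ca))   { print "missing: critical basicConstraints with CA:TRUE"; bad = 1 }
            if (!(ku_crit && sign)) { print "missing: critical keyUsage with keyCertSign"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: extensions of an intermediate issued with -extensions v3_ca.
sample_ca_text() {
    cat <<'EOF'
            X509v3 Subject Key Identifier:
                11:22:33:44
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:5
            X509v3 Key Usage: critical
                Certificate Sign
EOF
}

# Constructed sample: an end-entity certificate, unusable as an intermediate.
sample_leaf_text() {
    cat <<'EOF'
            X509v3 Subject Key Identifier:
                55:66:77:88
            X509v3 Authority Key Identifier:
                keyid:11:22:33:44
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
EOF
}
sample_ca_text | check_v3_ca && echo "CA sample: all v3_ca extensions present"
sample_leaf_text | check_v3_ca || echo "leaf sample: not usable as an intermediate"
```

The function returns non-zero when any requirement is missing, so it can gate a script that builds the test chains.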