Follow this procedure to generate the certificates on Linux servers that are not AES servers. Import the generated certificates into AES from the AE Services Management Console or the command line interface (CLI).
Procedure
Change directories to the certificates home directory, for example: cd /certificates
Create the CA key by running the following command:
openssl genrsa -des3 -out cakey.pem 2048
You will be asked for a password to encrypt the CA root key, and then asked to enter that password again as verification. The key will be encrypted using Triple DES (the -des3 option). You will be asked for this password again when signing the CSR. The size of the key will be 2048 bits. The key will be saved to the file cakey.pem.
Run the following command to create the CA public certificate signed by the CA key:
You will be asked for the CA root key password. The public CA certificate will expire in 10 years. To change the expiration, modify the -days option. The certificate will be saved in the file cacert.pem. The openssl.cnf file will be used to apply some configuration values. You will be asked to enter information that will be incorporated into your certificate request. Leave the Email Address field blank.
An example:
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CO
Locality Name (eg, city) [Newbury]:Denver
Organization Name (eg, company) [My Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:YourCompanyName Root CA
Email Address []:
Move the generated CA root key to the CA/private directory: mv cakey.pem ./CA/private/
Move the generated CA public certificate to the CA directory: mv cacert.pem ./CA/
You can view the contents of the CA public certificate with the following command:
openssl x509 -in ./CA/cacert.pem -text -noout
Note:
Your CA is now configured and ready to issue certificates. This CA can be used to create all your AE Services server certificates. Only the CA certificate needs to be imported into your clients' trust certificate store.
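The procedure above as a non-interactive script, followed by checks worth running before the new CA is trusted; this is an added example, not Avaya's own tooling. The passphrase, the minimal openssl.cnf and the openssl req command line are assumptions (the page does not show its CA-certificate command), and the function names build_ca and check_ca are hypothetical.

```shell
#!/bin/sh
# Added example; passphrase, subject and config below are constructed values.
CA_PASS='constructed-demo-passphrase'; export CA_PASS

build_ca() (                       # $1 = certificates home directory
  cd "$1" || exit 1
  umask 077                        # key and CA/private are owner-only from creation
  mkdir -p CA/private || exit 1
  # Minimal stand-in for the openssl.cnf the procedure mentions (assumption).
  cat > openssl.cnf <<'EOF' || exit 1
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = US
ST = CO
L = Denver
O = Your Company Name
OU = IT
CN = YourCompanyName Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # CA key as in the procedure; the passphrase is read from the environment.
  openssl genrsa -des3 -passout env:CA_PASS -out cakey.pem 2048 2>/dev/null || exit 1
  # Self-signed CA certificate; 3650 days matches the stated 10-year lifetime.
  openssl req -config openssl.cnf -new -x509 -days 3650 \
    -key cakey.pem -passin env:CA_PASS -out cacert.pem || exit 1
  mv cakey.pem CA/private/ && mv cacert.pem CA/
)

check_ca() (                       # exit status 0 only if every check passes
  cd "$1" || exit 1
  key=CA/private/cakey.pem; crt=CA/cacert.pem
  grep -q ENCRYPTED "$key" || exit 1                          # key is passphrase-protected
  [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || exit 1 # owner-only permissions
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || exit 1
  openssl x509 -in "$crt" -noout -checkend $((3649 * 86400)) >/dev/null || exit 1
  c=$(openssl x509 -in "$crt" -noout -modulus)
  k=$(openssl rsa -in "$key" -passin env:CA_PASS -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]                              # key matches certificate
)

d=$(mktemp -d) && build_ca "$d" && check_ca "$d" && echo "CA checks passed in $d"
```
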