Ubuntu
openssl package

Comment 6 for bug 1828215

Revision history for this message

Tim Wegener (tim.embertec) wrote on 2019-05-08:

Here's a recipe for generating a CA directory for testing.
It assumes you have already generated a CA key and cert.

touch $CA_DIR/index.txt
echo '1000' > $CA_DIR/serial
echo '1000' > $CA_DIR/crlnumber
mkdir -m 700 $CA_DIR/newcerts
mkdir -m 700 $CA_DIR/private
mkdir $CA_DIR/certs

cp $CA_KEY $CA_DIR/private/ca_key.pem
chmod 600 $CA_DIR/private/ca_key.pem

cp $CA_CERT $CA_DIR/certs/ca_cert.pem

Those paths need to correspond to those set in the "[ CA_default ]" section of the openssl.cnf file.

E.g.

[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = somedir/ca_dir # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/certs/ca_cert.pem
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca_key.pem
RANDFILE = $dir/.rand # private random number file

The initial crl file can be generated like so:

cat ca_key_passphrase_file.txt | openssl ca -gencrl -out $CA_DIR/crl.pem -config /path/to/test.openssl.cnf -passin stdin

Use 'openssl req' to generate the cert request private key.
Use 'openssl spkac' to generate the spkac cert request data.

Ubuntuopenssl package

Comment 6 for bug 1828215

Ubuntu
openssl package