Setting up the OpenSSL certification authority
In our example, the certificates for VPN IPSec authentication are generated using the DemoCA included with OpenSSL. Here, OpenSSL version 0.9.8g is used. To set up the certification authority and generate the certificates, the CA.sh script included with OpenSSL is used (found on Debian under /usr/lib/ssl/misc/CA.sh). The command for setting up a new certification authority, CA.sh -newca, need only be executed once. On the basis of this certification authority, the user certificates are generated and exported in PKCS#12 format.

If the OpenSSL standard settings (openssl.cnf) are used, a demoCA directory is created when setting up a new certification authority; this directory contains the following:
| File or directory | Contents |
| --- | --- |
| private/cakey.pem | private key of the certification authority (CA) |
| cacert.pem | self-signed certificate of the certification authority (CA) |
| index.txt | list of previously issued certificates |
|  | serial number for the next certificate to be issued |
| newcerts | directory for issued certificates |
The following provides an example of setting up a new certification authority using OpenSSL, that is, with the script CA.sh -newca:
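As an added example (not the manual's own CA.sh transcript), the following POSIX shell script recreates with plain openssl commands the steps that CA.sh -newca performs, creating the demoCA layout listed above, and then issues a user certificate from that CA and exports it in PKCS#12 format for the VPN peer. The directory name demoCA, the subjects, the file names alice.* and the passphrase "changeit" are assumptions; the CA key is deliberately restricted to the CA operator and the CA certificate is marked as a CA with keyCertSign only.

```shell
# Added example (not from the bintec elmeg manual): recreates the demoCA layout that
# "CA.sh -newca" produces with plain openssl commands, issues one user certificate and
# exports it as PKCS#12. Directory names, subjects and passphrase "changeit" are assumed.
set -eu

# Build the certification authority in directory $1.
setup_demo_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  chmod 700 "$dir/private"                      # only the CA operator may read the key
  : > "$dir/index.txt"; echo 01 > "$dir/serial" # issued-certificate list, next serial
  # Minimal stand-in for the [CA_default] section of the stock openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
    -config "$dir/ca.cnf" -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Issue a user certificate for $2 from the CA in $1, export it as $2.p12 and verify it.
issue_user_p12() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -config "$dir/ca.cnf" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl ca -batch -config "$dir/ca.cnf" -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -certfile "$dir/cacert.pem" \
    -name "$name" -passout pass:changeit -out "$name.p12"
  openssl verify -CAfile "$dir/cacert.pem" "$name.crt"   # prints "<name>.crt: OK"
}
```

After issue_user_p12 runs, demoCA/index.txt lists the new certificate and demoCA/serial has advanced to the next serial number, exactly as the table above describes; the user's private key is unencrypted on disk only until the .p12 bundle has been created, so delete the .key and .csr files once the bundle has been handed over.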
Copyright © Version 01/2020 bintec elmeg GmbH