Lab 8: Generating Certificates

For this lab you will generate two certificates. The first is a self-signed certificate. The second will be signed by the first. The process may be more involved than you expect, because each step enforces one of the certificate system's rules.

Part 1: Create Your Own Certificate Authority
In order to sign certificates you must have a Certificate Authority. That's just a self-signed certificate whose private key is used to sign other certificates. The following UNIX commands will generate a CA:

# This command generates a 2048-bit RSA key pair. The private key is stored in authority.key,
# encrypted with 3DES under a passphrase you are prompted for.
openssl genrsa -des3 -out authority.key 2048

# This command generates a certificate signing request (CSR) and stores it in authority.csr.
# Note: When prompted, give your CA a name and address (its Distinguished Name)!
openssl req -new -key authority.key -out authority.csr

# This command self-signs your certificate request with the authority key and issues a self-signed
# certificate, valid for 365 days, called authority.crt
openssl x509 -req -days 365 -in authority.csr -signkey authority.key -out authority.crt

Now you have two important files.
  1. authority.key - This file contains your PRIVATE key and must stay a secret. The private key is what signs certificates.
  2. authority.crt - This is the certificate of the signing authority. It carries the CA's public key and is what you hand to anyone who needs to verify certificates you issue.

Part 2: Request and Sign a Company Certificate
Now you are playing the role of an organization that wants to have a certificate issued. Your organization generates a key and certificate request and sends the request to a CA for a signature. The first step is to generate a key pair:

openssl genrsa -des3 -out company.key 2048

# Note: When prompted, give your company a name and address!
openssl req -new -key company.key -out company.csr

Now that you have your certificate request, you can sign it with your CA key. Only the request (the public key and the company's name) goes to the CA; company.key never leaves the company.

# -CAcreateserial creates authority.srl, the file in which the CA tracks the serial numbers it has issued
openssl x509 -req -days 360 -in company.csr -CA authority.crt -CAkey authority.key -CAcreateserial -out company.crt

You should now have a certificate called company.crt, signed by your CA.
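The whole lab, Part 1 and Part 2 together, as an added example that is not part of the original lab text: a POSIX shell script that runs the same openssl commands non-interactively (-subj and -passin/-passout stand in for the interactive prompts) and then checks with openssl verify that company.crt really chains to authority.crt. It assumes an openssl binary and mktemp on PATH; the passphrases, directory names and the "Lab CA" / "Lab Company" subject names are constructed for the lab. It goes one step beyond the commands above by passing an extension file to each signing command: the CA certificate is marked basicConstraints CA:TRUE with keyUsage keyCertSign, which a bare "x509 -req -signkey" does not add and which verifiers look for before accepting a certificate as a CA, and the company certificate is marked CA:FALSE so it cannot be used to issue further certificates.

```shell
#!/bin/sh
# Added example for this lab (not part of the original text): Part 1 and Part 2
# run non-interactively, then verified. Assumes openssl and mktemp on PATH.
# Passphrases and subject names below are constructed for the lab.

CA_PASS="constructed-ca-passphrase"        # constructed: protects authority.key
CO_PASS="constructed-company-passphrase"   # constructed: protects company.key

# Part 1: create the Certificate Authority in directory $1.
# ca.ext marks the certificate as a CA and limits its key to signing
# certificates and CRLs; without it the CA flag is absent from authority.crt.
make_ca() {
    dir="$1"
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/authority.key" 2048 &&
    openssl req -new -key "$dir/authority.key" -passin "pass:$CA_PASS" \
        -subj "/C=US/O=Lab CA/CN=Lab Root CA" -out "$dir/authority.csr" &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext" &&
    openssl x509 -req -days 365 -in "$dir/authority.csr" -signkey "$dir/authority.key" \
        -passin "pass:$CA_PASS" -extfile "$dir/ca.ext" -out "$dir/authority.crt"
}

# Part 2a: the organization generates its own key pair and request in $1.
# The CA never sees company.key; only the request (public key + name) travels.
make_request() {
    dir="$1"
    openssl genrsa -des3 -passout "pass:$CO_PASS" -out "$dir/company.key" 2048 &&
    openssl req -new -key "$dir/company.key" -passin "pass:$CO_PASS" \
        -subj "/C=US/O=Lab Company/CN=www.lab-company.test" -out "$dir/company.csr"
}

# Part 2b: the CA signs the request. -CAcreateserial writes authority.srl so
# issued serial numbers are tracked. leaf.ext marks the result as an end-entity
# certificate (CA:FALSE) that cannot itself issue certificates.
sign_request() {
    dir="$1"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:www.lab-company.test\n' \
        > "$dir/leaf.ext" &&
    openssl x509 -req -days 360 -in "$dir/company.csr" -CA "$dir/authority.crt" \
        -CAkey "$dir/authority.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/company.crt"
}

build_chain() { make_ca "$1" && make_request "$1" && sign_request "$1"; }

# Exit status 0 only if $2 carries a valid signature from the CA in $1, that CA
# is permitted to sign, and the validity dates hold. Output is suppressed; the
# exit status is the result.
verify_against() {   # $1 = CA certificate file, $2 = certificate under test
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_chain() { verify_against "$1/authority.crt" "$1/company.crt"; }

# Print the issuer DN of a certificate, to confirm who signed company.crt.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Stand-alone demo: build and verify the chain in a scratch directory.
WORK="$(mktemp -d)"
if build_chain "$WORK" >/dev/null 2>&1 && verify_chain "$WORK"; then
    echo "company.crt verifies against authority.crt in $WORK"
    issuer_of "$WORK/company.crt"
else
    echo "chain build or verification failed (is openssl installed?)" >&2
fi
```

verify_against is the check worth keeping around after the lab: a certificate issued by one CA does not verify against another CA's certificate, even when the two CAs use identical names, because the signature is over the issuer's key, not its name. Running build_chain twice into two directories and cross-checking them shows this directly.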

