Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

How do I set up my own certificate authority

843811Dec 19 2005 — edited Feb 19 2008
I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.

I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).

I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.

At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?

If you know of an URL where this is well explained and illustrated, great. Give that to me.

Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).

Any assistance would be appreciated.

Thanks,

Ted

========failed attempt=====================

# Generation of Certificate Authority(CA)

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf



# Create server request and key

openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf

# Remove the passphrase from the key

openssl rsa -in server-key.pem -out server-key.pem

# Sign server cert

openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf

# Create client request and key

openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf

# Remove a passphrase from the key

openssl rsa -in client-key.pem -out client-key.pem

# Sign client cert

openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf
Comments
Locked Post
New comments cannot be posted to this locked post.
Post Details
Locked on Mar 18 2008
Added on Dec 19 2005
#other-security-apis-tools-and-issues
8 comments
778 views