Loading ...
Loading ...
Loading ...
33
3. System Configuration
Prepare a USB Drive and Create the X.509 Certificate and Private Key
• Generate the CA certificate so the client and server Certificate Signing Requests (CSRs) can be signed.
# cp /etc/ssl/openssl.cnf .
# mkdir -p exampleCA/newcerts
# echo 00 > exampleCA/serial
# echo 00 > exampleCA/crlnumber
# touch exampleCA/index.txt
# openssl genrsa -out ca.key 8192
# openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem \
-subj /CN=ExampleCA
# cp demoCA/cacert.pem ca-bundle.crt
Note: This procedure generates a certificate called ExampleCA, but any allowed certificate name can be used. Also, this procedure uses
openssl ca. If your organization has an enterprise-wide, secure CA generation process, that should be used instead.
• Generate the server certificate.
# openssl genrsa -out server.key 4096
# openssl req -new -key server.key -out server.csr -subj /CN=demo.example.com
# openssl ca -days 365 -in server.csr -out server.crt \
-keyfile ca.key -policy policy_anything -batch -notext
Note: The hostname or IP address must be the same string as will be used in the serving URL. In the example above, the hostname is
demo.example.com.
• Generate the client certificate.
# openssl genrsa -out client.key 4096
# openssl req -new -key client.key -out client.csr -subj /CN=ExampleClient
# openssl ca -days 365 -in client.csr -out client.crt \
-keyfile ca.key -policy policy_anything -batch -notext
# cat client.key client.crt > client.pem
• Format a USB flash drive as a single FAT32 volume.
• Move the client.pem and ca-bundle.crt files onto the flash drive’s root directory.
Loading ...
Loading ...
Loading ...