Generating Certificates Using OpenSSL

The following steps should be run on a Linux server with OpenSSL installed to generate the X509v3 certificates.

$ mkdir certs crl newcerts private
$ touch index.txt
$ echo "01" > serial
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/C=US/ST=NC/L=Raleigh/O=Extr/OU=Exos/CN=CA-EXOS/emailAddress=ca-exos@extremenetworks.com" -keyout exosCAkey.pem -out exosCAcert.crt
Generating a 2048 bit RSA private key
.+++
.................................................+++
writing new private key to 'exosCAkey.pem'
-----

$ openssl x509 -in exosCAcert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17387834014905383023 (0xf14dfee96fe3b86f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NC, L=Raleigh, O=Extr, OU=Exos, CN=CA-EXOS/emailAddress=ca-exos@extremenetworks.com
        Validity
            Not Before: Oct 20 07:12:47 2016 GMT
            Not After : Oct 20 07:12:47 2017 GMT
        Subject: C=US, ST=NC, L=Raleigh, O=Extr, OU=Exos, CN=CA-EXOS/emailAddress=ca-exos@extremenetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FB:04:BC:52:1B:92:1C:80:8D:81:E0:D7:3E:16:91:59:D0:90:19:D8
            X509v3 Authority Key Identifier:
                keyid:FB:04:BC:52:1B:92:1C:80:8D:81:E0:D7:3E:16:91:59:D0:90:19:D8

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign
    Signature Algorithm: sha256WithRSAEncryption

The next steps create an X509v3 certificate for a user, signed by the CA certificate "exosCAcert.crt" generated above.

The following command generates a user certificate signing request with a 2048-bit RSA key and the commonName "exos-admin":

$ openssl req -nodes -days 365 -newkey rsa:2048 -new -subj "/C=US/ST=NC/L=Raleigh/O=Extr/OU=Exos/CN=exos-admin/emailAddress=exos-admin@extremenetworks.com" -keyout exos-admin-key.pem -out exos-admin-req.csr
Generating a 2048 bit RSA private key
.............................................+++
......................................+++
writing new private key to 'exos-admin-key.pem'

The following command signs the user certificate signing request generated in the preceding step with the CA certificate "exosCAcert.crt":

$ openssl ca -config openssl.cnf -extensions usr_cert -days 365 -keyfile exosCAkey.pem -cert exosCAcert.crt -in exos-admin-req.csr -out exos-admin-cert.crt
Using configuration from openssl_A.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 20 07:39:04 2016 GMT
            Not After : Oct 20 07:39:04 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = NC
            organizationName          = Extr
            organizationalUnitName    = Exos
            commonName                = exos-admin
            emailAddress              = exos-admin@extremenetworks.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                EE:A8:8F:6D:00:CA:93:57:22:E6:1F:DF:43:B4:91:E9:DE:B8:9F:D3
            X509v3 Authority Key Identifier:
                keyid:FB:04:BC:52:1B:92:1C:80:8D:81:E0:D7:3E:16:91:59:D0:90:19:D8
                DirName:/C=US/ST=NC/L=Raleigh/O=Extr/OU=Exos/CN=CA-EXOS/emailAddress=ca-exos@extremenetworks.com
                serial:F1:4D:FE:E9:6F:E3:B8:6F

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            Authority Information Access:
                OCSP - URI:http://ocspserver.extremenetworks.com:2561

Certificate is to be certified until Oct 20 07:39:04 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
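The steps above as one non-interactive script, added here as an example and not taken from the page or from Extreme Networks. It supplies a minimal openssl.cnf (assumed; the page does not show its file) whose CA_default section points at the directory layout created in the first step, which is what "openssl ca -config openssl.cnf -extensions usr_cert" needs, runs the CA, CSR and signing steps with -batch, and then checks that the issued certificate chains to the CA, is not itself a CA and carries the client-authentication EKU. The subjects are shortened to a CN only and the work is done in a temporary directory.

```shell
# Added example, not code from the page: the minimal openssl.cnf the page's "openssl ca" step
# needs, the three steps run non-interactively, and a check of the result.
set -eu
# Recreate the page's CA layout (certs crl newcerts private, index.txt, serial "01") in a temp dir.
setup_ca_dir() {
    cd "$(mktemp -d)" && mkdir certs crl newcerts private && touch index.txt && echo "01" > serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
authorityInfoAccess = OCSP;URI:http://ocspserver.extremenetworks.com:2561
EOF
}
# Step 1: self-signed CA; step 2: user key and CSR; step 3: sign it (-batch answers the y/n prompts).
issue_user_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config openssl.cnf -subj "/CN=CA-EXOS" \
        -keyout private/exosCAkey.pem -out exosCAcert.crt 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf -subj "/CN=exos-admin" \
        -keyout exos-admin-key.pem -out exos-admin-req.csr 2>/dev/null
    openssl ca -batch -notext -config openssl.cnf -extensions usr_cert -days 365 -keyfile private/exosCAkey.pem \
        -cert exosCAcert.crt -in exos-admin-req.csr -out exos-admin-cert.crt 2>/dev/null
}
# Check before deploying: chains to the CA, is not itself a CA, and carries the client-auth EKU (exit 0 = pass).
verify_user_cert() {
    openssl verify -CAfile exosCAcert.crt exos-admin-cert.crt 2>&1 | grep -q ': OK' || return 1
    text=$(openssl x509 -in exos-admin-cert.crt -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' && printf '%s\n' "$text" | grep -q 'TLS Web Client Auth' || return 1
}
setup_ca_dir && issue_user_cert && verify_user_cert
```

After the run, newcerts/01.pem holds the issued certificate and index.txt carries its "V" (valid) record, which is the state the page's "Data Base Updated" message refers to.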