Configuring Java CAPS for SSL Support

Creating a Sample CA Certificate

The sample given in this section demonstrates the use of the OpenSSL utility to create a self-signed CA certificate and its private key. This generated CA is then used to sign a CSR (see Signing Certificates With Your Own CA), whether the CSR is generated from keytool or OpenSSL.

Procedure: To Create a Sample CA Certificate

For testing purposes, a sample CA can be generated. To avoid spending additional funds to have a commercial CA sign test certificates, a sample CA is generated and used to sign the test certificate. A CA created this way is trusted only where you explicitly import its certificate, so use it for test environments only and never distribute its private key.

  1. Perform the following operation from the command line (shown here on two lines for readability; type it as a single command):


    openssl req -config c:\openssl\bin\openssl.cnf -new -x509
        -keyout ca-key.pem.txt -out ca-certificate.pem.txt -days 365

    Using properties from c:\openssl\bin\openssl.cnf
    Loading 'screen' into random state: done
    Generating a 1024 bit RSA private key
    .................++++++
    .....................++++++
    writing new private key to 'ca-key.pem.txt'
    Enter PEM pass phrase:
    Verifying password: Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be
        incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name
        or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:Monrovia
    Organization Name (eg, company) []:Sun
    Organizational Unit Name (eg, section) []:Development
    Common Name (eg, your websites domain name) []:development.sun.com
    Email Address []:development@sun.com

    You are prompted for password information.

  2. Enter a pass phrase and remember it. It encrypts the CA's private key, and you must supply it every time you sign a certificate with that key.

    This command creates the CA's private key (ca-key.pem.txt, PEM-encoded and encrypted with the pass phrase) and the corresponding self-signed CA certificate (ca-certificate.pem.txt). The certificate is valid for 365 days starting from the date and time it was created. The transcript above shows a 1024-bit RSA key, which was the OpenSSL default when this procedure was written; current OpenSSL releases default to 2048 bits, and 1024-bit RSA should not be relied on even for test CAs that outlive a single experiment. Add -newkey rsa:2048 (or larger) to the command to set the key size explicitly.

    The configuration file C:\openssl\bin\openssl.cnf is required by the req command: it supplies the DN prompts and defaults shown above and the x509_extensions section (v3_ca, which sets basicConstraints CA:TRUE) that marks the certificate as a CA. The default openssl.cnf file is in the OpenSSL package under the apps sub-directory.


    Note –

    To use this file in Windows, you must change the paths to use double back-slashes. See Windows OpenSSL.cnf File Example for a complete openssl.cnf file example, which is known to work in a Windows environment.
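The procedure above is interactive and depends on whatever openssl.cnf is installed. The following script is an added example, not part of the Java CAPS documentation: it creates the same sample CA non-interactively with a self-contained configuration (so it does not need the Windows openssl.cnf edits), uses a 2048-bit key instead of the 1024-bit default in the transcript, and then checks the three properties a practitioner should confirm before using the CA to sign anything: the certificate carries CA:TRUE, it verifies against itself, and the private key really is encrypted with the pass phrase. The DN values are the ones from the transcript; the file names, working directory and the test pass phrase "changeit" are assumptions.

```shell
#!/bin/sh
# Added example: build a throwaway test CA with OpenSSL and verify it.
# Not code from the Java CAPS documentation. Assumptions: POSIX sh, the
# openssl command on PATH, file names and the test pass phrase below.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_KEY="$WORKDIR/ca-key.pem.txt"
CA_CERT="$WORKDIR/ca-certificate.pem.txt"
CA_PASS="${CA_PASS:-changeit}"   # test-only pass phrase (assumption)

# Minimal config with the DN from the transcript. prompt = no makes the
# run non-interactive; v3_ca supplies the extensions that make the
# certificate usable as a signing CA (basicConstraints CA:TRUE, keyCertSign).
write_config() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
C  = US
ST = California
L  = Monrovia
O  = Sun
OU = Development
CN = development.sun.com
emailAddress = development@sun.com

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Same command as the procedure, plus -newkey rsa:2048 (the transcript's
# 1024-bit default is too weak) and -passout so no prompt is needed.
create_ca() {
  write_config
  openssl req -config "$WORKDIR/ca.cnf" -new -x509 -newkey rsa:2048 \
    -keyout "$CA_KEY" -out "$CA_CERT" -days 365 \
    -passout "pass:$CA_PASS" 2>/dev/null
}

# Print the CN of the certificate subject (multiline output is stable
# across OpenSSL versions, unlike the one-line subject format).
ca_subject_cn() {
  openssl x509 -in "$CA_CERT" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Succeeds only if the certificate is marked as a CA.
ca_is_ca() {
  openssl x509 -in "$CA_CERT" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the certificate verifies against itself, i.e. it is a
# correctly self-signed root that can anchor a chain.
ca_self_verifies() {
  openssl verify -CAfile "$CA_CERT" "$CA_CERT" >/dev/null 2>&1
}

# Succeeds only if the key rejects a wrong pass phrase and accepts the
# right one, proving it was actually stored encrypted.
ca_key_is_encrypted() {
  ! openssl rsa -in "$CA_KEY" -noout -passin pass:wrong-passphrase >/dev/null 2>&1 &&
    openssl rsa -in "$CA_KEY" -noout -passin "pass:$CA_PASS" >/dev/null 2>&1
}

# Usage: sh create-sample-ca.sh run
if [ "${1:-}" = "run" ]; then
  create_ca && ca_is_ca && ca_self_verifies && ca_key_is_encrypted &&
    echo "sample CA for CN=$(ca_subject_cn) written to $WORKDIR"
fi
```

To get the interactive prompts of the documented procedure instead, remove `prompt = no` from the [ req ] section and drop -passout; the DN entries then become defaults for the prompts. The CA:TRUE and self-verification checks are the ones to run against any CA you build this way before trusting it in a keystore, because a certificate created without the v3_ca extensions looks identical in a directory listing but will be rejected as an issuer by keytool and by a TLS peer.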