OpenSSL CA: make a certificate signing request work on Arch Linux
Edit /etc/ssl/openssl.cnf.
Find the [ ca ] section and make sure it matches:
####################################################################
[ ca ]
default_ca      = CA_default            # default ca section

####################################################################
[ CA_default ]

dir             = /etc/ssl              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key

email_in_dn     = no
serial          = $dir/serial           # serial no file
rand_serial     = yes                   # for random serial#'s
I generated a CA with
openssl genrsa -aes256 -out root_ca_key 16384
openssl req -x509 -new -nodes -key root_ca_key -sha3-512 -days 3650 -out root_ca.crt
Then I signed a certificate signing request with the following command (it needs write permission to several directories under /etc/ssl/):
openssl ca -extensions v3_ca -days 3650 -notext -md sha3-512 -cert root_ca.crt -keyfile root_ca_key -in intermediate_ca.csr -out intermediate_ca.cer -outdir /home/grassyloki/openssl/
Note: Country Name, State or Province Name, Locality Name, and Organization Name all need to match between the CSR and the CA certificate. Make sure to change the home folder in the -outdir path to match your username.
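
The same flow can be rehearsed without touching /etc/ssl. The script below is an added example, not part of the original note: it builds the [ CA_default ] layout in a scratch directory, signs a CSR, and shows that a CSR with a different Organization Name is refused. Assumptions: the subject names are constructed, keys are 2048-bit and unencrypted for speed, the policy section lists the four fields from the note as "match", and -batch replaces the interactive confirmation.

```sh
#!/bin/sh
# Added example (constructed names and values): a scratch CA that mirrors the
# [ CA_default ] layout from the page under a temp dir instead of /etc/ssl.
SUBJ="/C=US/ST=Example State/L=Example City"   # constructed DN prefix

setup_ca() {   # $1 = empty working directory
    mkdir -p "$1/newcerts" "$1/private" "$1/out" && : > "$1/index.txt" || return 1
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/root_ca.crt
private_key = \$dir/private/root_ca_key
email_in_dn = no
rand_serial = yes
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 2048-bit unencrypted key keeps the demo fast; the page uses 16384 bits and -aes256.
    openssl req -x509 -newkey rsa:2048 -nodes -sha3-512 -days 3650 -config "$1/ca.cnf" \
        -subj "$SUBJ/O=Example Org/CN=Example Root CA" \
        -keyout "$1/private/root_ca_key" -out "$1/root_ca.crt" 2>/dev/null
}

sign_csr() {   # $1 = CA directory, $2 = Organization Name to put in the CSR
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "$SUBJ/O=$2/CN=Example Intermediate CA" \
        -keyout "$1/intermediate_key" -out "$1/intermediate_ca.csr" 2>/dev/null || return 1
    # -batch skips the confirmation prompt; CA certificate and key come from ca.cnf.
    openssl ca -batch -config "$1/ca.cnf" -extensions v3_ca -days 3650 -notext \
        -md sha3-512 -in "$1/intermediate_ca.csr" -out "$1/intermediate_ca.cer" \
        -outdir "$1/out" 2>/dev/null || return 1
    openssl verify -CAfile "$1/root_ca.crt" "$1/intermediate_ca.cer" >/dev/null 2>&1
}
```

Run `setup_ca "$(mktemp -d)"` once, then `sign_csr` against that directory; drop the `2>/dev/null` redirections to see the policy error text when a field differs.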