
I want to create a self-signed certificate with the RSA algorithm, key size 2048, with a subject key identifier. I know we made some default changes in openssl.conf. What am I supposed to change?

```shell
# commands as run at the openssl> prompt (prefix each with "openssl" from a normal shell)
genrsa -des3 -out mcedt.key 2048
req -new -key mcedt.key -out mcedt.csr
# subject entered at the req prompts: CN = server.test, OU =, O =, L = Toronto, S = ontario, C = can
x509 -req -days 365 -in mcedt.csr -signkey mcedt.key -out mcedt.crt
pkcs12 -export -in mcedt.crt -inkey mcedt.key -out mcedt.pfx
```
  • Hello, I see you've been working with MCEDT. Did you get it to work properly? – Alex Terreaux May 26 '14 at 21:01
  • Possible duplicate of [How to create a self-signed certificate with openssl?](http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl). Ensure `subjectKeyIdentifier = hash` is in the `[x509_ext]` area of the CONF file. You should include an authority key identifier, too. For that, `authorityKeyIdentifier = keyid,issuer`. – jww May 06 '15 at 07:30

1 Answer


You could create an extension file (extensions.cnf) with the following information:

```
subjectKeyIdentifier=hash
```

as mentioned by OpenSSL:

This is really a string extension and can take two possible values. Either the word hash which will automatically follow the guidelines in RFC3280 or a hex string giving the extension value to include. The use of the hex string is strongly discouraged.

Then you should change

```shell
x509 -req -days 365 -in mcedt.csr -signkey mcedt.key -out mcedt.crt
```

into

```shell
x509 -req -days 365 -extfile extensions.cnf -in mcedt.csr -signkey mcedt.key -out mcedt.crt
```
  • Hi, by default the OpenSSL.conf file has the extension, doesn't it? – Madhavan Jan 18 '14 at 05:42
  • Yes, you could use the default one from OpenSSL and uncomment/modify what you need as extensions, then pass its path as the filename. But I suggest you have your own, or a copy of the OpenSSL one. – Camille G. Jan 20 '14 at 09:02
  • BTW, if it works, just accept the answer so that other people will know that it's working :) – Camille G. Jan 20 '14 at 10:04
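As an added, runnable version of the answer's procedure (example code, not from the question or the answer): it writes the extension file with both `subjectKeyIdentifier` and `authorityKeyIdentifier`, runs the key/CSR/sign steps with the question's file names, and then checks that both identifiers actually ended up in the certificate. The subject values (`C=CA`, `ST=Ontario`, `O=Test Org`, `OU=IT`) and the unencrypted key are assumptions so it runs unattended; `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example: self-signed RSA-2048 certificate with SKI and AKI extensions.
# Assumes openssl is installed; file names mirror the question (mcedt.*).
set -eu

make_selfsigned_cert() {
  dir="$1"                      # working directory (created if missing)
  mkdir -p "$dir"
  # extension file passed to "x509 -req" with -extfile (the answer's change)
  cat > "$dir/extensions.cnf" <<'EOF'
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
EOF
  # 2048-bit RSA key; no -des3 so no passphrase prompt (assumption)
  openssl genrsa -out "$dir/mcedt.key" 2048 2>/dev/null
  # CSR with the subject given on the command line instead of at the prompts
  # (assumed values; "C" must be a two-letter code, so CA rather than "can")
  openssl req -new -key "$dir/mcedt.key" -out "$dir/mcedt.csr" \
    -subj "/C=CA/ST=Ontario/L=Toronto/O=Test Org/OU=IT/CN=server.test"
  # self-sign the CSR and apply the extension file
  openssl x509 -req -days 365 -extfile "$dir/extensions.cnf" \
    -in "$dir/mcedt.csr" -signkey "$dir/mcedt.key" \
    -out "$dir/mcedt.crt" 2>/dev/null
}

# Print "ok" when the certificate carries both identifier extensions,
# otherwise print which one is missing and fail.
check_identifiers() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'X509v3 Subject Key Identifier' \
    || { echo missing-ski; return 1; }
  echo "$txt" | grep -q 'X509v3 Authority Key Identifier' \
    || { echo missing-aki; return 1; }
  echo ok
}

# Stand-alone run: build into ./mcedt-demo (or the directory given as $1)
workdir="${1:-./mcedt-demo}"
make_selfsigned_cert "$workdir"
check_identifiers "$workdir/mcedt.crt"
```

Run `openssl x509 -in mcedt-demo/mcedt.crt -noout -text` afterwards to see the `X509v3 Subject Key Identifier` value that `hash` produced.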