Step 2: Create the server's certificate and private key

The server's certificate identifies the server to the clients that connect to it. A client trusts that identity because the certificate is signed by the root CA created in Step 1 and because the name in the certificate matches the host it connected to.

  • Create the server's serial file:
    $ echo 01 > MyServer.srl
    OpenSSL takes the serial number for the new certificate from this file and increments it after signing. openssl x509 -req uses the file when it is named with -CAserial; otherwise it looks for a file named after the CA certificate (MyCompanyCA.srl). Serial numbers must be unique among all certificates issued by the same CA, so if the CA from Step 1 will sign more than this one certificate, keep a single serial file for the CA rather than one per server.
  • Create the server's Certificate Signing Request and private key:
    $ openssl req -new -out MyServer.csr
    Follow the prompts to create the CSR. Besides the CSR, this command generates a new private key, the one that corresponds to the public key in the CSR, and writes it to a PEM file. The key size comes from the default_bits setting of your openssl.cnf (2048 in current OpenSSL releases); the key is encrypted, so you are prompted for a passphrase for it. You are then asked, in a series of prompts, for the subject of the certificate, its Distinguished Name (DN). A single "." leaves a field blank; the Common Name must be the server's host name as clients see it (see below). The prompts look like this:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:www.MyServer.com
    Email Address []:.

    Two optional "extra" attributes (a challenge password and an optional company name) are prompted for next; both can be left blank.

    By default, openssl writes the private key to the file privkey.pem (the default_keyfile setting in openssl.cnf).

  • Remove the passphrase from the private key:
    $ openssl rsa -in privkey.pem -out MyServer.pem

    You are prompted for the passphrase once more; the key is then written unencrypted to MyServer.pem, while the encrypted original, privkey.pem, is left in place. The server can now load its key at start-up without a passphrase, but anyone able to read MyServer.pem can impersonate the server, so restrict the file's permissions to the account that runs the server and remove privkey.pem or store it securely.

  • Create the server's certificate by signing the CSR with the CA private key created in Step 1: Create the root certificate authority:
    $ openssl x509 -in MyServer.csr -out MyServer.crt \
        -req -CA MyCompanyCA.crt -CAkey MyCompanyCA.pem \
        -CAserial MyServer.srl -days 365

    -req tells openssl that the input is a CSR rather than a certificate. -CAserial points at the serial file created above; without it openssl looks for MyCompanyCA.srl, named after the CA certificate. -days sets the validity period; without it the certificate expires after 30 days. If the CA key is encrypted, you are prompted for its passphrase.

The purpose of the server's certificate is to identify the server to any client that connects to it. The client compares the host name it connected to with the name in the certificate; if they differ, it does not trust the server's identity and the connection is aborted. The Common Name entered for the CSR must therefore be the server's host name as it is known on the network: if the URL of the server is https://www.MyServer.com/fastcgi/ws/r/MyWebService, the Common Name must be www.MyServer.com. Note that current TLS clients, browsers in particular, take the host name from the certificate's subjectAltName extension rather than from the Common Name, so a certificate meant for such clients also needs a subjectAltName DNS entry for the same name; with openssl x509 -req this is supplied through -extfile, since extensions in the CSR are not copied into the certificate.
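The whole of Step 2 as a script that needs no prompts, followed by the checks a connecting client performs on the result. This is an added example and not from the original page or its product: it builds a small stand-in for the Step 1 root CA so that it runs on its own, and the config sections, the validity periods, the subjectAltName and the file permissions are choices made here rather than settings the page prescribes. File names follow the page (MyCompanyCA.*, MyServer.*, www.MyServer.com); the openssl command-line tool (1.1.1 or later) must be installed.

```shell
#!/bin/sh
# Added example, not part of the original page: Step 2 run non-interactively
# with its own small OpenSSL config, followed by the checks a connecting client
# performs. The stand-in root CA built here replaces the one from Step 1 so the
# script runs on its own. Requires openssl 1.1.1 or later.
set -e

# Stand-in for Step 1's root CA. Its own config keeps the result independent of
# the system openssl.cnf; v3_ca marks the certificate as a CA so that
# 'openssl verify' accepts it as a trust anchor.
make_stand_in_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = FR
O = MyCompany
CN = MyCompany Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$dir/MyCompanyCA.pem" -out "$dir/MyCompanyCA.crt" \
    2>/dev/null
}

# Step 2 without prompts. The DN comes from the config instead of the
# interactive questions, -nodes writes the key unencrypted straight away (the
# page does this in two steps) and the umask keeps that key owner-readable only.
issue_server_cert() {
  dir=$1
  host=$2
  cat > "$dir/MyServer.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = server_dn
req_extensions = v3_server
[ server_dn ]
C = FR
CN = $host
[ v3_server ]
subjectAltName = DNS:$host
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  (umask 077; openssl req -new -config "$dir/MyServer.cnf" -newkey rsa:2048 \
      -nodes -sha256 -keyout "$dir/MyServer.pem" -out "$dir/MyServer.csr" \
      2>/dev/null)
  # Serial file as on the page. It is only consulted because -CAserial names
  # it; serials must be unique per CA, so a real CA keeps one file for all
  # certificates it signs.
  echo 01 > "$dir/MyServer.srl"
  # 'openssl x509 -req' does not copy extensions out of the CSR, so the SAN
  # that clients match the host name against is read again from the same
  # config. -days is explicit because the default validity is only 30 days.
  openssl x509 -req -in "$dir/MyServer.csr" -out "$dir/MyServer.crt" \
    -CA "$dir/MyCompanyCA.crt" -CAkey "$dir/MyCompanyCA.pem" \
    -CAserial "$dir/MyServer.srl" -days 365 -sha256 \
    -extfile "$dir/MyServer.cnf" -extensions v3_server 2>/dev/null
}

# What a client does: build a chain to the trusted CA, then match the host
# name it connected to against the certificate (SAN first, then CN).
verify_server_cert() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/MyCompanyCA.crt" "$dir/MyServer.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/MyServer.crt" -noout -checkhost "$host" 2>/dev/null |
      grep -q 'does match'
}

# The private key the server loads must belong to the certificate it presents:
# compare the public key derived from each.
key_matches_cert() {
  dir=$1
  [ "$(openssl pkey -in "$dir/MyServer.pem" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/MyServer.crt" -noout -pubkey 2>/dev/null)" ]
}

# Demonstration run in a scratch directory.
WORK=$(mktemp -d)
make_stand_in_ca "$WORK"
issue_server_cert "$WORK" www.MyServer.com
if verify_server_cert "$WORK" www.MyServer.com && key_matches_cert "$WORK"; then
  echo "MyServer.crt chains to MyCompanyCA.crt, names www.MyServer.com and matches MyServer.pem"
fi
if ! verify_server_cert "$WORK" mail.MyServer.com; then
  echo "a client that connected to mail.MyServer.com would reject this certificate"
fi
openssl x509 -in "$WORK/MyServer.crt" -noout -subject -issuer -dates
rm -rf "$WORK"
```

Run it as a script; it prints the two verdicts and the certificate's subject, issuer and validity dates. The second check is the failure mode the paragraph above describes: the same certificate, presented by a host with a different name, is rejected even though its chain to the CA is valid.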

In the next step we create the server's certificate authority list, Step 3: Create the server's certificate authority list.