Certificates
Certificate Authority
A so-called root certificate forms the backbone of server certificates and is stored, on Windows for example, in the Trusted Root Certification Authorities store. It is used later to authenticate, for example, server certificates: a server certificate that chains to a trusted root is regarded as trustworthy by the browser.
Global configuration file
- openssl.conf
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = rootCA.key
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = utf8only

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AT
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Universe
localityName = Locality Name (eg, city)
localityName_default = Milkiway
organizationName = Organization Name (eg, company)
organizationName_default = g.raf engineering
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Department of Network and Data Science
commonName = Common Name (eg, YOUR name)
commonName_default = aaa.sunriax.local
commonName_max = 64
emailAddress = Email Address
emailAddress_default = your@mail.com
emailAddress_max = 64

# extensions for the self-signed root certificate (used by "req -x509")
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# extensions for server certificate requests
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = aaa.sunriax.local
#DNS.2 = ...
# an IP address belongs in an IP entry, not a DNS entry, or clients will not match it
IP.1 = 192.168.0.1
#IP.2 = ...
Setting up a root certificate
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -config openssl.conf
The first command generates a 4096-bit RSA key and encrypts it with a passphrase (Triple-DES); the second issues a self-signed root certificate valid for 1024 days, using the v3_ca extensions from openssl.conf.