1. Create a certificate request configuration file
cert_req.conf
************************************************
[ req ]
default_bits = 2048
default_keyfile = keystonekey.pem
default_md = default
prompt = no
distinguished_name = Distiguished_name

[ Distiguished_name ]
countryName = CN
stateOrProvinceName = BJ
localityName = Beijing
organizationName = example
organizationalUnitName = example
commonName = Keystone Signing
emailAddress = [email protected]
************************************************
2. Generate the private key and CSR (Certificate Signing Request). The private key must not be encrypted, hence the -nodes option. The private key is written to signing_key.pem, and the CSR to signing_cert_req.pem.
$ openssl req -newkey rsa:2048 -nodes -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf
3. Send the generated CSR to the CA and request our certificate.
We use cacert to generate a certificate, which is only used in the experiment environment and is saved as signing_cert.pem.
4. Obtain the CA certificate to build a certificate trust chain
Here we use the certificate from cacert and save it as: ca_cert.pem
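
Steps 1 to 4 leave signing_key.pem, signing_cert.pem and ca_cert.pem on disk. The script below is an added example, not part of the original page: it checks that the key is unencrypted, that the certificate was issued for that key, and that the certificate chains to the CA. The function names, ca.conf, ca_key.pem, the trimmed config contents and the throwaway CA are assumptions, constructed so the check runs offline.

```sh
#!/bin/sh
# Added example. Returns 0 only if the key is unencrypted, the certificate
# carries that key's public half, and the certificate chains to the CA.
check_signing_material() {
    key=$1 cert=$2 ca=$3
    # Encrypted PEM keys say "ENCRYPTED" in the header (PKCS#8) or in the
    # Proc-Type line (traditional format).
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is passphrase-protected" >&2; return 1
    fi
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot parse $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse $cert" >&2; return 1; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $cert was not issued for $key" >&2; return 1
    fi
    # Match on the ": OK" line rather than trusting the exit status alone.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    echo "OK: key, certificate and CA are consistent"
}

# Constructed stand-in for steps 1-4: trimmed configs and a throwaway CA
# (ca.conf and ca_key.pem are assumptions) in a temp directory, path printed.
make_demo_files() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
            '[ dn ]' 'commonName = Keystone Signing' > cert_req.conf
        printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
            'x509_extensions = ca_ext' '[ dn ]' 'commonName = Constructed Test CA' \
            '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' > ca.conf
        # Step 2 as on the page.
        openssl req -newkey rsa:2048 -nodes -keyout signing_key.pem -keyform PEM \
            -out signing_cert_req.pem -outform PEM -config cert_req.conf &&
        # Steps 3 and 4: the throwaway CA signs the CSR.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem \
            -out ca_cert.pem -days 1 -config ca.conf &&
        openssl x509 -req -in signing_cert_req.pem -CA ca_cert.pem \
            -CAkey ca_key.pem -CAcreateserial -days 1 -out signing_cert.pem
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

demo_dir=$(make_demo_files) && check_signing_material \
    "$demo_dir/signing_key.pem" "$demo_dir/signing_cert.pem" "$demo_dir/ca_cert.pem"
```

Against real files, call check_signing_material with the paths to signing_key.pem, signing_cert.pem and ca_cert.pem from the steps above.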
Create your own PKI public/private key pairs and Public Key Certificates