Create your own certification center
Creating a CA private key
- We create a root (self-signed) certificate from our own private key. Go to the directory where the certificate database for our CA is kept and start generating.
- Create the CA private key (our own Certificate Authority): an RSA key of 2048 bits, protected with the 3DES encryption algorithm. The key file name is cambium-ca.key.
openssl genrsa -des3 -out cambium-ca.key 2048
Generating RSA private key, 2048 bit long modulus
......................+++
...........+++
e is 65537 (0x10001)
Enter pass phrase for cambium-ca.key:
Verifying - Enter pass phrase for cambium-ca.key:
- While creating the private key you must enter a passphrase that protects the key (and confirm it). The content of the key can be viewed with the following command:
openssl rsa -noout -text -in cambium-ca.key
Here you must enter the passphrase of the private key again.
Creating a CA certificate
- Generate a self-signed CA certificate:
openssl req -new -x509 -days 3650 -key cambium-ca.key -out cambium-ca.crt
Enter pass phrase for cambium-ca.key:
You are asked to enter information that will be incorporated into your certificate request.
What you enter is called a Distinguished Name or a DN. If you enter '.', the field will be left blank.
-----
Country Name (2 letter country code):
State or Province Name (full name):
Locality Name (Ex. City):
Organization Name (Ex. Cambium Networks):
Organizational Unit Name (Ex. Cambium):
Common Name (Ex. cambium root CA):
Email Address (Ex. admin@cambium.com):
- When generating the certificate you must enter the passphrase that protects the CA key, and then fill in the requested fields (company name, email, etc.); the most important of these is the Common Name, the unique name of the certification center.
In this case "cambium root CA" was chosen as the Common Name. View the resulting certificate with the command shown below:
openssl x509 -noout -text -in cambium-ca.crt
As a result, we see:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ea:30:7b:69:a2:13:0c:70
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=UA, ST=Euro, L=Kiev, O=Cambium Networks, OU=Cambium, CN=cambium root CA/emailAddress=admin@cambium.com
        # Issuer: ourselves, since the certificate is self-signed
        Validity
            Not Before: Dec  9 11:34:29 2005 GMT
            Not After : Dec  7 11:34:29 2015 GMT
        # Validity period of the certificate
        Subject: C=UA, ST=Euro, L=Kiev, O=Cambium Networks, OU=Cambium, CN=cambium root CA/emailAddress=admin@cambium.com
        # Subject: the fields entered for the certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c0:ff:50:fd:a8:eb:07:9b:17:d1:a9:e2:a5:dc:
                    59:a7:97:28:9f:bc:a4:01:16:45:37:f5:8d:ca:1e:
                    12:ca:25:02:8a:cf:ee:ae:35:59:ed:57:89:c7:2b:
                    17:9f:8b:de:60:db:e5:eb:b3:de:09:30:3b:a9:68:
                    40:f7:f8:84:f4:6c:b2:24:3d:ed:45:a3:8a:66:99:
                    40:a9:53:0c:75:e3:df:f3:ef:20:0c:a6:3f:f2:dd:
                    e9:1c:f5:d1:c1:32:4c:44:fd:c1:a2:d9:e6:e0:dc:
                    04:0c:f8:dd:9e:31:aa:9d:60:b0:84:d2:e0:b7:a5:
                    eb:82:31:4f:71:c4:ee:ab:5c:8e:ef:8c:a1:1a:2a:
                    62:e9:e9:36:ff:12:b9:c9:ac:0e:4d:ac:08:97:87:
                    d2:30:2f:41:a1:9e:ef:8b:bf:c6:cf:66:70:02:ab:
                    2d:b0:9c:56:b8:13:e8:92:59:f5:d9:33:d7:33:6a:
                    7c:cb:9b:92:ee:4b:22:32:73:59:70:3f:b1:f6:1b:
                    67:1d:28:eb:bb:4b:5e:61:95:43:78:d5:3b:db:e1:
                    37:f1:ec:0d:db:50:65:22:cb:f4:f9:b8:2a:c6:1f:
                    2b:e9:f8:64:03:4f:36:dc:72:8e:be:3d:12:8a:ca:
                    8b:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4C:80:F5:82:4C:A4:52:DF:9E:0C:0D:64:74:68:1E:45:F6:C1:C7:68
            X509v3 Authority Key Identifier:
                keyid:4C:80:F5:82:4C:A4:52:DF:9E:0C:0D:64:74:68:1E:45:F6:C1:C7:68
                DirName:/C=UA/ST=Euro/L=Kiev/O=Cambium Networks/OU=Cambium/CN=cambium root CA/emailAddress=admin@cambium.com
                serial:EA:30:7B:69:A2:13:0C:70
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        57:db:0d:2b:27:eb:0a:97:7f:b1:37:b3:d1:d7:14:a6:80:66:
        3d:7c:00:4a:45:1f:7c:2b:5e:30:b2:72:74:9f:6d:33:82:f7:
        f7:de:54:a9:2b:e7:ea:1b:93:bd:cc:74:4f:11:ed:94:0b:b9:
        b2:1f:b1:86:6e:c6:48:71:48:9b:2b:0a:36:f3:ab:d6:f9:75:
        c9:0d:1b:e9:2c:85:04:fc:17:9a:94:b9:14:0d:15:d1:1e:8b:
        bb:9e:91:ca:40:8c:d8:ef:dd:4a:75:d0:b9:62:d4:ee:1b:e5:
        b5:7e:fa:f1:5d:62:d1:78:b0:34:04:bb:60:37:8a:a8:74:88:
        f6:94:3b:c8:fb:c0:98:f4:94:e9:d5:53:8e:31:e6:25:56:c3:
        84:7c:46:b9:09:5f:e3:43:a8:57:c9:3a:d9:3d:a7:b0:41:db:
        ea:ca:60:28:0b:a3:f0:0b:e6:d6:c0:5b:15:0c:f8:19:36:26:
        d3:2a:8d:c9:67:fe:04:6f:e9:bf:f9:55:de:2c:92:04:81:6f:
        43:d5:94:25:af:83:b8:01:22:c8:1a:7e:2e:a9:10:b0:e5:35:
        a7:17:bf:65:a1:31:55:85:ba:10:24:71:03:3b:d6:71:a4:ad:
        48:28:46:8f:7e:e6:b3:8c:37:97:4f:36:05:8c:f6:d1:40:a8:
        c4:58:9b:28
- Now copy the CA certificate and key to a fixed, well-known location, for example /etc/ssl/cambium (the certificate may be published freely; the key file should stay readable only by root):
mkdir /etc/ssl/cambium
cp cambium-ca.* /etc/ssl/cambium/
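The CA set-up above, as an added example that is not part of the original page and is not Cambium's sign_cert.sh: it repeats the page's steps (a passphrase-protected 2048-bit RSA key, a self-signed certificate valid 3650 days, the same DN and the same file names cambium-ca.key / cambium-ca.crt) with the settings a current OpenSSL needs. The dump above shows md5WithRSAEncryption, the default of the OpenSSL release the page used; current clients reject MD5-signed certificates, so the example signs with SHA-256, encrypts the key with AES-256 in place of the legacy 3DES, and states the CA extensions (CA:TRUE, keyCertSign, the key identifiers seen in the dump) in its own config file rather than relying on the distribution's openssl.cnf. The config file name, the passphrase file and the working directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build a root CA as the page does, with current settings.
# Not Cambium's sign_cert.sh; the config file, passphrase file and working
# directory are this example's own assumptions.
set -eu

# Write a minimal OpenSSL config whose v3 section marks the certificate as a CA,
# reproducing the DN and the extensions shown in the page's certificate dump.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
C  = UA
ST = Euro
L  = Kiev
O  = Cambium Networks
OU = Cambium
CN = cambium root CA
emailAddress = admin@cambium.com

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
}

# make_ca DIR PASSFILE: create cambium-ca.key (2048-bit RSA, AES-256 encrypted
# with the passphrase read from PASSFILE) and a self-signed cambium-ca.crt
# valid for 3650 days, signed with SHA-256.
make_ca() {
    dir=$1; passfile=$2
    mkdir -p "$dir"
    write_ca_config "$dir/ca.cnf"
    # -aes256 replaces the page's -des3; the passphrase comes from a file so
    # the function runs without prompting.
    openssl genrsa -aes256 -passout "file:$passfile" -out "$dir/cambium-ca.key" 2048 2>/dev/null
    chmod 600 "$dir/cambium-ca.key"   # the CA key is the root of trust: owner-only
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/cambium-ca.key" -passin "file:$passfile" -out "$dir/cambium-ca.crt"
}

# ca_sig_alg DIR: print the signature algorithm of the CA certificate
# (the page's dump shows md5WithRSAEncryption; here it must be SHA-256).
ca_sig_alg() {
    openssl x509 -noout -text -in "$1/cambium-ca.crt" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# ca_is_ca DIR: succeed only if Basic Constraints say CA:TRUE.
ca_is_ca() {
    openssl x509 -noout -text -in "$1/cambium-ca.crt" | grep -q 'CA:TRUE'
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    printf 'example-passphrase\n' > "$WORK/ca.pass"   # constructed passphrase, demo only
    make_ca "$WORK/ca" "$WORK/ca.pass"
    echo "signature algorithm: $(ca_sig_alg "$WORK/ca")"
    ca_is_ca "$WORK/ca" && echo "basicConstraints: CA:TRUE"
    echo "CA written to $WORK/ca (copy cambium-ca.crt and cambium-ca.key as the page describes)"
else
    echo "openssl not found; nothing generated" >&2
fi
```

The passphrase file only exists so that the functions run unattended; when creating a real CA, type the passphrase at the prompt as the page does and keep the key file owner-only, since anyone who can read it and knows the passphrase can issue certificates the whole deployment trusts.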
Issuance of certificates
Script certificate generation
- Download the script sign_cert.sh (from the Cambium support web site, listed under "Certificate generation script"). It allows you to create server and user certificates.
- Edit the following lines:
ROOTCA="cambium"          - root CA name: file name of the root certificate (without the suffix '-ca')
O="Cambium Networks"      - name of the organization
C="UA"                    - country
ST="Euro"                 - state
L="Kiev"                  - city
OU="Cambium"              - unit
EMAIL=email@cambium.com   - email
BITS=2048                 - size of the generated key in bits
CLIENT_DAYS=730           - client certificate validity period in days
SERVER_DAYS=1461          - server certificate validity period in days
The lines for the country, city, department, email, etc. should be adjusted (though not necessarily: these are default values that can still be changed while creating the certificate). The variables for the certificate validity periods can be left unchanged.
Creating a server certificate (for RADIUS)
- Create a server certificate (option server_cert); the file name (and certificate name) is radius.cambium.com:
./sign_cert.sh server_cert radius.cambium.com
create certificate key: radius.cambium.com.key
Generating RSA private key, 2048 bit long modulus
.......+++
..................................+++
e is 65537 (0x10001)
# Enter the passphrase that will protect the key
Enter pass phrase for radius.cambium.com.key:
Verifying - Enter pass phrase for radius.cambium.com.key:
decrypt certificate key: radius.cambium.com.crt
Enter pass phrase for radius.cambium.com.key:
writing RSA key
# Create a certificate request
Create certificate request: radius.cambium.com.csr
You are asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. If you enter '.', the field will be left blank.
- Then fill in the fields, as for the root certificate. Default values are already filled in and shown in square brackets; to accept them simply press ENTER.
- Country Name (2 letter country code):
- State or Province Name (full name):
- Locality Name (Ex. City):
- Organization Name (Ex. Cambium Networks):
- Organizational Unit Name (Ex. Cambium):
- Common Name (Ex. radius.cambium.com):
- Email Address (Ex. email@cambium.com):
# Sign the certificate request
sign certificate by CA: radius.cambium.com.crt
sign ca is: cambium-ca
CA signing: radius.cambium.com.csr -> radius.cambium.com.crt:
Using configuration from ca.config
- Since the newly created certificate is signed with the root certificate, we must enter the passphrase that protects the root key of our CA:
Enter pass phrase for ./../cambium-ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UA'
stateOrProvinceName   :PRINTABLE:'Euro'
localityName          :PRINTABLE:'Kiev'
organizationName      :PRINTABLE:'Cambium Networks'
organizationalUnitName:PRINTABLE:'Cambium'
commonName            :T61STRING:'radius.cambium.com'
emailAddress          :IA5STRING:'email@cambium.com'
Certificate is to be certified until Dec 25 12:05:18 2013 GMT (730 days)
Everything is OK, completing work
Server certificate is created.