(Adding creating S/MIMEs)
(Added details for work in progress.)
Line 14: | Line 14: | ||
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client. | This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client. | ||
First, generate your new key: | First, generate your new key for the sender: | ||
<pre>$ openssl genrsa -out smime.key 2048</pre> | <pre>$ openssl genrsa -out smime.key 2048</pre> | ||
Then create a [[Certificate Signing Request]]: | Then create a [[Certificate Signing Request]]: | ||
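Review bot: The opening sentence of this hunk still describes the result as a "self-signed S/MIME certificate", but the procedure signs the CSR with the intermediate CA (`-CA certs/intermediate.crt -CAkey private/intermediate.key`), so the certificate is CA-issued rather than self-signed; suggest "an S/MIME certificate signed by your own Certificate Authority". Since the right-hand text now labels this key as the sender's, the file name should say so too (`sender-smime.key` instead of `smime.key`) so it cannot be confused with the receiver's key that the next hunk creates.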
Line 39: | Line 39: | ||
</pre> | </pre> | ||
Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]]. | Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]]. | ||
$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt | <pre>$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt</pre> | ||
Then the receiver needs to create a key and a certificate signing request. This is their server. | |||
<pre>$ openssl genrsa -out sender-smime.key 2048 | |||
Generating RSA private key, 2048 bit long modulus (2 primes) | |||
........................................................................................+++++ | |||
........+++++ | |||
Then create the Certificate Request using the new key | |||
<pre> | |||
$ openssl req -new -key sender-smime.key -out sender-smime.csr | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:GB | |||
State or Province Name (full name) [Some-State]:London | |||
Locality Name (eg, city) []:LONDON | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester | |||
Organizational Unit Name (eg, section) []:Grantchester HostCo | |||
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman | |||
Email Address []:william.palfreman@grantchester.ac.uk | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
The creates a certificate request (CSR) which isn't confidential but I won't list here. Take that CSR to your Certificate Authority (CA) and issue the certificate | |||
<pre> | |||
$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt | |||
Certificate request self-signature ok | |||
subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk | |||
Enter pass phrase for private/intermediate.key:</pre> | |||
Then pass the receiver sender certificate back to the sending server. | |||
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.] |
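Review bot: The receiver's signing command (`openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt`) supplies no serial number source, while the sender's command in the previous hunk hard-codes `-set_serial 1`; serial numbers must be unique per issuer, so a fixed `1` cannot be reused for a second certificate from the same intermediate, and omitting `-set_serial`, `-CAserial` and `-CAcreateserial` is not the same command as the one above. Suggest `-CAcreateserial` (or `-CAserial private/intermediate.srl`) in both commands so the CA keeps its own serial file. Neither command passes an extensions file, so the issued certificates carry no `extendedKeyUsage = emailProtection` and no `subjectAltName = email:...`, which mail clients check for when selecting an S/MIME certificate; the `-extfile`/`-extensions` used should be shown. Markup: the `<pre>` opened before `$ openssl genrsa -out sender-smime.key 2048` is never closed, so the sentence "Then create the Certificate Request using the new key" and the following `<pre>` are swallowed into the first block; add `</pre>` after the `........+++++` line. Naming: the paragraph says this key belongs to the receiver but the files are `sender-smime.key` and `sender-smime.csr`, and the signing step then reads `csr/grant.csr` and writes `grant.crt`; one consistent name (for example `receiver-smime.*`) would avoid readers signing the wrong request. The pasted signing output shows `O = University of Granchester, OU = HostCo`, whereas the prompts above entered `University of Grantchester` and `Grantchester HostCo`, so the transcript was not captured from the same run as the request. Typos: "The creates a certificate request" should read "This creates a certificate request", and "pass the receiver sender certificate back to the sending server" should read "pass the receiver's certificate back to the sending server".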