2,039 bytes added, 20:52, 14 September 2022
Added details for work in progress.
(Adding creating S/MIMEs)
(Added details for work in progress.)
Line 14: Line 14:
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client.
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client.


First, generate your new key:
First, generate your new key for the sender:
<pre>$ openssl genrsa -out smime.key 2048</pre>
<pre>$ openssl genrsa -out smime.key 2048</pre>
Then create a [[Certificate Signing Request]]:
Then create a [[Certificate Signing Request]]:
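Review bot: The genrsa command under the reworded "generate your new key for the sender" step has no cipher option, so smime.key is written to disk unencrypted; either add one (for example "openssl genrsa -aes256 -out smime.key 2048") or state that the file must be readable only by its owner. The step now says the key is for the sender, but the file is still called smime.key, so consider a name that says whose key it is. The introduction above also still calls the certificate self-signed, while the following steps sign the CSR with your own Certificate Authority; one of the two wordings should change.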
Line 39: Line 39:
</pre>
</pre>
Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]].
Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]].
$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt
<pre>$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt</pre>


T.B.C....
Then the receiver needs to create a key and a certificate signing request. This is their server.
<pre>$ openssl genrsa -out sender-smime.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................................................+++++
........+++++
 
Then create the Certificate Request using the new key
 
<pre>
$ openssl req -new -key sender-smime.key -out sender-smime.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:LONDON
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester
Organizational Unit Name (eg, section) []:Grantchester HostCo
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman
Email Address []:william.palfreman@grantchester.ac.uk
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
The creates a certificate request (CSR) which isn't confidential but I won't list here. Take that CSR to your Certificate Authority (CA) and issue the certificate
<pre>
$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt
Certificate request self-signature ok
subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk
Enter pass phrase for private/intermediate.key:</pre>
 
Then pass the receiver sender certificate back to the sending server.
 
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.]
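Review bot: The file names in the new receiver section do not line up, so a reader cannot tell which request is being signed: the receiver's key and CSR are written as sender-smime.key and sender-smime.csr, the signing command reads csr/grant.csr, and the echoed subject (O = University of Granchester, OU = HostCo) differs from the DN entered in the prompt (University of Grantchester, Grantchester HostCo). Use one consistent name per party (sender versus receiver) and paste output from the same run, and reword "receiver sender certificate" to say which certificate goes back. The pre block opened before "openssl genrsa -out sender-smime.key 2048" is never closed, so the sentence "Then create the Certificate Request using the new key" will render inside it. The sender's certificate is issued with -set_serial 1 while the receiver's command shows no serial option; say how serial numbers are assigned so two certificates from the same CA do not share one.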