Create a digital certificate with OpenSSL

You can use the OpenSSL program to create digital certificates for use with tests.

To create a digital certificate with OpenSSL:

  1. Create a certificate authority (CA).

    For the purposes of testing, this CA takes the place of a recognized CA on the Internet, such as VeriSign. You use this CA to digitally sign each certificate to use for testing.

    1. Create a certificate request (CSR) file.

      The "subject" (-subj) describes the user of the certificate. Enter dummy values as shown.

      Set the password for the certificate to foobar.

      openssl req  \
              -passout pass:foobar  \
              -subj "/C=US/ST=IL/L=Chicago/O=IBM/OU=IBM Software Group/CN=RPT CA/emailAddress=rpt@abc.ibm.com"  \
              -new > waipio.ca.cert.csr
      

    2. Create a key file, waipio.ca.key, to store the private key.

      This removes the password protection from the certificate request file so that you do not have to type the password each time you sign a certificate. Because the password protection has been removed, use the certificate request file for testing purposes only.

      openssl rsa \
              -passin pass:foobar \
              -in privkey.pem \
              -out waipio.ca.key
      

    3. Create an X.509 digital certificate from the certificate request.

      Create a certificate signed with the CA private key. The certificate is valid for 365 days.

      openssl x509 \
              -in waipio.ca.cert.csr \
              -out waipio.ca.cert \
              -req -signkey waipio.ca.key \
              -days 365
      

    4. Create a PKCS#12-encoded file containing the certificate and private key.

      Set the password on the P12 file to default. Rational Performance Tester uses a password of default for all PKCS#12 files by default.

      openssl pkcs12 \
              -passout pass:default \
              -export  \
              -nokeys  \
              -cacerts  \
              -in waipio.ca.cert  \
              -out waipio.ca.cert.p12 \
              -inkey waipio.ca.key
      
      

    You now have a CA certificate (waipio.ca.cert), which can be installed into the Web server under test, and a private key file (waipio.ca.key) that you can use to sign user certificates.

  2. Create a digital certificate for a user.

    1. Create a CSR file for the user. Set the initial password to abc. Optionally, provide an appropriate subject.

      openssl req \
              -passout pass:abc \
              -subj "/C=US/ST=IL/L=Chicago/O=IBM Corporation/OU=IBM Software Group/CN=John Smith/emailAddress=smith@abc.ibm.com" \
              -new > johnsmith.cert.csr
      

    2. Create a private key file without a password.

      openssl rsa \
              -passin pass:abc \
              -in privkey.pem \
              -out johnsmith.key
      

    3. Create a new X.509 certificate for the new user, digitally sign it using the user's private key, and certify it using the CA private key.

      Create a certificate which is valid for 365 days.

      openssl x509 \
              -req \
              -in johnsmith.cert.csr  \
              -out johnsmith.cert  \
              -signkey johnsmith.key \
              -CA waipio.ca.cert  \
              -CAkey waipio.ca.key  \
              -CAcreateserial  \
              -days 365
      

    4. Optional: Create a DER-encoded version of the certificate. This file contains only the certificate and its public key, not the private key. Because it does not contain the private key, it can be shared and does not need to be password protected.

      openssl x509 \
              -in johnsmith.cert \
              -out johnsmith.cert.der \
              -outform DER
      

    5. Create a PKCS#12-encoded file.

      Set the password on the P12 file to default.

      openssl pkcs12 \
              -passout pass:default \
              -export \
              -in johnsmith.cert \
              -out johnsmith.cert.p12 \
              -inkey johnsmith.key
      

    Repeat this step to create as many digital certificates as needed for testing. Keep the key files secure, and delete them when they are no longer needed. Do not delete the CA private key file. You need the CA private key file to sign certificates.
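The procedure above scripted end to end, with the checks the steps themselves do not include (an added example, not code from the original page or from Rational Performance Tester). It assumes keys generated without a passphrase (-nodes) in place of the password-then-strip steps, a user certificate signed with the CA key only, and placeholder file names and subjects.

```shell
#!/bin/sh
# Added example (not from the original page): runs the CA and user-certificate
# procedure above in a scratch directory, then checks what the page does not:
# that the user certificate really chains to the test CA and that the PKCS#12
# bundle opens with the expected password. Assumptions: keys are generated
# without a passphrase (-nodes) instead of the password-then-strip steps, the
# user certificate is signed with the CA key only, and names are placeholders.
set -eu

build_certs() {  # $1 = output directory; returns non-zero if any step fails
  dir=$1
  # Test CA: private key plus self-signed certificate (stands in for steps 1.1-1.3)
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
      -keyout "$dir/ca.key" -out "$dir/ca.cert" \
      -subj "/C=US/ST=IL/O=Example/OU=Test/CN=Test CA" 2>/dev/null || return 1
  # User key and CSR (steps 2.1-2.2)
  openssl req -new -nodes -newkey rsa:2048 \
      -keyout "$dir/user.key" -out "$dir/user.csr" \
      -subj "/C=US/ST=IL/O=Example/OU=Test/CN=Test User" 2>/dev/null || return 1
  # User certificate certified by the CA key; the serial file is created on the fly (step 2.3)
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -out "$dir/user.cert" 2>/dev/null || return 1
  # PKCS#12 bundle protected with the password the tool expects (step 2.5)
  openssl pkcs12 -export -passout pass:default \
      -in "$dir/user.cert" -inkey "$dir/user.key" -out "$dir/user.p12" || return 1
}

verify_chain() {  # $1 = directory written by build_certs; returns 0 only if every check passes
  dir=$1
  # The user certificate must validate against our CA ...
  openssl verify -CAfile "$dir/ca.cert" "$dir/user.cert" >/dev/null || return 1
  # ... and must NOT validate against the system trust store, which does not contain it
  if openssl verify "$dir/user.cert" >/dev/null 2>&1; then
    echo "unexpected: user.cert validated without the test CA" >&2
    return 1
  fi
  # The bundle must unpack with the documented password and hold both key and certificate
  openssl pkcs12 -in "$dir/user.p12" -passin pass:default -nodes \
      -out "$dir/unpacked.pem" 2>/dev/null || return 1
  grep -q "PRIVATE KEY" "$dir/unpacked.pem" || return 1
  grep -q "BEGIN CERTIFICATE" "$dir/unpacked.pem" || return 1
}

# Usage: sh this_script.sh run
case "${1:-}" in
  run) d=$(mktemp -d); build_certs "$d" && verify_chain "$d" && echo "chain OK: $d" ;;
esac
```

The negative check matters when tests are recorded against a real server: a certificate that validates only with the test CA installed is the expected outcome, and a certificate that validates without it means the wrong issuer was used.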


Results

Now you can install the CA certificate (waipio.ca.cert) into WebSphere. Optionally, create a user certificate specifically for the web server, and install it into WebSphere.

You can use user certificates individually to record tests.

To use the user certificates (johnsmith.cert.p12) during test editing and playback, compress them in ZIP format to a file with the .rcs extension. This creates a digital certificate store.

To learn more about digital certificate stores, see Create a digital certificate store. You can also import user certificates into a Web browser to test them interactively in your environment.


Related

  • Digital certificate creation overview
  • Entrust TruePass authentication overview
  • Create a digital certificate store
  • Record a test with digital certificates
  • Play back a test with a digital certificate