crlDistributionPoints = URI:http://www.projectcolo.org.uk/ca/colo.crl
to the usr_cert section in case anything actually uses it.
mkdir coloCA
mkdir coloCA/certs
mkdir coloCA/crl
mkdir coloCA/newcerts
mkdir coloCA/private
echo 01 > coloCA/serial
touch coloCA/index.txt
openssl req -config ./openssl.cnf -new -x509 -keyout coloCA/private/cakey.pem -out coloCA/cacert.pem -days 730
entering the name details requested.
openssl ca -config ./openssl.cnf -gencrl -out coloCA/colo.crl.pem
openssl x509 -in coloCA/cacert.pem -outform DER -out coloCA/cacert.crt
openssl crl -in coloCA/colo.crl.pem -outform DER -out coloCA/colo.crl
openssl x509 -fingerprint -noout -in cacert.pem -sha1
openssl x509 -fingerprint -noout -in cacert.pem -md5
gpg -a --clearsign -o fingerprint
(and copy in the fingerprints).
Simply:
openssl ca -config ./openssl.cnf -policy policy_anything -out cert.pem -infiles req.pem
The same request can be used to produce a new certificate later when the
period of validity is coming to an end (although you might want the keys to
change after a while, and so ask for a new certificate request). If the
previous certificate has not yet expired, OpenSSL will refuse to create a
new certificate. This can be worked around by marking the previous one
expired in the CA database: change the V to an E on its line in
coloCA/index.txt.
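The index.txt edit just described, done on a copy of the database rather than by hand. This is an added helper, not part of the original notes or of OpenSSL: it flips only the still-valid (V) entry for the named subject to E, leaves revoked (R) entries untouched so the CRL still lists them, and reports which serial it changed. The sample rows and subject names are constructed.

```python
# Constructed sample of an OpenSSL CA database (coloCA/index.txt), not taken
# from the page. Fields are tab separated: status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless R), serial (hex), certificate file name, subject DN.
SAMPLE_INDEX = (
    "V\t250101120000Z\t\t01\tunknown\t/C=GB/O=Project Colo/CN=www.projectcolo.org.uk\n"
    "R\t250101120000Z\t240601000000Z\t02\tunknown\t/C=GB/O=Project Colo/CN=old.projectcolo.org.uk\n"
    "V\t250101120000Z\t\t03\tunknown\t/C=GB/O=Project Colo/CN=mail.projectcolo.org.uk\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "file", "subject")


def parse_index(text):
    """Split index.txt into one dict per issued certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed index.txt line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def format_entry(entry):
    """Serialise one entry back to the tab-separated line OpenSSL expects."""
    return "\t".join(entry[f] for f in FIELDS)


def mark_expired(text, subject):
    """Flip V -> E for every still-valid entry whose subject DN matches.

    Returns (new_text, serials_changed). Revoked (R) rows are left alone:
    an R line must stay R or the next -gencrl would silently drop it.
    """
    entries = parse_index(text)
    changed = []
    for entry in entries:
        if entry["subject"] == subject and entry["status"] == "V":
            entry["status"] = "E"
            changed.append(entry["serial"])
    return "".join(format_entry(e) + "\n" for e in entries), changed
```

Read coloCA/index.txt, call mark_expired with the subject of the certificate being replaced, and write the result back only if exactly one serial was changed.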