-----------------------------------------------------------------------
$ certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
-----------------------------------------------------------------------
$ certtool --generate-self-signed --load-privkey ca-key.pem \
    --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name:
UID:
Organizational unit name: TestOU
Organization name: TestOrg
Locality name:
State or province name:
Country name (2 chars): BE
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6144998637983393713):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate: CA_SELF-SIGNED
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 55476bb4224267b1
    Validity:
        Not Before: Mon May 04 12:53:09 UTC 2015
        Not After: Thu May 01 12:53:12 UTC 2025
    Subject: OU=TestOU,O=TestOrg,C=BE
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
        Modulus (bits 2048):
            00:e1:e1:68:5e:81:1d:45:c6:87:5a:e0:74:53:da:a9
            92:ba:45:f1:ac:91:77:25:3f:03:3f:bd:6e:ce:8e:a1
            75:57:a2:73:b2:d8:c0:8d:b8:19:85:3d:09:d0:2c:8a
            5a:e7:22:ef:96:7c:1e:7b:2b:b2:ed:bb:55:a6:76:5c
            2e:41:23:b1:aa:9e:a6:b2:e6:25:56:6b:f4:de:9e:21
            55:c6:e0:d4:f6:94:3b:cf:2a:8f:9e:73:38:ef:c0:1c
            39:1e:38:38:04:d6:a0:87:10:0c:ed:7c:28:ed:52:12
            9a:a4:08:3f:5e:9e:6d:5e:6e:62:21:45:f8:37:83:8d
            76:56:c0:ae:4d:c9:44:9a:6b:f9:c2:fa:af:33:da:47
            b2:92:d0:f3:0b:fd:61:52:b1:db:e5:40:50:09:d4:3c
            f7:18:2b:cb:2c:45:43:a3:9f:eb:1a:7b:ff:65:33:fb
            51:a2:d5:d0:5d:58:47:14:5a:96:c0:82:f7:bb:c6:04
            eb:db:ea:76:0e:d6:f6:04:2a:df:49:b2:18:ae:5e:a9
            d4:b3:b8:29:70:40:4d:74:ee:08:01:ad:ad:9b:75:ff
            1c:37:5b:82:e4:29:85:94:f0:43:eb:13:ef:b2:13:e9
            d3:d2:14:64:d9:8e:3a:2f:56:f6:96:ae:b4:e7:a3:ad
            75
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Subject Alternative Name (not critical):
            DNSname: CA_SELF-SIGNED
        Key Purpose (not critical):
            Code signing.
            OCSP signing.
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            c4ab3630c4ceeb03bfa2ac3881d57d1877ad0870
Other Information:
    Public Key ID:
        c4ab3630c4ceeb03bfa2ac3881d57d1877ad0870
    Public key's random art:
        +--[ RSA 2048]----+
        |     ..E .       |
        |    . .o.. . .   |
        |    .o. =oo .    |
        |    .+. o.o..    |
        |..  = .S         |
        |o .  + .         |
        | . o.  +         |
        |+ ..o. .         |
        |=+ .oo           |
        +-----------------+

Is the above information ok? (y/N): y
Signing certificate...
-----------------------------------------------------------------------
$ certtool --generate-privkey --outfile server-key.pem
Generating a 2048 bit RSA private key...
-----------------------------------------------------------------------
$ certtool --generate-request --load-privkey server-key.pem \
    --outfile server-request.pem
Generating a PKCS #10 certificate request...
Common name:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate: TEST_SERVER_CERT
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): N
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N): y
-----------------------------------------------------------------------
$ certtool --generate-certificate --load-request server-request.pem \
    --outfile server-cert.pem --load-ca-certificate ca-cert.pem \
    --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6145000369163434374):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N): N
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: TEST_SERVER_CERT
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 55476d4734a17986
    Validity:
        Not Before: Mon May 04 12:59:52 UTC 2015
        Not After: Thu May 01 12:59:57 UTC 2025
    Subject:
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
        Modulus (bits 2048):
            00:c1:23:25:9e:21:80:aa:da:c3:f0:b7:59:97:8e:14
            b1:33:7a:d6:7a:03:b0:da:3d:be:fb:0a:07:b4:b5:58
            3c:07:7d:b9:91:ec:38:ef:01:65:05:c4:fb:07:6f:16
            cd:1a:e5:cb:02:ab:74:00:cc:c7:24:66:12:e9:9e:fa
            c0:a0:0d:2a:f8:ef:9e:a7:10:17:a7:22:85:06:4d:69
            45:9e:a5:7a:71:ad:37:d2:97:21:c8:33:26:8e:dd:99
            8e:a8:6d:81:f2:7b:84:f3:45:a6:77:c8:a1:06:03:c3
            8e:e9:b6:5a:98:a0:d9:e0:96:fb:29:98:67:0f:51:78
            85:85:0a:c4:88:79:a1:72:37:83:b9:0b:5b:70:5b:58
            b4:50:00:89:07:83:fe:b4:83:57:27:ac:31:ff:ce:7e
            d4:10:45:96:58:59:6d:66:0b:8f:db:e3:60:e2:2a:d9
            0d:44:51:cc:c4:8b:26:c4:6f:86:b3:cc:61:b7:f5:da
            00:1b:3b:ea:a8:fa:31:0c:87:12:ea:ed:cd:b4:01:22
            ee:28:5e:a7:8c:34:88:61:04:b8:98:63:bc:aa:8c:17
            a5:87:12:33:fa:31:dc:46:80:07:c3:47:12:10:ac:33
            79:44:f5:fa:17:c2:3f:63:ae:d7:50:fd:02:ac:17:0c
            29
        Exponent (bits 24):
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Subject Alternative Name (not critical):
            DNSname: TEST_SERVER_CERT
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            bb03933d1e2ccbb32fffb2aa82d3a904e8c84f22
        Authority Key Identifier (not critical):
            c4ab3630c4ceeb03bfa2ac3881d57d1877ad0870
Other Information:
    Public Key ID:
        bb03933d1e2ccbb32fffb2aa82d3a904e8c84f22
    Public key's random art:
        +--[ RSA 2048]----+
        |                 |
        |                 |
        |                 |
        |.                |
        |o     +S         |
        |=  =  =.         |
        |EB o . *.o       |
        |= B = +.         |
        |.o o..oB==.      |
        +-----------------+

Is the above information ok? (y/N): y
Signing certificate...
-----------------------------------------------------------------------
$ gnutls-serv --priority=NORMAL -p 9000 \
    --x509cafile=/export/security/gnutls/ca-cert.pem \
    --x509certfile=/export/security/gnutls/server-cert.pem \
    --x509keyfile=/export/security/gnutls/server-key.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 9000...done
HTTP Server listening on IPv6 :: port 9000...done
-----------------------------------------------------------------------
$ gnutls-cli --priority=NORMAL -p 9000 \
    --x509cafile=/export/security/gnutls/ca-cert.pem 127.0.0.1
-----------------------------------------------------------------------
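The interactive session above can be replayed non-interactively with certtool template files, which is how you would script it for a test lab. The script below is an added example, not part of the original page or of GnuTLS itself; it assumes certtool from GnuTLS 3.x on the PATH, and the file names, template contents and the PKI_DIR variable are the example's own choices. It also tightens two things the transcript leaves loose: the CA key is given only certificate- and CRL-signing usage (the transcript additionally grants it code signing and OCSP signing, which a CA key should not carry), and the server certificate names `localhost` and `127.0.0.1`, so that a client connecting to 127.0.0.1 has a subjectAltName to match; the transcript's `TEST_SERVER_CERT` SAN with an empty Subject gives gnutls-cli's hostname check nothing to match against.

```shell
#!/bin/sh
# Added example (not from the original page): scripted version of the
# certtool session, using --template instead of interactive prompts.
set -eu

make_pki() {
  dir=$1
  mkdir -p "$dir"

  # CA template: CA:TRUE plus only the key usages a CA actually needs.
  cat > "$dir/ca.tmpl" <<'EOF'
cn = "Test CA"
organization = "TestOrg"
unit = "TestOU"
country = "BE"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF

  # Server template: the names must match what clients connect to.
  cat > "$dir/server.tmpl" <<'EOF'
cn = "localhost"
organization = "TestOrg"
dns_name = "localhost"
ip_address = "127.0.0.1"
expiration_days = 825
tls_www_server
signing_key
encryption_key
EOF

  # 1. CA key and self-signed CA certificate.
  certtool --generate-privkey --bits 3072 --outfile "$dir/ca-key.pem"
  certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
    --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"

  # 2. Server key, PKCS#10 request, and CA-signed server certificate.
  certtool --generate-privkey --bits 3072 --outfile "$dir/server-key.pem"
  certtool --generate-request --load-privkey "$dir/server-key.pem" \
    --template "$dir/server.tmpl" --outfile "$dir/server-request.pem"
  certtool --generate-certificate --load-request "$dir/server-request.pem" \
    --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
    --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"

  # Private keys are written world-readable by default; restrict them.
  chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
}

# Check that server-cert.pem chains to ca-cert.pem. Chain order for
# --verify-chain is end-entity first, self-signed root last.
# Returns certtool's exit status (non-zero on a failed verification).
verify_pki() {
  dir=$1
  cat "$dir/server-cert.pem" "$dir/ca-cert.pem" | certtool --verify-chain >/dev/null 2>&1
}

# Stand-alone use (hypothetical file name):  PKI_DIR=/tmp/testpki sh make-pki.sh
# Afterwards, as in the transcript, but without --x509cafile on the server
# (it is only needed when the server must verify client certificates):
#   gnutls-serv --priority=NORMAL -p 9000 \
#     --x509certfile=$PKI_DIR/server-cert.pem --x509keyfile=$PKI_DIR/server-key.pem
#   gnutls-cli --priority=NORMAL -p 9000 --x509cafile=$PKI_DIR/ca-cert.pem localhost
if [ -n "${PKI_DIR:-}" ]; then
  make_pki "$PKI_DIR"
  verify_pki "$PKI_DIR" && echo "server-cert.pem verifies against ca-cert.pem"
fi
```

The "Set static Diffie-Hellman parameters, consider --dhparams." line in the transcript means gnutls-serv fell back to its built-in DH group; for anything beyond a local test, generate your own with `certtool --generate-dh-params --outfile dh.pem` and pass `--dhparams dh.pem` to gnutls-serv.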