[SBR] How to create a 2048 Bit CSR/DER/PFX/ Certificate Chain from OpenSSL

Article ID: KB28672    KB Last Updated: 05 Mar 2017    Version: 2.0
Summary:

This article describes how to do the following:

  1. Create a 2048 Bit CA Server

  2. Create a 2048 Bit CSR

  3. Create a DER 2048 Certificate for SBR Server

  4. Convert the Server CA and SBR Cert to PFX

  5. Create a Client CSR

  6. Create a CRT from CSR

  7. Create a PFX from Client CRT and Server CA
Symptoms:
 
Cause:
 
Solution:

Process for Windows

====================================================================================

For Windows download the package from http://slproweb.com/products/Win32OpenSSL.html.

Next, install it and add the C:\(Installed Directory) directory to %PATH%.

C:\>cd (Installed Directory)
C:\(Installed Directory)>md certs
C:\(Installed Directory)>cd certs
C:\(Installed Directory)\certs>md democa
C:\(Installed Directory)\certs>md democa\newcerts
C:\(Installed Directory)\certs>edit democa\index.txt
C:\(Installed Directory)\certs>edit democa\serial

In the editor, place 01 in the serial file, then save and exit.

===================================================================================================

1. Create a 2048 Bit CA Server

Generate the CA server key as follows:

C:\OPENSS~1\certs>openssl genrsa -out ca.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..................................................................+++
...............................................+++
e is 65537 (0x10001)
Next, use the key above to create the server CA certificate:

C:\OPENSS~1\certs>openssl req -new -x509 -days 1000 -key ca.key -out DemoCA/CACert.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Juniper Networks
Organizational Unit Name (eg, section) []:UAC SBR TEAM
Common Name (e.g. server FQDN or YOUR name) []:UAC SBR Team LAB
Email Address []:admin@juniper.net

Copy CACert.pem to CACert.der for SBR.

2. Create a 2048 Bit CSR

Create the SBR CSR as follows:

C:\OPENSS~1\certs>openssl req -new -newkey rsa:2048 -nodes -out Client_SBR_server.csr -keyout Client_SBR_Server.key -subj "/C=IN/ST=TN/L=Chennai/O=ClientCompany/OU=ClientUnit/CN=ClientSBRServer"
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...............................................................................+++
..............+++
writing new private key to 'Client_SBR_Server.key'


3. Create a DER 2048 Certificate for SBR Server

Create a DER Certificate for the SBR Server as follows:

C:\OPENSS~1\certs>openssl ca -in Client_SBR_server.csr -out Client_SBR_server.der -keyfile ca.key
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 24 19:49:42 2013 GMT
Not After : Dec 24 19:49:42 2014 GMT
Subject:
countryName = IN
stateOrProvinceName = TN
organizationName = ClientCompany
organizationalUnitName = ClientUnit
commonName = ClientSBRServer
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B2:E9:90:2F:29:19:5B:2B:81:5D:5D:C0:06:4D:89:52:56:A1:8D:DA
X509v3 Authority Key Identifier:
keyid:05:1C:C3:21:03:96:24:B7:4A:CC:48:08:2D:58:DF:8D:F9:D9:15:B8

Certificate is to be certified until Dec 24 19:49:42 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Convert the Server CA and SBR Cert to PFX

Convert the PEM certificate file and private key to PKCS#12 (.pfx, .p12) for the SBR server.

C:\OPENSS~1\certs>openssl pkcs12 -export -out SBRCertPFX.pfx -inkey Client_SBR_Server.key -in Client_SBR_server.der -certfile democa\CACert.pem
Loading 'screen' into random state - done
Enter Export Password:1234567 (the characters are not echoed while you type)
Verifying - Enter Export Password:1234567 (Note that, as tested in the lab, the PFX does not work if the password is longer than seven characters.)

Import the SBRCertPFX.pfx to SBR Server.

===================================================================================

How to create a 2048-bit certificate for the client PC signed by the OpenSSL CA.

5. Create a Client CSR

Create a CSR for the client:

C:\OpenSSL-Win32\Certs>openssl req -new -newkey rsa:2048 -nodes -out ClientPC.csr -keyout ClientPC.key -subj "/C=IN/ST=TN/L=Chennai/O=ClientCompany/OU=ClientUnit/CN=ClientPC"

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............+++
...........+++
writing new private key to 'ClientPC.key'
-----

6. Create a CRT from CSR

Create a CRT from CSR:

C:\OpenSSL-Win32\Certs>openssl ca -in ClientPC.csr -out ClientPC.crt -keyfile ca.key
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Dec 24 21:12:38 2013 GMT
Not After : Dec 24 21:12:38 2014 GMT
Subject:
countryName = IN
stateOrProvinceName = TN
organizationName = ClientCompany
organizationalUnitName = ClientUnit
commonName = ClientPC
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:14:2C:20:6E:A7:14:47:0A:1B:C5:08:83:33:AF:F7:3F:2E:D2:CA
X509v3 Authority Key Identifier:
keyid:98:5B:9F:5E:DE:20:41:9E:D1:EE:B4:5A:E6:F2:E8:E5:15:B2:83:28

Certificate is to be certified until Dec 24 21:12:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Create a PFX from Client CRT and Server CA

Create a PFX from the CRT and private key, together with the CA certificate:

C:\OpenSSL-Win32\Certs>openssl pkcs12 -export -out ClientCertPFX.pfx -inkey ClientPC.key -in ClientPC.crt -certfile democa\CACert.pem
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
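The server flow of steps 1 to 4, and by the same commands the client flow of steps 5 to 7, as one non-interactive script added here (not the article's own commands): it drives `openssl ca` from a small config file that mirrors the democa layout instead of the default openssl.cfg, and it converts the CA certificate to DER with `openssl x509 -outform DER` rather than copying the .pem file. It assumes the openssl CLI is on PATH and a work directory without spaces; file names and the seven-character export password follow the article.

```shell
# Added example, not the article's own commands: steps 1-4 (CA key/cert, SBR CSR, signed cert,
# PFX) run non-interactively with a minimal `openssl ca` config. Assumes openssl on PATH and a
# work dir without spaces; file names and the 7-character password follow the article.
set -eu

write_ca_config() {  # $1 = work dir; mirrors the democa/ layout the article prepares by hand
  mkdir -p "$1/democa/newcerts" && : > "$1/democa/index.txt" && echo 01 > "$1/democa/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = democa
[ democa ]
dir = $1/democa
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/CACert.pem
private_key = $1/ca.key
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
build_chain() {  # $1 = work dir; CA key, self-signed CA cert, SBR CSR, signed cert, PFX
  write_ca_config "$1"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1000 -key "$1/ca.key" -out "$1/democa/CACert.pem" \
    -subj "/C=IN/ST=TN/L=Chennai/O=Juniper Networks/OU=UAC SBR TEAM/CN=UAC SBR Team LAB"
  openssl x509 -in "$1/democa/CACert.pem" -outform DER -out "$1/democa/CACert.der"  # real DER, not a renamed PEM
  openssl req -new -newkey rsa:2048 -nodes -out "$1/Client_SBR_server.csr" -keyout "$1/Client_SBR_Server.key" \
    -subj "/C=IN/ST=TN/L=Chennai/O=ClientCompany/OU=ClientUnit/CN=ClientSBRServer" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/Client_SBR_server.csr" -out "$1/Client_SBR_server.crt" 2>/dev/null
  openssl pkcs12 -export -out "$1/SBRCertPFX.pfx" -inkey "$1/Client_SBR_Server.key" \
    -in "$1/Client_SBR_server.crt" -certfile "$1/democa/CACert.pem" -passout pass:1234567  # 7 chars, see step 4
}
verify_chain() {  # $1 = work dir; succeeds only if the cert chains to the CA and the PFX opens
  openssl verify -CAfile "$1/democa/CACert.pem" "$1/Client_SBR_server.crt" >/dev/null &&
    openssl pkcs12 -in "$1/SBRCertPFX.pfx" -passin pass:1234567 -nokeys -noout
}
```

Run it as `build_chain /tmp/sbrcerts && verify_chain /tmp/sbrcerts`; for the ClientPC certificate of steps 5 to 7, repeat the CSR, ca and pkcs12 lines with the ClientPC file names against the same democa directory.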