In order to generate and submit the request you will need to know:

  • your name
  • your email address at apache dot org

Once you have these items, you will need to:

  1. Generate your request
  2. Send your request to xxxinsert correct people here
  3. Gain group privileges from the PMCs
  4. Save and convert the certificate that is sent to you
  5. Use your certificate!

What follows are detailed instructions for all steps in this process.

Generating your Certificate Request

Using OpenSSL with the ASF Configuration file

To make life easier there is an openssl.cnf file available that contains all the defaults required to generate an ASF certificate request. To use this file:

  1. Download the openssl.cnf file
  2. Generate the request using the following openssl command.
    openssl req -config openssl.cnf -new -newkey rsa -keyout <keyfile> -out <csr>

NB: If you don't want to use the modified configuration file, then instructions for using the default configuration can be found below under "Using OpenSSL with your default configuration".

NB: Please include the '@apache.org' on your email address.

Once complete, go to Step 2

Completing the request should be straightforward. You will be asked for a passphrase.

Example

In this example the request will be generated in the bloggs.csr file, which is what should be emailed to your PMC.

test> openssl req -config openssl.cnf -new -newkey rsa -keyout bloggs.key -out bloggs.csr
Generating a 2048 bit RSA private key
.............................................................+++
...+++
writing new private key to 'bloggs.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Your name as shown in clas.txt []:Jo Bloggs
Your email address @apache.org []:bloggs@apache.org

Send Request to

Once the request has been generated (in the openssl example it will be contained in the file <csr>), forward it to xxx so that they can verify your details and pass it on to the CA for your certificate to be issued.

Your PMCs Approve You

Each PMC now has to assign you to the relevant groups for your commit privileges. This may result in you being sent multiple certificates, but only the latest one is valid. If you don't have access to a given resource then you should ask the PMC responsible to grant you access.

Save & Convert your Certificate

Once the certificate has been created it will be emailed to you as an attachment with a .pem extension. Once you have received it you will first need to verify that it is correct. This should be done BEFORE it is imported!

openssl x509 -noout -text -in <pemfile>

Once you have checked that all details on the certificate are correct (see Sample Verification Output below) it may be imported and used.

Once you are happy that all is well with the certificate you have received, you need to convert it into the correct format for Subversion (and web browsers) so that it may be used. This is required because the certificate you receive will be in PEM format, but most applications require certificates to be presented in PKCS#12 format. This step must be done by you once you receive the generated certificate, as it requires access to the private key you used to generate the request: the ASF CA has no access to that key, nor does it wish to encourage unsafe practices by suggesting that it be transmitted!

This is done with the following command:

test> openssl pkcs12 -export -in <pemfile> -inkey <keyfile> -name "ASF Certificate" -out <p12file>

Where,

  • pemfile is the certificate file you are sent by the ASF CA
  • keyfile is the key you generated when creating the certificate request above
  • p12file is the final PKCS#12 output file, usually suffixed with .p12

You will be prompted for the pass phrase that you entered when creating the key and then asked for an Export Password.

Example

test> openssl pkcs12 -export -in bloggs@apache.org-cert.pem -inkey keyfile -name "ASF Certificate" -out asf.p12
Enter pass phrase for keyfile:
Enter Export Password:
verifying - Enter Export Password:
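The -text listing above is checked by eye; before running the export it is worth checking mechanically that the certificate actually contains the public key of the key you generated, that its subject carries your @apache.org address, and that it is a current end-entity certificate. The POSIX shell functions below are an added example, not part of the ASF instructions; they assume only the openssl command line tool and the RSA key and file names used on this page.

```shell
#!/bin/sh
# Added example (not from the ASF page): check the certificate the CA returns
# against the key that produced the CSR, then build the .p12 only if it passes.
# Assumes the openssl command line tool and an RSA key as generated above.

# 0 if the public key inside the certificate equals the private key's public
# half. PASSIN is an optional OpenSSL -passin spec (e.g. file:/path/to/pw);
# without it openssl prompts for the key pass phrase as usual.
cert_matches_key() {            # cert_matches_key <pemfile> <keyfile> [passin]
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    if [ -n "$3" ]; then
        key_pub=$(openssl rsa -pubout -in "$2" -passin "$3" 2>/dev/null) || return 1
    else
        key_pub=$(openssl rsa -pubout -in "$2" 2>/dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the subject's emailAddress is exactly the expected @apache.org address
# (RFC2253 output is comma separated, so a longer address cannot slip through).
cert_has_email() {              # cert_has_email <pemfile> <email>
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/^subject= *//' |
        grep -qE "(^|,)emailAddress=$2(,|\$)"
}

# 0 if the certificate is an end-entity cert (CA:FALSE) that has not expired.
cert_is_usable_client_cert() {  # cert_is_usable_client_cert <pemfile>
    openssl x509 -noout -text -in "$1" | grep -q 'CA:FALSE' &&
        openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Run all checks, report each failure on stderr, return 0 only if all pass.
check_cert() {                  # check_cert <pemfile> <keyfile> <email> [passin]
    rc=0
    cert_matches_key "$1" "$2" "$4" || { echo "public key does not match $2" >&2; rc=1; }
    cert_has_email "$1" "$3"        || { echo "subject email is not $3" >&2; rc=1; }
    cert_is_usable_client_cert "$1" || { echo "not a current end-entity certificate" >&2; rc=1; }
    return $rc
}

# The page's pkcs12 command, run only once check_cert is satisfied.
export_p12() {                  # export_p12 <pemfile> <keyfile> <email> <p12file> [passin]
    check_cert "$1" "$2" "$3" "$5" || return 1
    if [ -n "$5" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -passin "$5" -name "ASF Certificate" -out "$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -name "ASF Certificate" -out "$4"
    fi
}
```

For the files from the example above you would run `export_p12 bloggs@apache.org-cert.pem bloggs.key bloggs@apache.org asf.p12`, and a certificate issued against someone else's request fails the public key check before anything is exported.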

Use your Certificate

Once you've done all the above you're ready to start using your certificate!

For more information, please see Using your certificate.

Using OpenSSL with your default configuration

openssl genrsa -aes256 -out <keyfile> <length>
openssl req -new -key <keyfile> -out <csr>

Where,

  • length is the length of the key (this should always be a value of 2048 or greater)
  • keyfile is the name of the keyfile to be generated
  • csr is the filename that should be sent to the CA as a request.

Once complete, jump to the second step.

Completing the request will require some additional information and a passphrase.

Information Requested          Entry required
-----------------------------  ----------------------------------------------------------
Enter pass phrase for keyfile  A suitably secure passphrase. This should
                                 • be a phrase rather than a single word
                                 • use both alphabetic and numeric characters
                                 • not be something you normally use, nor something others
                                   could guess
Country Name                   Normally defaults to 'AU', which is for Australia. Please
                               use 'US'.
State or Province Name         This will be ignored and the default can be accepted.
Locality Name                  This will be ignored and the default can be accepted.
Organization Name              The Apache Software Foundation
Organizational Unit Name       Leave blank.
Common Name                    Your name as it's known to the ASF. Please don't use
                               nicknames.
Email address                  Your email address at apache dot org (include the
                               '@apache.org').
A challenge password           Leave this blank.
An optional company name       Leave this blank.

Example

test> openssl genrsa -aes256 -out keyfile 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for keyfile:
Verifying - Enter pass phrase for keyfile:
test> openssl req -new -key keyfile -out asf.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Apache Software Foundation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Jo Bloggs
Email Address []:bloggs@apache.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sample Verification Output

test> openssl x509 -noout -text -in bloggs@apache.org-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, O=Apache Software Foundation, OU=CA, CN=ASF Test CA 5/9/2004/emailAddress=ben@apache.org
        Validity
            Not Before: Oct  6 16:52:39 2004 GMT
            Not After : Oct  6 16:52:39 2005 GMT
        Subject: C=US, O=The Apache Software Foundation, OU=httpd, CN=Jo Bloggs/emailAddress=bloggs@apache.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c1:f4:df:28:9f:d5:2c:2e:5d:72:23:d3:d8:14:
                    3c:c1:50:dd:3d:e7:cb:d3:43:ee:31:c2:ad:0c:58:
                    1c:76:0d:85:05:dd:c5:3e:09:b4:31:11:39:f7:d7:
                    a4:a1:2f:ac:a6:f0:99:04:d9:09:f7:61:b4:d2:5e:
                    f3:eb:55:0f:2d:ed:87:b5:e0:be:25:80:6b:2a:b8:
                    63:b9:d4:2e:da:4b:f2:19:05:bb:45:de:03:f0:da:
                    b0:c6:8e:23:9e:4c:83:a8:ca:09:49:7f:7f:e3:f5:
                    aa:49:53:0b:d7:ac:09:ad:1c:41:a7:6f:eb:98:64:
                    55:f3:5d:cd:d7:31:8e:00:c9:81:53:e1:d6:de:05:
                    a0:3c:89:07:33:3c:a4:a0:ec:c6:d5:74:b2:14:1e:
                    cb:92:aa:ec:33:71:ab:8f:de:5b:d9:9b:8f:e6:ed:
                    64:81:17:d1:4f:a6:e7:7f:26:6d:ae:c1:6e:5a:ed:
                    f2:95:e9:f3:69:02:28:f5:4c:88:9b:68:b0:3b:53:
                    58:7e:49:38:3f:26:ac:98:fe:d8:7a:76:bd:4a:b3:
                    4a:e6:85:8a:02:86:ca:10:fe:e1:3a:48:01:2b:34:
                    43:c7:81:cc:8f:d1:62:ff:4c:7e:b0:39:fe:6b:6f:
                    54:8c:4c:42:20:44:ac:24:73:06:b1:a5:4f:83:0c:
                    b6:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                65:91:54:6A:D2:A4:94:13:73:B2:A6:E9:47:62:A5:4E:6A:E9:81:3F
            X509v3 Authority Key Identifier:
                keyid:62:5D:C7:21:6C:4D:EC:45:0C:5B:96:E5:27:B0:99:28:2B:A6:57:BA
                DirName:/C=GB/O=Apache Software Foundation/OU=CA/CN=ASF Test CA 5/9/2004/emailAddress=ben@apache.org
                serial:00

            X509v3 Issuer Alternative Name:
                email:ben@apache.org
            X509v3 Subject Alternative Name:
                email:bloggs@apache.org
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        a3:77:61:aa:54:b5:4e:93:f6:cb:e0:71:2d:fd:1a:cb:7f:cc:
        5d:d2:a6:97:30:e5:cc:76:46:ae:ab:e1:c9:bb:e2:22:7a:80:
        0e:39:85:7a:fc:b3:90:39:18:cd:3a:12:b7:46:a8:70:85:d1:
        ac:f6:ee:c6:3a:2a:35:71:43:01:f5:3c:53:6c:be:51:73:92:
        36:54:1d:42:1e:6e:ef:42:b8:0a:55:02:08:7e:d1:0c:2e:d5:
        8a:72:00:04:c1:20:87:4e:7d:7b:61:c4:7d:45:35:56:56:0e:
        ea:95:16:4b:33:e4:47:7c:ca:18:ff:d6:23:f9:d3:f9:12:74:
        b8:15