Signing the Certificate Signing Request
After you create the CSR (sae.csr), you need to have the request signed by a certificate authority. After this step, you will have two files:
- sae.crt—Public certificate for the SAE server.
- ca.pem—Public certificate of the certificate authority that performs the signing.
There are two ways to have the sae.csr signed:
- Send the sae.csr to VeriSign, Inc. for signing (http://www.verisign.com). VeriSign authenticates you and returns a public certificate (sae.crt), signed by them, that authenticates your public key. VeriSign also sends their public certificate in a file named ca.pem.
- Create a certificate authority, and use it to sign the server certificate.
To create a certificate authority and sign the server certificate for the SAE:
- Create a private key for the certificate authority.
  openssl genrsa -out ca.key <number-of-bits>
- Create a self-signed certificate.
  openssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj <DN>
  Replace <DN> with the distinguished name that identifies your HTTPS server. Do not use the "#" character in DNs.
For example, if XYM Corp in Canada has an HTTPS server with a hostname of ssp1.domain.org, then the DN might be:
/CN=ssp1.domain.org/O=XYM/C=CA
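The procedure above carried through to a signed sae.crt and a chain check, as an added example that is not part of the original page. The `openssl x509 -req` signing step, the CA subject name, the 2048-bit key size, the function names and the stand-in sae.csr are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a private CA, sign sae.csr with it, then verify the result.
set -eu

CA_DN='/CN=Example Test CA/O=XYM/C=CA'    # constructed CA subject (assumption)
SRV_DN='/CN=ssp1.domain.org/O=XYM/C=CA'   # server DN from the page's example

# make_ca_and_sign DIR BITS: leaves ca.key, ca.pem and sae.crt in DIR.
make_ca_and_sign() {
    (
        cd "$1" &&
        umask 077 &&    # files created here are readable by the owner only
        # Stand-in for the sae.csr created earlier; generated only if absent.
        { [ -f sae.csr ] || openssl req -new -newkey "rsa:$2" -nodes \
              -keyout sae.key -out sae.csr -subj "$SRV_DN"; } &&
        # Steps from the page: CA private key, then self-signed CA certificate.
        openssl genrsa -out ca.key "$2" &&
        openssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj "$CA_DN" &&
        # Assumed signing step: issue sae.crt from the CSR with the CA key.
        openssl x509 -req -in sae.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 365 -sha256 -out sae.crt &&
        # Check: sae.crt must chain to ca.pem before either file is deployed.
        openssl verify -CAfile ca.pem sae.crt
    )
}

# cert_field FILE -subject|-issuer: print one name field of a certificate.
cert_field() {
    openssl x509 -in "$1" -noout "$2"
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_ca_and_sign "$work" 2048
cert_field "$work/sae.crt" -issuer
cert_field "$work/sae.crt" -subject
rm -rf "$work"
```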