OpenSSL: Create and Sign a Certificate on Mac [El Capitan]

Since I started in IT and networking, I have found that many things are easier to do on a Mac than on any other OS. Still, credit where credit is due: Windows is doing a fantastic job with its new OS, but I still prefer the Mac ;).

This post is based on a page a colleague at work referred me to, on Cisco VCS Expressway configuration:

http://pandaeatsbamboo.blogspot.com/2014/06/collaboration-edge-expressway-step-by.html

@gnowynnad does a really good job of explaining the whole process of configuring VCS Expressway for MRA, and also of explaining how to use OpenSSL to create your certificates.

This is what worked for me, and I wanted to share it:

CREATE DIRECTORIES
mkdir demoCA
cd demoCA
mkdir certs
mkdir newcerts
mkdir private
touch index.txt
echo 10 > serial
 
Copy /System/Library/OpenSSL/openssl.cnf to the demoCA directory and rename it openssl_local.cnf.
 
Modify openssl_local.cnf in the [CA_default] section:
Uncomment "copy_extensions = copy" (remove the # at the beginning of the line).
Change "policy = policy_match" to "policy = policy_anything".
Change "dir = ./demoCA" to "dir = ." (the commands below are run from inside demoCA).
Change "default_days = 365" to "default_days = 3650".
Generate the CA private key:
openssl genrsa -aes256 -out private/cakey.pem 4096
 
Generate CA cert:
openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cnf -sha1 -extensions v3_ca -out cacert.pem
 
Create a new certificate from a CSR (save the CSR in the root of the demoCA folder). Run one command per CSR, changing the CSR file name and the output certificate name to match each server:
openssl ca -config openssl_local.cnf -cert cacert.pem -keyfile private/cakey.pem -in vcsc.csr -out certs/vcsc.pem -md sha1
openssl ca -config openssl_local.cnf -cert cacert.pem -keyfile private/cakey.pem -in vcse.csr -out certs/vcse.pem -md sha1
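The steps above, from the directory layout and the four config edits through signing and checking a CSR, as one script. This is an added example, not the post's own commands and not anything from @gnowynnad's page: it assumes an openssl binary on PATH, ships a constructed minimal openssl.cnf in place of the system copy so it runs anywhere, and uses made-up subjects, hostnames (vcsc.example.lab) and a demo passphrase. It departs from the post in two places, both deliberate: it signs with SHA-256 because SHA-1 certificate signatures are rejected by current browsers and by OpenSSL 3 at its default security level, and it uses 2048-bit keys to keep the run short. The last function does the checks worth running before the output goes anywhere; in particular, copy_extensions = copy carries the SAN list from the Expressway CSR into the certificate, and the script shows that the usr_cert section's basicConstraints = CA:FALSE still wins over a CSR that asks for CA:TRUE, which is why that line must stay in the extension section whenever copy_extensions is on.

```shell
#!/bin/sh
# Added example (not the post's own commands): the whole procedure as one
# script. It builds a throw-away test CA in a temporary directory, signs a
# constructed CSR and checks the result. Assumes an `openssl` binary on PATH;
# subjects, hostnames and the passphrase are made up for the demo.
set -eu

# Constructed stand-in for the stock openssl.cnf: only the sections the post's
# commands need, carrying the four "before" values the post tells you to edit.
# vcsc_req is the extension request our constructed CSR will carry.
write_base_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
x509_extensions = usr_cert
# copy_extensions = copy
policy          = policy_match
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ vcsc_req ]
subjectAltName = DNS:vcsc.example.lab, DNS:vcsc
basicConstraints = CA:TRUE
EOF
}

# The four [CA_default] edits from the post, applied with sed to a copy so the
# original stays untouched. $1 = source config, $2 = patched copy.
patch_ca_config() {
  sed -e 's/^#[[:space:]]*\(copy_extensions[[:space:]]*=[[:space:]]*copy\)/\1/' \
      -e 's/^\(policy[[:space:]]*=[[:space:]]*\)policy_match/\1policy_anything/' \
      -e 's|^\(dir[[:space:]]*=[[:space:]]*\)\./demoCA|\1.|' \
      -e 's/^\(default_days[[:space:]]*=[[:space:]]*\)365/\13650/' "$1" > "$2"
}

# Lays out the post's demoCA tree in $1, then runs the post's key, CA-cert and
# signing steps (SHA-256 instead of the post's SHA-1; 2048-bit keys to keep
# the demo quick where the post uses 4096).
build_test_ca() {
  mkdir -p "$1"
  write_base_config "$1/openssl.cnf"
  patch_ca_config "$1/openssl.cnf" "$1/openssl_local.cnf"
  (
    cd "$1"
    mkdir -p certs newcerts private
    touch index.txt
    echo 10 > serial
    openssl genrsa -aes256 -passout pass:demo-ca-pass -out private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key private/cakey.pem -passin pass:demo-ca-pass \
      -config openssl_local.cnf -sha256 -extensions v3_ca \
      -subj "/C=US/O=Example Lab/CN=Example Lab Test CA" -out cacert.pem
    # Constructed CSR standing in for the Expressway-C one. It carries the SAN
    # list that copy_extensions exists to preserve, and also asks for CA:TRUE to
    # show that the usr_cert section in the config wins over the request.
    openssl req -new -newkey rsa:2048 -nodes -keyout private/vcsc.key \
      -config openssl_local.cnf -reqexts vcsc_req \
      -subj "/CN=vcsc.example.lab" -out vcsc.csr 2>/dev/null
    openssl ca -batch -notext -config openssl_local.cnf -cert cacert.pem \
      -keyfile private/cakey.pem -passin pass:demo-ca-pass \
      -in vcsc.csr -out certs/vcsc.pem -md sha256 2>/dev/null
  )
}

# Checks worth running before loading the result anywhere: the leaf chains to
# the CA, kept its SANs, and did not become a CA although the CSR asked for it.
verify_leaf() {
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/vcsc.pem" >/dev/null || return 1
  leaf_text=$(openssl x509 -in "$1/certs/vcsc.pem" -noout -text)
  printf '%s\n' "$leaf_text" | grep -q 'DNS:vcsc.example.lab' || return 1
  printf '%s\n' "$leaf_text" | grep -q 'CA:FALSE' || return 1
  ! printf '%s\n' "$leaf_text" | grep -q 'CA:TRUE'
}

WORK=$(mktemp -d)
build_test_ca "$WORK"
verify_leaf "$WORK"
echo "test CA built in $WORK; certs/vcsc.pem verified against cacert.pem"
```

To use it against a real Expressway CSR, drop the constructed CSR step, copy the server's .csr into the work directory and point the openssl ca line at it; the patched config and the verify_leaf checks stay the same. The "dir = ." edit is what ties the config to the current directory, so, as in the post, the openssl ca command only works when run from inside the CA directory.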
Creating these certificates and signing them yourself for testing helps you move faster when implementing these types of projects. Sometimes clients delay the purchase of a public certificate, and the deployment is delayed with it.
Certificates can be a daunting task if you do not have a good understanding of how they work. If you are interested in learning more, start with this link:
https://en.wikipedia.org/wiki/Public_key_infrastructure
In case you are looking for how to get OpenSSL working on your Windows machine, here are good links to use:
https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html
https://www.youtube.com/watch?v=H8GxM9ApkYc

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, and for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook
