Create an SSL Certificate

About this task

How to create an SSL certificate for the BVQ Server

Applies to

All Versions and Systems

Procedure

On Linux with openssl tools installed

Step 1: Prepare the needed information

Information                                          Example
BVQ Server Hostname                                  bvq-server
BVQ Server DNS name(s)                               bvq-server.sva.de
Password for key encryption                          keypassword
DNS address of your Certification Authority Server   ca-server.example.com
Name of your Certification Authority                 Name-of-CA

Step 1: Create an openssl key/certificate .ini file for your BVQ Server

Create the .ini file in the folder /etc/pki/tls/certs/, e.g. with vi:

    vi /etc/pki/tls/certs/bvq-server.ini

Insert the following text:

Example openssl config (.ini) file

    [ req ]
    default_bits = 4096
    default_md = sha256
    prompt = no
    encrypt_key = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    x509_extensions = v3_ca

    [ req_distinguished_name ]
    C = DE
    ST = Hessen
    L = Wiesbaden
    O = SVA GmbH
    OU = IT-Administration / Monitoring
    CN = 10.10.10.10
    emailAddress = bvq@sva.de

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [ v3_ca ]
    basicConstraints = critical,CA:TRUE
    keyUsage = digitalSignature, cRLSign, keyCertSign
    subjectAltName = @alt_names

    [ alt_names ]
    IP.1 = 10.10.10.10


Important

In addition to adapting the .ini to your environment, it may be necessary to add DNS names to the [ alt_names ] section, for example:

    [ alt_names ]
    IP.1 = 10.10.10.10
    DNS.1 = example.com
    DNS.2 = www.example.com
    DNS.3 = subdomain.example.com

Step 2: Generate the openssl key and certificate request

  1. Use the openssl command to generate the key and certificate request file.
     When prompted, enter the password to encrypt your key (<PASWD> / "Private Key Password").

    openssl command for key generation

    [root@bvqdemo certs]# openssl req -newkey rsa:4096 -sha256 -days 365 -nodes \
        -out /etc/pki/tls/certs/bvq-server.csr \
        -keyout /etc/pki/tls/private/bvq-server.key \
        -config /etc/pki/tls/certs/bvq-server.ini -passin stdin
    Ignoring -days; not generating a certificate
    <PASWD>
    Generating a RSA private key
    ..........++++
    ..............................................................++++
    writing new private key to '/etc/pki/tls/private/bvq-server.key'



  2. Two new files should now appear:

    Resulting files of a successful openssl certificate generation
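The .ini from Step 1 and the Important note both come down to the [ alt_names ] section: clients match the host name against subjectAltName, so every DNS name and IP address from the Step 1 table has to end up there. The following Python script is an added example, not part of the original page or of the BVQ product: it writes a config in the same layout as the page's .ini from the Step 1 information and then checks the result for the mistakes that quietly produce an unusable request (a CN that is not repeated in the SAN list, no SAN entries at all, a key shorter than 2048 bits, or CA:TRUE in the request extensions). The function names (build_openssl_config, parse_openssl_config, check_config) and the check list are this example's own choices; the subject fields are copied from the page's example and are only placeholders.

```python
"""Build and sanity-check an OpenSSL request config (.ini) for a server.

Added example, not part of the original page: the layout ([ req ],
[ req_distinguished_name ], [ v3_req ], [ v3_ca ], [ alt_names ]) mirrors the
page's .ini; function names and the check list are this example's own choices.
"""
from __future__ import annotations

import ipaddress

# Subject fields copied from the page's example .ini; replace with your own.
DEFAULT_SUBJECT = {
    "C": "DE", "ST": "Hessen", "L": "Wiesbaden", "O": "SVA GmbH",
    "OU": "IT-Administration / Monitoring", "emailAddress": "bvq@sva.de",
}


def build_openssl_config(common_name: str, san_entries: list[str],
                         subject: dict[str, str] = DEFAULT_SUBJECT,
                         bits: int = 4096) -> str:
    """Return the .ini text with DNS.n / IP.n lines built from san_entries.

    The common name is added to the SAN list when missing: browsers and Java
    clients match the host name against subjectAltName, not against CN.
    """
    names = list(san_entries)
    if common_name not in names:
        names.append(common_name)
    dns, ips = [], []
    for name in names:
        try:                       # an entry that parses as an address is IP.n
            ipaddress.ip_address(name)
            ips.append(name)
        except ValueError:         # everything else is a DNS.n entry
            dns.append(name)
    lines = ["[ req ]", f"default_bits = {bits}", "default_md = sha256",
             "prompt = no", "encrypt_key = no",
             "distinguished_name = req_distinguished_name",
             "req_extensions = v3_req", "x509_extensions = v3_ca", "",
             "[ req_distinguished_name ]"]
    lines += [f"{k} = {v}" for k, v in subject.items()]
    lines += [f"CN = {common_name}", "",
              "[ v3_req ]", "basicConstraints = CA:FALSE",
              "keyUsage = digitalSignature, keyEncipherment",
              "extendedKeyUsage = serverAuth", "subjectAltName = @alt_names", "",
              "[ v3_ca ]", "basicConstraints = critical,CA:TRUE",
              "keyUsage = digitalSignature, cRLSign, keyCertSign",
              "subjectAltName = @alt_names", "",
              "[ alt_names ]"]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(dns, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join(lines) + "\n"


def parse_openssl_config(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for OpenSSL's '[ section ]' and 'key = value' syntax."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_config(text: str) -> list[str]:
    """Return findings for a request config; an empty list means it looks sane."""
    cfg = parse_openssl_config(text)
    req = cfg.get("req", {})
    dn = cfg.get("req_distinguished_name", {})
    findings = []
    if int(req.get("default_bits", "0")) < 2048:
        findings.append("weak_key: default_bits below 2048")
    # Only the section named by req_extensions ends up in the CSR;
    # x509_extensions is used solely when -x509 (self-signing) is given.
    ext_name = req.get("req_extensions", "")
    ext = cfg.get(ext_name, {})
    if "CA:TRUE" in ext.get("basicConstraints", "").upper():
        findings.append(f"csr_requests_ca: {ext_name} sets CA:TRUE")
    san_ref = ext.get("subjectAltName", "")
    san_values = set(cfg.get(san_ref[1:], {}).values()) if san_ref.startswith("@") else set()
    if not san_values:
        findings.append("missing_san: no subjectAltName entries in the request")
    elif dn.get("CN") and dn["CN"] not in san_values:
        findings.append(f"cn_not_in_san: CN {dn['CN']} is absent from alt_names")
    return findings


if __name__ == "__main__":
    # Values taken from the page's Step 1 table; constructed demo input.
    ini = build_openssl_config("bvq-server.sva.de", ["10.10.10.10"])
    print(ini)
    print("findings:", check_config(ini) or "none")
```

Write the returned text to /etc/pki/tls/certs/bvq-server.ini and run the Step 2 command unchanged. Two points worth knowing when reading the result: encrypt_key = no in the .ini and -nodes on the command line both tell OpenSSL to write the private key unencrypted, so the key file on disk is not protected by the password typed on stdin and should be readable by root only; and the [ v3_ca ] section is applied only when -x509 is given, where its critical,CA:TRUE would turn a self-signed certificate into a CA certificate, which is why check_config only inspects the section named by req_extensions.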



Step 3: Copy the files to your BVQ Server

File                       Example
Private Key file           bvq-server.key
Certificate request file   bvq-server.csr



Example copy session with MS PowerShell

Step 4: Submit the certificate request on your Windows BVQ Server

Use the Windows command certreq to request a certificate from your Certification Authority server. The exact command depends on the PKI/CA in use; its components are explained in the table "Certificate Signing Request (CSR) Submission in Windows" at the end of this page.

certreq command for .pem file generation

The bvq-server.crt certificate file should appear in the current directory.

Step 5: Run the BVQ Server Installer

Now you should have these elements prepared:

Element                        Example
Private key file               bvq-server.key
CRT Certificate file           bvq-server.crt
Password for key encryption    keypassword

Insert all of these in the related fields of the BVQ Server installer dialogue (see step 8 in the Installation guide).

Command explanation and additional information

Self Sign your own .csr


OpenSSL Command Components (command part and its meaning)

openssl
    Command to invoke the OpenSSL toolkit, used for a wide range of cryptography tasks.

req
    Stands for "PKCS#10 certificate request and certificate generating utility", used to create CSRs or self-signed certificates.

-newkey rsa:4096
    Creates a new RSA key of 4096 bits in length.

-x509
    Generates a self-signed certificate instead of a certificate signing request.

-sha256
    Uses SHA-256 as the hash algorithm for the signature.

-days 365
    Sets the validity period of the certificate to 365 days.

-nodes
    Creates a private key without password protection.

-out
    Specifies the filename and path where the certificate or CSR will be saved.

-keyout
    Specifies the filename and path for the private key.

-config
    Specifies the path to the configuration file containing additional options.

-passin
    Specifies how the password for accessing the private key or other encrypted data is entered.


.ini Configuration Details (configuration entry and its meaning)

[ req ]
    A section in the configuration file containing general settings for the certificate request.

default_bits
    The length of the key to generate, in bits.

default_md
    The default hash algorithm for the signature.

prompt
    Controls whether OpenSSL should ask interactively for the DN (Distinguished Name) fields.

encrypt_key
    Specifies whether the private key should be encrypted.

[ req_distinguished_name ]
    A section defining the DN fields for the certificate request.

C, ST, L, O, OU, CN, emailAddress
    Fields of the Distinguished Name specifying the country, state/province, locality, organization, organizational unit, common name, and email address.

[ v3_req ], [ v3_ca ]
    Sections defining specific extensions for certificates.

basicConstraints
    Defines whether a certificate can act as a CA (Certificate Authority). CA:TRUE allows it, CA:FALSE disallows it. critical,CA:TRUE indicates the certificate can act as a CA and the constraint is critical.

keyUsage
    Specifies the purposes the key can be used for, such as digital signatures, key encipherment, etc.

extendedKeyUsage
    Specifies extended purposes like server authentication (serverAuth).

subjectAltName
    Allows specifying alternative names for the subject, including DNS names and IP addresses.

[ alt_names ]
    A section listing alternative names under which the server is accessible.

Certificate Signing Request (CSR) Submission in Windows (command part and its meaning)

certreq -submit
    Command-line tool in Windows used for certificate requests, with the switch to submit the CSR.

-config "ca-server.example.com\Name-of-CA"
    Specifies the path to the CA where the CSR is submitted. The path consists of the CA server name and the CA name itself, separated by a backslash.

-attrib CertificateTemplate:EXAMPLE-SSLCERTIFICATE
    Specifies additional attributes for the request. Here, a certificate template attribute indicates which template the CA should use to create the certificate.

".\bvq-server.csr" ".\bvq-server.crt"
    The first path is the location of your CSR file, and the second path is where the signed certificate will be saved.