Signing the certificate is optional. Sign it if you do not want to distribute every certificate to each system and want to distribute only the CA certificate instead. For the Deep Discovery Email Inspector certificate to be trusted through the CA, sign the Deep Discovery Email Inspector certificate request with the CA private key (/tmp/root_key.pem). Before doing this, set up the OpenSSL environment for the CA:
In the OpenSSL configuration file (/etc/pki/tls/openssl.cnf), find the definition of the dir parameter in the [ CA_default ] section and change it to /etc/pki/CA:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
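Create the CA database file and the serial number file:
# touch /etc/pki/CA/index.txt
# echo "01" > /etc/pki/CA/serial
Sign the certificate request with the CA key:
# openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/ddei_req.pem -out /tmp/ddei_cert.pem -outdir /tmp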
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /tmp/root_key.pem:Trend
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 22 09:35:52 2010 GMT
            Not After : Oct 22 09:35:52 2011 GMT
        Subject:
            countryName = DE
            stateOrProvinceName = Bavaria
            organizationName = Trend Micro
            organizationalUnitName = Global Training
            commonName = ddei.course.test
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
            X509v3 Subject Key Identifier:
                82:15:B8:84:9C:40:8C:AB:33:EE:A4:BA:9C:2E:F6:7E:C0:DC:E8:1C
            X509v3 Authority Key Identifier:
                keyid:5B:B4:06:4D:8D:12:D0:B3:36:A7:6B:3A:FD:F2:C8:83:4A:DD:AA:BD
Certificate is to be certified until Oct 22 09:35:52 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#
The output file (/tmp/ddei_cert.pem) contains the Deep Discovery Email Inspector certificate signed by the CA. You need to distribute this file to all servers and clients communicating with Deep Discovery Email Inspector.
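The CA setup steps above can be checked before openssl ca is run. The following shell script is an added example, not part of the product documentation. Its function names and return codes are assumptions of this example, and it assumes the default openssl.cnf layout in which the database is $dir/index.txt and the serial file is $dir/serial.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight checks for
# the CA setup described above. Function names and return codes are this
# example's own; it assumes the stock layout where openssl.cnf points the
# database at $dir/index.txt and the serial file at $dir/serial.

# Print the value of "dir" from the [ CA_default ] section of an openssl.cnf.
ca_dir_from_cnf() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[[ \t]*CA_default[ \t]*\]/); next }
        in_sec && /^[ \t]*dir[ \t]*=/ {
            sub(/[#].*/, "")            # drop the trailing comment
            sub(/^[^=]*=[ \t]*/, "")    # drop the key and the equals sign
            sub(/[ \t]+$/, "")          # drop trailing blanks
            print; exit
        }' "$1"
}

# Return 0 when "openssl ca" would find a usable database under the CA dir.
ca_preflight() {
    dir=$(ca_dir_from_cnf "$1")
    [ -n "$dir" ] || { echo "no dir in [ CA_default ]" >&2; return 2; }
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 3; }
    [ -f "$dir/index.txt" ] || { echo "$dir/index.txt missing" >&2; return 4; }
    # The serial file must hold an even number of hex digits ("01", not "1").
    serial=$(cat "$dir/serial" 2>/dev/null)
    case $serial in
        ''|*[!0-9A-Fa-f]*) echo "$dir/serial missing or not hex" >&2; return 5 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || { echo "odd-length serial" >&2; return 5; }
}

# Return 0 when the CA key file grants no access to group or others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh ca_preflight.sh /etc/pki/tls/openssl.cnf /tmp/root_key.pem
if [ $# -eq 2 ]; then
    ca_preflight "$1" && echo "CA database OK"
    key_is_private "$2" || echo "warning: $2 is readable by group/others" >&2
fi
```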