Certificate Authority Directory Structure

CA Directory

| File | Description |
| --- | --- |
| `CERT_ROOT_DIRECTORY/CA` | Directory for the CA files. |
| `CERT_ROOT_DIRECTORY/CA/ca.crt` | The CA root public key in PEM format. This is used to create truststore files or can be imported in web browsers to establish trust for certificates signed by this CA. |
| `CERT_ROOT_DIRECTORY/CA/index.txt` | A bookkeeping file used by OpenSSL. |
| `CERT_ROOT_DIRECTORY/CA/index.txt.attr` | A bookkeeping file used by OpenSSL. |
| `CERT_ROOT_DIRECTORY/CA/serial` | A bookkeeping file used by OpenSSL. |
| `CERT_ROOT_DIRECTORY/CA/private/ca.key` | The CA root private key in PEM format. This is used to sign certificates. |

For example:
./create-ca.sh password
1 file(s) copied.
1 file(s) copied.
Generating a RSA private key
...+++++
.....................................................................+++++
writing new private key to '.fta-ca\CA\private\ca.key'
-----
Successfully processed 1 files; Failed processing 0 files
Successfully processed 1 files; Failed processing 0 files
Successfully processed 0 files; Failed processing 0 files
.fta-ca\CA\private\ca.key NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
Successfully processed 1 files; Failed processing 0 files
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0d:63:97:b9:e0:8f:bb:b7:61:7c:ca:b8:7b:b9:48:9e:ac:2d:c2:fe
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Priva
Validity
Not Before: Dec 18 12:38:38 2018 GMT
Not After : Dec 15 12:38:38 2028 GMT
Subject: C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Priv
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
5B:BE:C9:9C:A2:CB:E7:DB:A6:56:3D:6D:DA:21:E2:26:2C:D4:AE:93
X509v3 Authority Key Identifier:
keyid:5B:BE:C9:9C:A2:CB:E7:DB:A6:56:3D:6D:DA:21:E2:26:2C:D4:AE:93
DirName:/C=US/ST=CA/L=San Jose/O=Acme Widgets/CN=FactoryTalk Analytics Private CA
serial:0D:63:97:B9:E0:8F:BB:B7:61:7C:CA:B8:7B:B9:48:9E:AC:2D:C2:FE
X509v3 Key Usage:
Certificate Sign, CRL Sign
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name: critical
DNS:acme-widgets.com
Signature Algorithm: sha256WithRSAEncryption
subject=C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Private CA
issuer=C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Private CA
Sign Certificate

| File | Description |
| --- | --- |
| `CERT_ROOT_DIRECTORY/certs/fta_truststore.jks` | A Java truststore file containing the public root certificate for the CA. This is created once. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.crt` | The public key for the host in PEM format. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.csr` | The certificate signing request (CSR) for the host's certificate. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.jks` | The Java keystore containing the host's private key. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.key` | The host's private key. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.p12` | The host's private key in PKCS 12 format. This file is used to create the Java keystore. |
| `CERT_ROOT_DIRECTORY/certs/host-fqdn.pem` | The certificate chain for the host certificate in PEM format. It is the concatenation of the root public key for the CA and the public key for the host certificate. |

For example:
./create-certificate.sh host1.acme-widgets.com password kpassword tpassword
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................+++++
..........................................................+++++
e is 65537 (0x010001)
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'CA'
localityName :ASN.1 12:'San Jose'
organizationName :ASN.1 12:'Acme Widgets'
commonName :ASN.1 12:'acme-widgets.com'
Certificate is to be certified until Dec 17 13:08:37 2020 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
.fta-ca\certs\host1.acme-widgets.com.crt
.fta-ca\CA\ca.crt
.fta-ca\CA\ca.crt
1 file(s) copied.
Certificate was added to keystore
[Storing .fta-ca\certs\fta_truststore.jks]
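
A post-run check for the layout described in the two tables, as an added example that is not part of the product documentation or its scripts: it confirms the expected files exist, that the distributable files (`ca.crt` and the host `.crt`, `.csr`, `.pem`) contain no private key blocks, and that the chain `.pem` holds exactly the CA and host certificates. The function names and the constructed sample tree with placeholder PEM bodies are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# File layout from the two tables on this page.
SHARED_FILES = ["CA/ca.crt", "CA/index.txt", "CA/index.txt.attr", "CA/serial",
                "CA/private/ca.key", "certs/fta_truststore.jks"]
HOST_EXTS = ["crt", "csr", "jks", "key", "p12", "pem"]
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(path):
    """Return (label, whitespace-free base64 body) for each PEM block."""
    text = path.read_text(errors="replace")
    return [(lbl, "".join(body.split())) for lbl, body in PEM_RE.findall(text)]

def audit(root, host):
    """Return findings for one host under CERT_ROOT_DIRECTORY."""
    root = Path(root)
    expected = SHARED_FILES + [f"certs/{host}.{e}" for e in HOST_EXTS]
    findings = [f"missing: {r}" for r in expected if not (root / r).is_file()]
    # Files meant to be distributed must not carry private key blocks.
    public = ["CA/ca.crt"] + [f"certs/{host}.{e}" for e in ("crt", "csr", "pem")]
    blocks = {r: pem_blocks(root / r) for r in public if (root / r).is_file()}
    findings += [f"private key in public file: {r}" for r, found in blocks.items()
                 if any("PRIVATE KEY" in lbl for lbl, _ in found)]
    # The chain file must hold exactly the CA and host certificates, in any order.
    certs = {r: sorted(b for lbl, b in found if lbl == "CERTIFICATE")
             for r, found in blocks.items()}
    chain = certs.get(f"certs/{host}.pem")
    parts = certs.get("CA/ca.crt", []) + certs.get(f"certs/{host}.crt", [])
    if chain is not None and chain != sorted(parts):
        findings.append("chain file is not CA certificate + host certificate")
    return findings

def demo(leak_key=False, host="host1.acme-widgets.com"):
    """Audit a constructed tree; PEM bodies are placeholders, not real data."""
    def pem(label, body):
        return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    files = dict.fromkeys(SHARED_FILES + [f"certs/{host}.{e}" for e in HOST_EXTS], "")
    files["CA/ca.crt"] = pem("CERTIFICATE", "Q09OU1RSVUNURUQtQ0E=")
    files[f"certs/{host}.crt"] = pem("CERTIFICATE", "Q09OU1RSVUNURUQtSE9TVA==")
    files[f"certs/{host}.pem"] = files["CA/ca.crt"] + files[f"certs/{host}.crt"]
    if leak_key:
        files[f"certs/{host}.pem"] += pem("RSA PRIVATE KEY", "Q09OU1RSVUNURUQtS0VZ")
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(text)
        return audit(tmp, host)
```

Against a real tree, call `audit(CERT_ROOT_DIRECTORY, "host-fqdn")` after the scripts have run; an empty list means no findings.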