Generating Certificates with OpenSSL

From GFIPM Implementation Wiki
Revision as of 18:17, 13 September 2012 by Jeff.Krug (Talk | contribs)


To generate a self-signed certificate that conforms to the NIEF Certificate Policy, use the following command:

 $ openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout NEW_SERVER_KEY.key -out NEW_SERVER_CERT.crt

The above ensures that the RSA key is 2048 bits and that the certificate is signed with SHA-256; the OpenSSL defaults for these two settings (on the OpenSSL releases current when this page was written) are weaker than what the NIEF Certificate Policy requires, so do not omit them. Note that -nodes writes the private key to disk unencrypted, so restrict access to the key file, and that -days 1826 gives the certificate a five-year validity period. You will also be prompted for the Distinguished Name fields, which should be filled out correctly for your organization. An example follows:

 writing new private key to 'NEW_SERVER_KEY.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:GA
 Locality Name (eg, city) [Newbury]:Atlanta
 Organization Name (eg, company) [My Company Ltd]:CISAnet
 Organizational Unit Name (eg, section) []:Identity Provider
 Common Name (eg, your name or your server's hostname) []:idp.cisanet.net
 Email Address []:support@cisanet.net

Finally, while GFIPM and NIEF have not formally adopted a requirement that signing certificates and encryption certificates be different, the Federal PKI does require it, so it is highly recommended (and may become a GFIPM and/or NIEF requirement in the future). Accordingly, all IDPs and SPs are asked to submit two separate certificates, one for signing and one for encryption, with their federation metadata. To produce them, run the command above twice with different -keyout and -out file names; each run generates its own key pair, so the two certificates carry different public keys.
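The following shell script is an added example and is not part of the GFIPM wiki page. It runs the page's command non-interactively (the DN values from the transcript above are passed with -subj instead of being typed at the prompts), generates the separate signing and encryption pairs requested above, and then checks each result against the two policy requirements the page names: a 2048-bit (or larger) RSA key and a SHA-256 signature. It also confirms that the key file actually matches the certificate. It assumes the openssl CLI is on PATH; the file names, the WORKDIR variable and the function names are illustrative choices, not NIEF-mandated values.

```shell
#!/bin/sh
# Added example: non-interactive certificate generation plus a policy check.
# Assumes the openssl CLI is on PATH. File names, WORKDIR and the function
# names are assumptions made for this example.

set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_cert NAME DAYS BITS
# Writes $WORKDIR/NAME.key and $WORKDIR/NAME.crt. This is the page's command
# with -subj supplying the DN so no prompts appear. -nodes leaves the key
# unencrypted, so the key file is made readable by its owner only.
gen_cert() {
    name="$1"; days="$2"; bits="$3"
    openssl req -x509 -sha256 -nodes -days "$days" -newkey "rsa:$bits" \
        -subj "/C=US/ST=GA/L=Atlanta/O=CISAnet/OU=Identity Provider/CN=idp.cisanet.net/emailAddress=support@cisanet.net" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
    chmod 600 "$WORKDIR/$name.key"
}

# check_cert NAME
# Returns 0 if $WORKDIR/NAME.crt has an RSA key of at least 2048 bits, is
# signed with sha256WithRSAEncryption, and matches $WORKDIR/NAME.key;
# returns 1 otherwise.
check_cert() {
    crt="$WORKDIR/$1.crt"; key="$WORKDIR/$1.key"
    text=$(openssl x509 -in "$crt" -noout -text)

    # Signature algorithm line, e.g. "Signature Algorithm: sha256WithRSAEncryption"
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1

    # Public key size, e.g. "Public-Key: (2048 bit)" (older releases print
    # "RSA Public-Key: (2048 bit)"; the pattern accepts both)
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || return 1

    # Key/certificate pairing: compare the SubjectPublicKeyInfo derived from
    # the private key with the one embedded in the certificate.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    return 0
}

# pubkey_of NAME
# Prints the PEM public key of $WORKDIR/NAME.crt, used to confirm that the
# signing and encryption certificates do not share a key.
pubkey_of() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -pubkey
}
```

Source the script and call gen_cert signing 1826 2048 followed by gen_cert encryption 1826 2048; check_cert should return 0 for both. Generating a certificate with rsa:1024 and running check_cert on it returns 1, which is the case the page warns about when the key-size flag is left at an older default.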