Generating Certificates with OpenSSL
To generate a self-signed certificate that conforms to the NIEF Certificate Policy, use the following command:
$ openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout NEW_SERVER_KEY.key -out NEW_SERVER_CERT.crt
The above ensures that the RSA key is 2048 bits and that the certificate is signed with SHA-256; the defaults for these two settings vary by OpenSSL version and are not guaranteed to meet the requirements of the NIEF Certificate Policy, so specify them explicitly. The -days 1826 value gives a validity period of approximately five years. Note that -nodes writes the private key to disk unencrypted, so restrict its file permissions and store it accordingly. You will also be prompted for a set of information that should be properly filled out for your organization. An example follows:
writing new private key to 'NEW_SERVER_KEY.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:GA
Locality Name (eg, city) [Newbury]:Atlanta
Organization Name (eg, company) [My Company Ltd]:CISAnet
Organizational Unit Name (eg, section) []:Identity Provider
Common Name (eg, your name or your server's hostname) []:idp.cisanet.net
Email Address []:support@cisanet.net
Finally, while GFIPM and NIEF have not formally adopted a requirement that signing certificates and encryption certificates be distinct, this is a requirement of the Federal PKI and as such is highly recommended (and may become a GFIPM and/or NIEF requirement in the future). It is therefore requested that all IDPs and SPs submit two separate certificates, one for signing and one for encryption, with their federation metadata.
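As an added, non-interactive example (not from the NIEF page and not NIEF's own tooling), the following POSIX shell script generates the two certificates requested above using the same parameters as the command earlier on this page, then checks that each resulting certificate actually carries a 2048-bit RSA key and a SHA-256 signature, that each private key matches its certificate, and that the two certificates use different key pairs. The -subj DN values repeat the example prompt answers; the file names idp-signing and idp-encryption, the temporary working directory, and the parsing of openssl x509 -text output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the NIEF page): generate a signing certificate and a
# separate encryption certificate non-interactively with the parameters from
# the command above, then verify that each certificate actually meets them.
# Subject DN values are the example prompt answers; file names, the temp
# directory and the -text parsing are assumptions of this example.
set -e

# gen_cert NAME SUBJECT [DAYS]: writes NAME.key (unencrypted, because of -nodes)
# and NAME.crt. -subj replaces the interactive DN prompts.
gen_cert() {
    name="$1"; subj="$2"; days="${3:-1826}"
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$name.key" -out "$name.crt" -subj "$subj" 2>/dev/null
    chmod 600 "$name.key"   # the key is on disk in the clear; lock it down
}

# check_cert CERT: succeeds only if the public key is RSA of at least 2048 bits
# and the certificate signature algorithm is sha256WithRSAEncryption.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] && [ "$alg" = "sha256WithRSAEncryption" ]
}

# key_matches_cert KEY CERT: succeeds if the private key and the certificate
# share the same RSA modulus, i.e. the key really belongs to that certificate.
key_matches_cert() {
    kmod=$(openssl rsa -in "$1" -noout -modulus)
    cmod=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# distinct_certs A B: succeeds if the two certificates use different key pairs,
# which is what submitting separate signing and encryption certificates implies.
distinct_certs() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" != "$(openssl x509 -in "$2" -noout -modulus)" ]
}

workdir=$(mktemp -d)
cd "$workdir"
# Example DN (assumption): the same values shown in the prompt walkthrough.
dn="/C=US/ST=GA/L=Atlanta/O=CISAnet/OU=Identity Provider/CN=idp.cisanet.net/emailAddress=support@cisanet.net"

gen_cert idp-signing "$dn"
gen_cert idp-encryption "$dn"

for n in idp-signing idp-encryption; do
    check_cert "$n.crt"
    key_matches_cert "$n.key" "$n.crt"
    openssl x509 -in "$n.crt" -noout -subject -dates
done
distinct_certs idp-signing.crt idp-encryption.crt
echo "both certificates generated in $workdir and verified"
```

Because set -e is in effect, the script stops with a non-zero exit at the first certificate that fails a check, which makes it usable as a gate before submitting certificates with federation metadata. The checks parse the human-readable -text output, so they depend on OpenSSL's current wording of the "Public-Key" and "Signature Algorithm" lines.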