Create Your Own Root CA (Certificate Authority)

Subject: Create Your Own Root CA (Certificate Authority)
Author: authen
In response to: Preparations
Posted on: 09/11/2015 11:48:32 PM

Step 1. Create your CA's private key

C:\OpenSSL64>openssl genrsa -des3 -out myCA\rootCA\ca-private-key.pem 2048

Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.....................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>

The private key is in 2048 bits and placed in file 'cakey.pem' which is encrypted in des3 with your input passphrase. Keep this file in a safe place like a floppy disk. Here is what the key looks like:

Step 2. Generate your CA's certificate (public key)

C:\OpenSSL64>openssl req -new -x509 -key myCA\rootCA\ca-private-key.pem 
 -out myCA\rootCA\cacert.pem -days 3650 
 -config myCA\rootCA\rootca.conf -extensions root_ca_ext

Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>

Step 3. Sign your CA's certificate

Notice that a root CA's certificate is always a self-signed certificate. This step can be skipped.

Step 4. Trim your CA's certificate

C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -out myCA\rootCA\cacert.cer

Step 5. View your CA's certificate

C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            85:c6:84:81:c3:dc:ca:e6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Ro
ot CA
        Validity
            Not Before: Sep 10 01:59:57 2015 GMT
            Not After : Sep  7 01:59:57 2025 GMT
        Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple R
oot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bf:36:30:df:e6:cf:ac:06:b3:eb:f4:b7:15:f1:
                    f2:4f:cb:4e:3e:3c:1f:f6:09:4b:31:b4:c4:32:12:
                    a2:2e:98:38:36:4e:e9:06:99:38:2e:ff:14:a4:fb:
                    7e:d9:e8:ee:be:6b:a8:83:fd:57:6a:55:b0:66:5f:
                    28:a7:63:ec:7b:b3:fa:37:f6:3d:06:af:9a:86:24:
                    ca:0e:f8:d3:eb:a6:5f:d4:74:4c:fd:4f:c4:7e:4c:
                    a9:ee:8f:65:33:fc:86:73:02:9c:3f:f5:09:c1:54:
                    4f:4e:3f:cc:83:3b:81:45:04:18:20:23:ec:5e:67:
                    27:2d:9b:1a:f6:30:59:6b:c5:b4:74:99:35:72:65:
                    43:86:1b:e5:7f:41:f5:46:e1:51:61:c8:86:b4:af:
                    64:79:70:12:9c:0a:e2:9a:27:c7:f6:af:0c:76:1a:
                    93:91:43:50:12:4a:b8:a4:2e:cf:e7:99:1f:7b:db:
                    ee:ae:0d:92:7e:9b:14:3c:87:80:44:e1:39:b0:db:
                    8e:74:43:39:eb:0b:b2:f6:24:ef:e3:d5:8e:a5:a7:
                    c5:b1:aa:17:f3:c1:3b:5a:69:cf:5b:b6:45:dc:1b:
                    73:6f:21:b2:c2:55:22:5f:a7:c6:55:c1:30:87:f2:
                    c8:a4:1e:f2:a4:97:eb:b1:a0:d6:53:fd:ca:74:c7:
                    c6:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
            X509v3 Authority Key Identifier:
                keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B
8

    Signature Algorithm: sha1WithRSAEncryption
        26:ba:a0:c6:93:74:d9:c3:1c:21:75:18:0e:5f:ca:74:9f:77:
        fe:77:08:ba:69:f5:4b:14:c2:07:94:9f:26:cc:e8:81:ef:b0:
        a1:6d:bd:89:51:4a:ca:54:58:38:18:d2:01:03:43:aa:a4:7b:
        89:ec:73:30:da:21:41:a5:70:cd:50:f7:a4:2d:bc:ad:94:eb:
        98:50:d2:a8:07:50:70:0a:77:d3:af:f1:8e:9e:9c:5d:06:d1:
        2a:54:67:cb:e9:d0:9b:ea:67:3a:e4:2c:d3:87:09:c4:0d:a6:
        5d:de:27:71:a6:cd:b0:5e:a4:48:62:73:0b:6d:11:38:93:d6:
        2b:17:6d:f4:6d:f5:0e:dd:c3:3d:05:20:63:6d:27:6c:db:c6:
        47:81:0d:9e:b6:ec:d4:a5:cc:97:a2:31:e0:3f:90:df:b8:40:
        98:95:54:94:33:c4:86:e1:c1:38:c0:a5:f3:d9:78:d2:39:15:
        24:55:7f:de:d9:19:f5:d8:3c:b0:45:90:91:1f:84:6f:4a:d8:
        4c:91:2c:89:81:1a:c1:2e:59:cd:27:77:95:b8:ef:69:51:2f:
        d9:68:04:78:c4:3f:b0:cf:0e:77:7a:54:3d:9e:ae:7d:9b:84:
        72:7d:02:98:f3:f8:4c:60:eb:57:ba:6c:90:b7:9c:d9:d2:12:
        30:bf:e1:cf

>
> On 09/11/2015 11:04:29 PM authen wrote:

Follow this examples:

http://pki-tutorial.readthedocs.org/en/latest/simple/

Download the following configuration files

rootCA.conf -- used for Root CA req and ca[b/]
interCA.conf -- used for Signing CA req and ca[b/]
email.conf -- used for user's certificate req

server.conf -- used for server's certificate req

The windows version of the above files used in this thread are as follows:

rootCA.conf
# Simple Root CA # The [default] section contains global constants that can be referred to from # the entire configuration file. It may also hold settings pertaining to more # than one openssl command. [ default ] ca = rootCA # CA name dir = . # Top dir # The next part of the configuration file is used by the openssl req command. # It defines the CA's key pair, its DN, and the desired extensions for the CA # certificate. [ req ] default_bits = 2048 # RSA key size encrypt_key = yes # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = no # Don't prompt for DN distinguished_name = ca_dn # DN section req_extensions = ca_reqext # Desired extensions [ ca_dn ] 0.domainComponent = "org" 1.domainComponent = "simple" organizationName = "Simple Inc" organizationalUnitName = "Simple Root CA" commonName = "Simple Root CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:true subjectKeyIdentifier = hash # The remainder of the configuration file is used by the openssl ca command. # The CA section defines the locations of CA assets, as well as the policies # applying to the CA. [ ca ] default_ca = root_ca # The default CA section [ root_ca ] certificate = $dir/myCA/$ca.crt # The CA cert private_key = $dir/myCA/$ca/$ca.key # CA private key new_certs_dir = $dir/myCA/$ca # Certificate archive serial = $dir/myCA/$ca/$ca.srl # Serial number file crlnumber = $dir/myCA/$ca/$ca.crl # CRL number file database = $dir/myCA/$ca/$ca.db # Index file unique_subject = no # Require unique subject default_days = 3652 # How long to certify for default_md = sha1 # MD to use policy = match_pol # Default naming policy email_in_dn = no # Add email to cert DN preserve = no # Keep passed DN ordering name_opt = ca_default # Subject DN display options cert_opt = ca_default # Certificate display options copy_extensions = none # Copy extensions from CSR x509_extensions = signing_ca_ext # Default cert extensions default_crl_days = 365 # How long before next CRL crl_extensions = crl_ext # CRL extensions # Naming policies control which parts of a DN end up in the certificate and # under what circumstances certification should be denied. [ match_pol ] domainComponent = match # Must match 'simple.org' organizationName = match # Must match 'Simple Inc' organizationalUnitName = optional # Included if present commonName = supplied # Must be present [ any_pol ] domainComponent = optional countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional # Certificate extensions define what types of certificates the CA is able to # create. [ root_ca_ext ] keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ signing_ca_ext ] keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:true,pathlen:0 subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always # CRL extensions exist solely to point to the CA certificate that has issued # the CRL. [ crl_ext ] authorityKeyIdentifier = keyid:always

interCA.conf
# Simple Signing CA # The [default] section contains global constants that can be referred to from # the entire configuration file. It may also hold settings pertaining to more # than one openssl command. [ default ] ca = interCA # CA name dir = . # Top dir # The next part of the configuration file is used by the openssl req command. # It defines the CA's key pair, its DN, and the desired extensions for the CA # certificate. [ req ] default_bits = 2048 # RSA key size encrypt_key = yes # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = no # Don't prompt for DN distinguished_name = ca_dn # DN section req_extensions = ca_reqext # Desired extensions [ ca_dn ] 0.domainComponent = "org" 1.domainComponent = "simple" organizationName = "Simple Inc" organizationalUnitName = "Simple Signing CA" commonName = "Simple Signing CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:true,pathlen:0 subjectKeyIdentifier = hash # The remainder of the configuration file is used by the openssl ca command. # The CA section defines the locations of CA assets, as well as the policies # applying to the CA. [ ca ] default_ca = signing_ca # The default CA section [ signing_ca ] certificate = $dir/myCA/$ca.crt # The CA cert private_key = $dir/myCA/$ca/$ca.key # CA private key new_certs_dir = $dir/myCA/$ca # Certificate archive serial = $dir/myCA/$ca/$ca.srl # Serial number file crlnumber = $dir/myCA/$ca/$ca.crl # CRL number file database = $dir/myCA/$ca/$ca.db # Index file unique_subject = no # Require unique subject default_days = 730 # How long to certify for default_md = sha1 # MD to use policy = match_pol # Default naming policy email_in_dn = no # Add email to cert DN preserve = no # Keep passed DN ordering name_opt = ca_default # Subject DN display options cert_opt = ca_default # Certificate display options copy_extensions = copy # Copy extensions from CSR x509_extensions = email_ext # Default cert extensions default_crl_days = 7 # How long before next CRL crl_extensions = crl_ext # CRL extensions # Naming policies control which parts of a DN end up in the certificate and # under what circumstances certification should be denied. [ match_pol ] domainComponent = match # Must match 'simple.org' organizationName = match # Must match 'Simple Inc' organizationalUnitName = optional # Included if present commonName = supplied # Must be present [ any_pol ] domainComponent = optional countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional # Certificate extensions define what types of certificates the CA is able to # create. [ email_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false extendedKeyUsage = emailProtection,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always [ server_ext ] keyUsage = critical,digitalSignature,keyEncipherment basicConstraints = CA:false extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always # CRL extensions exist solely to point to the CA certificate that has issued # the CRL. [ crl_ext ] authorityKeyIdentifier = keyid:always

email.conf
# Email certificate request # This file is used by the openssl req command. Since we cannot know the DN in # advance the user is prompted for DN information. [ req ] default_bits = 2048 # RSA key size encrypt_key = yes # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = yes # Prompt for DN distinguished_name = email_dn # DN template req_extensions = email_reqext # Desired extensions [ email_dn ] 0.domainComponent = "1. Domain Component (eg, com) " 1.domainComponent = "2. Domain Component (eg, company) " 2.domainComponent = "3. Domain Component (eg, pki) " organizationName = "4. Organization Name (eg, company) " organizationalUnitName = "5. Organizational Unit Name (eg, section) " commonName = "6. Common Name (eg, full name)" commonName_max = 64 emailAddress = "7. Email Address (eg, name@fqdn)" emailAddress_max = 40 [ email_reqext ] keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = emailProtection,clientAuth subjectKeyIdentifier = hash subjectAltName = email:move

server.conf
# TLS server certificate request # This file is used by the openssl req command. The subjectAltName cannot be # prompted for and must be specified in the SAN environment variable. [ default ] SAN = DNS:yourdomain.tld # Default value [ req ] default_bits = 2048 # RSA key size encrypt_key = no # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings prompt = yes # Prompt for DN distinguished_name = server_dn # DN template req_extensions = server_reqext # Desired extensions [ server_dn ] 0.domainComponent = "1. Domain Component (eg, com) " 1.domainComponent = "2. Domain Component (eg, company) " 2.domainComponent = "3. Domain Component (eg, pki) " organizationName = "4. Organization Name (eg, company) " organizationalUnitName = "5. Organizational Unit Name (eg, section) " commonName = "6. Common Name (eg, FQDN) " commonName_max = 64 [ server_reqext ] keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash #subjectAltName = $ENV::SAN

References:

Next Post: Create Your Own Signing CA (Certificate Authority)  authen  09/12/2015 12:11:36 AM

Previous Post: Preparations  authen  09/11/2015 11:04:29 PM

Next Topic: Apache Cassandra  EricJ  09/29/2015 02:23:29 AM

Previous Topic: Regular expression with examples  Alex_Raj  08/07/2015 12:55:27 AM

Index: by Date

Index: by Topic