Create Your Own Signing CA (Certificate Authority)
Subject: Create Your Own Signing CA (Certificate Authority)
Author: authen
In response to: Create Your Own Root CA (Certificate Authority)
Posted on: 09/12/2015 12:11:36 AM
Step 1. Create your signing CA's private key
C:\OpenSSL64>openssl genrsa -des3 -out myCA\interCA\ca-private-key.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.....................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Step 2. Generate your signing CA's certificate request
C:\OpenSSL64>openssl req -new -key myCA\interCA\ca-private-key.pem -out myCA\interCA\certnew.csr -config myCA\interCA\interca.conf
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Step 3. Use your root CA's private key to sign your signing CA's certificate
C:\OpenSSL64>openssl ca -in myCA\interCA\certnew.csr -out myCA\interCA\certnew.pem -keyfile myCA\rootCA\ca-private-key.pem -cert myCA\rootCA\cacert.pem -policy any_pol -config myCA\rootCA\rootca.conf -extensions signing_ca_ext
Using configuration from myCA\rootCA\rootca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 17:57:01 2015 GMT
Not After : Sep 9 17:57:01 2025 GMT
Subject:
domainComponent = org
domainComponent = simple
organizationName = Simple Inc
organizationalUnitName = Simple Signing CA
commonName = Simple Signing CA
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
X509v3 Authority Key Identifier:
keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
Certificate is to be certified until Sep 9 17:57:01 2025 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 4. Trim your signing CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -out myCA\interCA\certnew.cer
Step 5. View your signing CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
Validity
Not Before: Sep 10 17:57:01 2015 GMT
Not After : Sep 9 17:57:01 2025 GMT
Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:db:ad:85:25:cd:22:7a:9e:bf:0c:e9:f8:bf:15:
de:01:98:90:c1:91:b0:ac:1e:82:1f:2c:41:53:09:
71:2f:00:26:00:bc:93:5e:c8:33:76:f7:70:a7:08:
6e:ca:e8:33:47:5c:53:22:a8:83:96:b3:24:2c:d0:
f7:4c:1d:d4:3c:30:ed:a9:3d:55:67:51:dc:42:c6:
ad:10:76:9a:0e:b8:fe:ac:ac:63:5f:48:e2:c0:c6:
15:f0:3c:bc:f7:3b:06:2b:6f:f4:75:5a:aa:7d:c0:
6d:93:06:6d:b2:8b:f3:06:83:ff:21:91:9f:ec:bf:
81:b4:ad:80:54:7c:5e:d1:41:b5:c4:58:3f:dc:8d:
46:b3:85:d9:ec:d7:2b:80:d1:10:ce:c9:62:a1:fe:
8b:99:b9:3f:90:d1:4e:11:95:fa:5d:02:9e:03:f5:
d7:83:76:32:55:dc:a9:c8:18:47:f9:63:13:59:8b:
9e:7a:0b:0b:89:80:3a:3b:a5:87:53:d1:c6:11:fd:
e5:e5:6b:e9:6a:4d:bf:ba:86:ac:01:7b:78:1c:ca:
fa:2d:dd:25:7e:15:11:8f:fd:03:42:48:27:2a:19:
8a:44:3e:c3:97:49:9e:53:26:1f:1a:32:61:cc:b6:
83:bb:2d:9a:ee:88:a2:b1:68:a9:84:68:7f:ec:a8:
a1:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
X509v3 Authority Key Identifier:
keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
Signature Algorithm: sha1WithRSAEncryption
b9:ec:9f:70:2c:45:72:4e:67:59:9b:f8:13:6a:23:aa:6f:98:
cc:b8:1a:ea:da:2b:3a:36:c6:35:9b:1b:e0:9d:2c:42:d8:36:
54:28:21:1a:de:aa:29:7d:70:c8:0c:f6:7b:83:01:c4:6c:31:
4c:6b:99:7c:75:b4:4f:8d:0c:a9:27:37:4a:32:47:72:12:63:
7e:b0:ef:3d:3c:be:21:d3:62:a0:5f:ff:a6:43:85:08:05:d5:
fc:30:cd:dc:31:df:01:f4:3e:1f:83:7e:e0:b1:16:e5:41:2a:
00:ed:67:ed:a3:f1:26:7d:d0:e0:b3:24:37:de:6e:1e:89:1c:
cb:1e:f8:36:17:58:18:ff:ed:88:bc:29:5e:98:d6:5d:4d:27:
87:33:84:64:d5:4f:3f:7d:8e:d8:f0:7a:fc:21:45:75:9b:21:
03:b2:48:9c:3f:51:14:00:12:b6:1b:f2:af:7e:60:86:88:ea:
fd:7e:83:cf:d1:25:ab:5e:2c:8e:14:0e:67:5a:af:a7:92:da:
c4:db:dd:74:31:f0:e0:20:49:97:f5:79:40:49:bc:bb:cd:15:
e7:80:e7:2d:da:e6:7d:8c:ae:b2:27:91:e3:43:4e:cc:40:12:
65:a6:c3:13:d6:63:b0:5c:e5:7f:8d:0d:07:7a:b5:b3:d8:7b:
03:ac:84:0b
>
> On 09/11/2015 11:48:32 PM authen wrote:
Step 1. Create your CA's private key
C:\OpenSSL64>openssl genrsa -des3 -out myCA\rootCA\ca-private-key.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.....................................................+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
The private key is 2048 bits and is placed in the file 'cakey.pem', encrypted with DES3 using the passphrase you entered. Keep this file in a safe place, such as a floppy disk. Here is what the key looks like:
Step 2. Generate your CA's certificate (public key)
C:\OpenSSL64>openssl req -new -x509 -key myCA\rootCA\ca-private-key.pem -out myCA\rootCA\cacert.pem -days 3650 -config myCA\rootCA\rootca.conf -extensions root_ca_ext
Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
Step 3. Sign your CA's certificate
Notice that a root CA's certificate is always a self-signed certificate. This step can be skipped.
Step 4. Trim your CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -out myCA\rootCA\cacert.cer
Step 5. View your CA's certificate
C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
85:c6:84:81:c3:dc:ca:e6
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
Validity
Not Before: Sep 10 01:59:57 2015 GMT
Not After : Sep 7 01:59:57 2025 GMT
Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bf:36:30:df:e6:cf:ac:06:b3:eb:f4:b7:15:f1:
f2:4f:cb:4e:3e:3c:1f:f6:09:4b:31:b4:c4:32:12:
a2:2e:98:38:36:4e:e9:06:99:38:2e:ff:14:a4:fb:
7e:d9:e8:ee:be:6b:a8:83:fd:57:6a:55:b0:66:5f:
28:a7:63:ec:7b:b3:fa:37:f6:3d:06:af:9a:86:24:
ca:0e:f8:d3:eb:a6:5f:d4:74:4c:fd:4f:c4:7e:4c:
a9:ee:8f:65:33:fc:86:73:02:9c:3f:f5:09:c1:54:
4f:4e:3f:cc:83:3b:81:45:04:18:20:23:ec:5e:67:
27:2d:9b:1a:f6:30:59:6b:c5:b4:74:99:35:72:65:
43:86:1b:e5:7f:41:f5:46:e1:51:61:c8:86:b4:af:
64:79:70:12:9c:0a:e2:9a:27:c7:f6:af:0c:76:1a:
93:91:43:50:12:4a:b8:a4:2e:cf:e7:99:1f:7b:db:
ee:ae:0d:92:7e:9b:14:3c:87:80:44:e1:39:b0:db:
8e:74:43:39:eb:0b:b2:f6:24:ef:e3:d5:8e:a5:a7:
c5:b1:aa:17:f3:c1:3b:5a:69:cf:5b:b6:45:dc:1b:
73:6f:21:b2:c2:55:22:5f:a7:c6:55:c1:30:87:f2:
c8:a4:1e:f2:a4:97:eb:b1:a0:d6:53:fd:ca:74:c7:
c6:d5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
X509v3 Authority Key Identifier:
keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
Signature Algorithm: sha1WithRSAEncryption
26:ba:a0:c6:93:74:d9:c3:1c:21:75:18:0e:5f:ca:74:9f:77:
fe:77:08:ba:69:f5:4b:14:c2:07:94:9f:26:cc:e8:81:ef:b0:
a1:6d:bd:89:51:4a:ca:54:58:38:18:d2:01:03:43:aa:a4:7b:
89:ec:73:30:da:21:41:a5:70:cd:50:f7:a4:2d:bc:ad:94:eb:
98:50:d2:a8:07:50:70:0a:77:d3:af:f1:8e:9e:9c:5d:06:d1:
2a:54:67:cb:e9:d0:9b:ea:67:3a:e4:2c:d3:87:09:c4:0d:a6:
5d:de:27:71:a6:cd:b0:5e:a4:48:62:73:0b:6d:11:38:93:d6:
2b:17:6d:f4:6d:f5:0e:dd:c3:3d:05:20:63:6d:27:6c:db:c6:
47:81:0d:9e:b6:ec:d4:a5:cc:97:a2:31:e0:3f:90:df:b8:40:
98:95:54:94:33:c4:86:e1:c1:38:c0:a5:f3:d9:78:d2:39:15:
24:55:7f:de:d9:19:f5:d8:3c:b0:45:90:91:1f:84:6f:4a:d8:
4c:91:2c:89:81:1a:c1:2e:59:cd:27:77:95:b8:ef:69:51:2f:
d9:68:04:78:c4:3f:b0:cf:0e:77:7a:54:3d:9e:ae:7d:9b:84:
72:7d:02:98:f3:f8:4c:60:eb:57:ba:6c:90:b7:9c:d9:d2:12:
30:bf:e1:cf
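Added example, not part of either post in this thread: the same two-tier build (root CA, then a signing CA issued by it, as in the two posts above) done as a POSIX shell script instead of at the Windows prompt, with one reconstructed config file standing in for the rootca.conf and interca.conf the posts reference but never show. The section names root_ca_ext, signing_ca_ext and the policy any_pol are taken from the posts; the section contents are an assumption, written to reproduce the extensions visible in the certificate dumps (Key Usage keyCertSign/cRLSign, Basic Constraints CA:TRUE with pathlen:0 on the signing CA, SKI/AKI). Three deliberate differences: keys are generated unencrypted so the script runs unattended (the posts use -des3 passphrases; for a real CA use -aes256 at minimum and keep the root key offline), default_md is sha256 rather than the sha1WithRSAEncryption the 2015 dumps show, and `-notext` replaces the separate "trim" step, which only strips the human-readable dump that `openssl ca` prepends to the PEM. The script also checks something the posts do not: `openssl ca` will issue a further CA:TRUE certificate from the pathlen:0 signing CA without complaint, and only a relying party's chain validation rejects leaves under it.

```shell
#!/bin/sh
# Added example, not from the posts. Assumes `openssl` (1.1.1 or 3.x) is in PATH. The section
# names root_ca_ext, signing_ca_ext and any_pol are the posts'; their contents are an assumption,
# reconstructed from the certificate dumps, since neither rootca.conf nor interca.conf is shown.
set -eu
# Builds root -> signing CA -> server leaf, plus a "rogue" sub-CA issued by the signing CA and a
# leaf under it, all inside "$1". Runs in a subshell so cd and the CA_DIR exports do not leak.
build_two_tier_ca() (
    cd "$1"
    # One shared config; CA_DIR (exported below) selects which CA `openssl ca` acts as.
    cat > ca.conf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $ENV::CA_DIR
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/ca-private-key.pem
default_md = sha256
default_days = 3650
policy = any_pol
[ any_pol ]
domainComponent = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ root_ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ signing_ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.simple.org
EOF
    # The database layout `openssl ca` insists on, then unencrypted keys (the posts use -des3).
    for d in rootCA interCA; do mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"; done
    for k in rootCA/ca-private-key.pem interCA/ca-private-key.pem server.key rogue.key leaf2.key; do
        openssl genrsa -out "$k" 2048 2>/dev/null
    done
    # Root: self-signed, CA:TRUE with no path length limit, as in the quoted post.
    export CA_DIR="$PWD/rootCA"
    openssl req -new -x509 -key rootCA/ca-private-key.pem -out rootCA/cacert.pem -days 3650 \
        -sha256 -config ca.conf -extensions root_ca_ext \
        -subj "/DC=org/DC=simple/O=Simple Inc/OU=Simple Root CA/CN=Simple Root CA"
    # Signing CA: CSR signed by the root with signing_ca_ext (CA:TRUE, pathlen:0).
    openssl req -new -key interCA/ca-private-key.pem -out interCA/certnew.csr -config ca.conf \
        -subj "/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA"
    openssl ca -batch -notext -config ca.conf -extensions signing_ca_ext \
        -in interCA/certnew.csr -out interCA/cacert.pem 2>/dev/null
    # End-entity certificate from the signing CA: the case pathlen:0 is meant to allow.
    export CA_DIR="$PWD/interCA"
    openssl req -new -key server.key -out server.csr -config ca.conf \
        -subj "/DC=org/DC=simple/O=Simple Inc/CN=www.simple.org"
    openssl ca -batch -notext -config ca.conf -extensions server_ext -days 397 \
        -in server.csr -out server.pem 2>/dev/null
    # A further CA under the signing CA, reusing the root's extension section. `openssl ca`
    # issues it without complaint: the path length limit is enforced by verifiers, not issuers.
    openssl req -new -key rogue.key -out rogue.csr -config ca.conf \
        -subj "/DC=org/DC=simple/O=Simple Inc/OU=Rogue Sub CA/CN=Rogue Sub CA"
    openssl ca -batch -notext -config ca.conf -extensions root_ca_ext \
        -in rogue.csr -out rogue.pem 2>/dev/null
    # Leaf under the rogue CA, signed with `x509 -req` so no second ca database is needed.
    openssl req -new -key leaf2.key -out leaf2.csr -config ca.conf \
        -subj "/DC=org/DC=simple/O=Simple Inc/CN=www.simple.org"
    openssl x509 -req -in leaf2.csr -CA rogue.pem -CAkey rogue.key -CAcreateserial -days 397 \
        -sha256 -extfile ca.conf -extensions server_ext -out leaf2.pem 2>/dev/null
    cat interCA/cacert.pem rogue.pem > untrusted.pem
)
# Returns 0 when the signing CA's certificate carries CA:TRUE, pathlen:0.
signing_ca_has_pathlen0() {
    openssl x509 -in "$1/interCA/cacert.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
# Returns 0 when root -> signing CA -> server.pem validates.
good_leaf_verifies() {
    openssl verify -CAfile "$1/rootCA/cacert.pem" -untrusted "$1/interCA/cacert.pem" "$1/server.pem" >/dev/null 2>&1
}
# Returns 0 when root -> signing CA -> rogue CA -> leaf2.pem is rejected, and for the right reason.
rogue_leaf_rejected() {
    out=$(openssl verify -CAfile "$1/rootCA/cacert.pem" -untrusted "$1/untrusted.pem" "$1/leaf2.pem" 2>&1) && return 1
    echo "$out" | grep -q 'path length constraint exceeded'
}
WORK=$(mktemp -d)
build_two_tier_ca "$WORK"
signing_ca_has_pathlen0 "$WORK" || exit 1
good_leaf_verifies "$WORK" || exit 1
rogue_leaf_rejected "$WORK" || exit 1
echo "server.pem verifies; leaf2.pem (via rogue sub-CA) rejected: path length constraint exceeded"
```

The `-extensions` argument is what decides whether a CSR becomes an intermediate or a leaf, so treat the signing CA's ca.conf and the operator's access to it with the same care as the key: the CSR itself carries no authority. Note too that the rogue sub-CA's own certificate would pass `openssl verify` on its own, because pathlen:0 constrains the certificates that may follow the signing CA in a chain, not the last certificate in it; the check only bites when something is issued beneath the rogue CA, which is why the script issues leaf2.pem.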