Setting up a certificate authority using openssl

Setting up your own certificate authority is easier than the openssl documentation may imply.
In this demonstration, openssl 0.9.8k was used.

  1. Create support files for the certificate authority
    $ touch ca.db.index
    $ echo "01" >ca.db.serial
    
  2. Create the openssl configuration file ca.config
    default_ca=CA_default
    [ CA_default ]
    dir=.
    certs=.
    new_certs_dir=.
    database=ca.db.index
    serial=ca.db.serial
    RANDFILE=ca.db.rand
    certificate=ca.crt
    private_key=ca.key
    default_days=365
    default_crl_days=30
    # md5 is what the original used for signing; sha256 is the usual choice today
    default_md=md5
    preserve=no
    policy=policy_anything
    x509_extensions=certificate_extensions
    [ policy_anything ]
    countryName= optional
    stateOrProvinceName= optional
    localityName= optional
    organizationName= optional
    organizationalUnitName= optional
    commonName= optional
    emailAddress= optional
    [ certificate_extensions ]
    basicConstraints=CA:false
    [ req ]
    default_bits=1024
    default_keyfile=ca.key
    default_md=sha1
    # with prompt=yes the acme_ca entries below are used as prompt labels, not as defaults
    # (a fieldName_default key, or prompt=no, would supply a value instead)
    prompt=yes
    distinguished_name=acme_ca
    x509_extensions=root_ca_extensions
    [ acme_ca ]
    commonName=ACME Root CA
    stateOrProvinceName=Rainbow
    countryName=DE
    emailAddress=info@invalid.example
    organizationalUnitName=ACME Root CA
    [ root_ca_extensions ]
    basicConstraints=CA:true
    
  3. Create the certificate authority key and certificate
    For some odd reason you cannot simply hit return to accept the default values (with prompt=yes, the acme_ca entries are shown as prompt labels rather than used as defaults); re-enter one of them.

    $ mypasswd=$(openssl rand -base64 32)   # random passphrase; "openssl passwd stdin" would only hash the literal word stdin
    $ echo "$mypasswd" >ca.key.passphrase
    $ openssl genrsa -aes256 -passout pass:$mypasswd -out ca.key 4096
    $ openssl req -sha256 -new -x509 -days 3650 -key ca.key -out ca.crt -config ca.config -passin pass:$mypasswd
    
  4. Create a certificate signing request (for our CA to sign)
    Preferably, you do this in another directory so as not to get confused.
    Enter all data as requested, with the common name (CN) being signme.com.

    $ mycn=signme.com
    $ mypasswd=$(openssl rand -base64 32)   # random passphrase, as in step 3
    $ echo "$mypasswd" >$mycn.key.passphrase
    $ openssl genrsa -aes256 -passout pass:$mypasswd -out $mycn.key 4096
    $ openssl rsa -in $mycn.key -out $mycn.key.decrypted -passin pass:$mypasswd
    $ openssl req -sha256 -new -key $mycn.key -out $mycn.csr -passin pass:$mypasswd
    
  5. Sign the certificate signing request
    Now the example certificate signing request can be signed by the newly created certificate authority.

    $ name=signme.com
    $ password=$(cat ca.key.passphrase)
    $ openssl ca -config ./ca.config -passin pass:$password -out $name.crt -infiles $name.csr
    
  6. What the heck are all these files in the CA directory
    • ca.config
      the certificate authority configuration file
    • ca.key
      the certificate authority key file
    • ca.key.passphrase
      the certificate authority key file passphrase
    • ca.crt
      the certificate authority certificate (selfsigned)
    • ca.db.index
      keeps track of which certificate signing requests you have signed
    • ca.db.index.attr
      keeps a configuration item for ca.db.index
    • ca.db.serial
      serial number iterator
    • signme.com.crt
      the signed certificate
    • signme.com.csr
      the certificate signing request
    • 01.pem
      (same as signme.com.crt, as this was the first signed certificate)
  7. Verify that the signed certificate really chains to the root certificate authority
    $ openssl verify -CAfile ca.crt signme.com.crt
    
  8. Create a certificate revocation list
    $ password=$(cat ca.key.passphrase)
    $ openssl ca -gencrl -config ./ca.config -passin pass:$password -keyfile ca.key -cert ca.crt -out ca_crl.crt
    
  9. Revoke a certificate signed by the root certificate authority
    This marks the “bad” certificate as revoked in the root certificate authority's database, so that it appears in the certificate revocation list the next time you generate it (step 8)

    $ password=$(cat ca.key.passphrase)
    $ openssl ca -config ./ca.config -passin pass:$password -revoke signme.com.crt -keyfile ca.key -cert ca.crt
    
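The whole procedure run end to end, as an added example that is not part of the original post: it uses sha256 and unencrypted keys for brevity, needs a modern openssl on PATH, and makes the point step 9 leaves implicit, namely that a revoked certificate is only rejected once step 8 is repeated and the verifier is handed the new CRL with -crl_check. The file names and the signme.example CN are made up.

```shell
# Added example, not from the original post: runs the post's procedure
# non-interactively in a scratch directory and shows that a revoked certificate
# is only rejected once a fresh CRL is generated and the verifier checks it.
set -e
WORK=$(mktemp -d) && cd "$WORK"
touch ca.db.index && echo 01 >ca.db.serial            # step 1
cat >ca.config <<'EOF'                                # step 2 (sha256 instead of md5)
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = .
database = ca.db.index
serial = ca.db.serial
certificate = ca.crt
private_key = ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_anything
x509_extensions = leaf_extensions
[ policy_anything ]
commonName = supplied
[ leaf_extensions ]
basicConstraints = CA:false
[ root_ca_extensions ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
# steps 3-5: root CA (key left unencrypted here), leaf CSR, signing
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 -config ca.config \
  -extensions root_ca_extensions -subj "/CN=ACME Root CA" -keyout ca.key -out ca.crt
openssl req -new -nodes -newkey rsa:2048 -sha256 -config ca.config \
  -subj "/CN=signme.example" -keyout leaf.key -out leaf.csr
openssl ca -batch -config ca.config -notext -out leaf.crt -infiles leaf.csr
status_of() {  # prints "valid" or "invalid"; -CAfile takes the CA cert and CRL in one file
  cat ca.crt ca_crl.pem >bundle.pem
  openssl verify -crl_check -CAfile bundle.pem "$1" >/dev/null 2>&1 && echo valid || echo invalid
}
openssl ca -batch -config ca.config -gencrl -out ca_crl.pem   # step 8
BEFORE=$(status_of leaf.crt)
openssl ca -batch -config ca.config -revoke leaf.crt          # step 9
STALE=$(status_of leaf.crt)   # old CRL still in use: the revocation is not yet visible
openssl ca -batch -config ca.config -gencrl -out ca_crl.pem   # step 8 again
AFTER=$(status_of leaf.crt)
echo "before revoke: $BEFORE; stale CRL: $STALE; fresh CRL: $AFTER"
```

Without the second -gencrl (or without -crl_check on the verifying side) the revoked certificate keeps validating, which is why step 8 has to be rerun after every step 9.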

That was it. You can now run your own certificate authority.


3 thoughts on “Setting up a certificate authority using openssl”

  1. openssl genrsa and rsa have been superseded by genpkey:

    openssl genpkey -algorithm rsa -aes-256-cbc -out $mycn.key -pkeyopt rsa_keygen_bits:2048 -pass env:mypasswd

    should be the proper replacement

    • Thank you very much for the hint! The guide was written back when openssl 0.9.8k was still the latest openssl but I hope to update the article in the future.
