01/08/13

Setting up a certificate authority using openssl | Simple Things
hexeract.wordpress.com/2009/04/16/60/

Simple Things
Ink and Incapability

Setting up a certificate authority using openssl


Setting up your own certificate authority is easier than the openssl documentation may imply. In this demonstration, openssl 0.9.8k has been used.

1. Create support files for the certificate authority

    $ touch ca.db.index
    $ echo "01" > ca.db.serial

2. Create the openssl configuration file ca.config

    # section used by "openssl ca"
    default_ca = CA_default

    [CA_default]
    dir = .
    certs = .
    new_certs_dir = .
    database = ca.db.index
    serial = ca.db.serial
    RANDFILE = ca.db.rand
    certificate = ca.crt
    private_key = ca.key
    default_days = 365
    default_crl_days = 30
    # signature digest for issued certificates and CRLs; MD5 signatures are
    # rejected by modern TLS clients, sha256 is the usual choice today
    default_md = md5
    preserve = no
    policy = policy_anything
    x509_extensions = certificate_extensions

    [policy_anything]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = optional
    emailAddress = optional

    [certificate_extensions]
    # certificates signed by this CA are end-entity certificates, not sub-CAs
    basicConstraints = CA:false

    # section used by "openssl req" when creating the self-signed root certificate
    [req]
    default_bits = 1024
    default_keyfile = ca.key
    default_md = sha1
    # with prompt = yes the entries of the acme_ca section below are shown as
    # prompt labels, not used as values; prompt = no would use them verbatim
    prompt = yes
    distinguished_name = acme_ca
    x509_extensions = root_ca_extensions

    [acme_ca]
    commonName = ACME Root CA
    stateOrProvinceName = Rainbow
    countryName = DE
    emailAddress = info@invalid.example
    organizationalUnitName = ACME Root CA

    [root_ca_extensions]
    basicConstraints = CA:true

3. Create the certificate authority key and certificate

Because the [req] section has prompt = yes and the acme_ca section carries no *_default entries, pressing return at every prompt leaves the subject empty and the request fails; type a value for at least one field. Note that pass:$mypasswd puts the passphrase on the command line, where other local users can read it from the process list; -passin and -passout also accept file:ca.key.passphrase, which avoids that.

    $ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/null | ...   [rest of the pipeline is cut off in the source]
    $ echo $mypasswd > ca.key.passphrase
    $ openssl genrsa -des3 -passout pass:$mypasswd -out ca.key 4096
    $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config ca.config

4. Create a certificate signing request (for our CA to sign)

Preferably do this in another directory, so as not to get confused. Enter all data as requested, with the common name (CN) being signme.com.

    $ mycn=signme.com
    $ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/null | ...   [rest of the pipeline is cut off in the source]
    $ echo $mypasswd > $mycn.key.passphrase
    $ openssl genrsa -des3 -passout pass:$mypasswd -out $mycn.key 1024
    $ openssl rsa -in $mycn.key -out $mycn.key.decrypted -passin pass:$mypasswd
    $ openssl req -new -key $mycn.key -out $mycn.csr -passin pass:$mypasswd

5. Sign the certificate signing request

Now the example certificate signing request can be signed by the newly created certificate authority.

    $ name=signme.com
    $ password=$(cat ca.key.passphrase)
    $ openssl ca -config ./ca.config -passin pass:$password -out $name.crt -in $name.csr

6. What the heck are all these files in the CA directory

    ca.config            the certificate authority configuration file
    ca.key               the certificate authority key file
    ca.key.passphrase    the certificate authority key file passphrase
    ca.crt               the certificate authority certificate (self-signed)
    ca.db.index          keeps track of which certificate signing requests you have signed
    ca.db.index.attr     keeps a configuration item for ca.db.index
    ca.db.serial         serial number iterator
    signme.com.crt       the signed certificate
    signme.com.csr       the certificate signing request
    01.pem               same as signme.com.crt, as this was the first signed certificate

7. Verify that the root certificate authority has actually signed the certificate signing request

    $ openssl verify -CAfile ca.crt signme.com.crt

8. Create a certificate revocation list

Without -out the CRL is written to standard output.

    $ password=$(cat ca.key.passphrase)
    $ openssl ca -gencrl -config ./ca.config -passin pass:$password -keyfile ca.key

9. Revoke a certificate signed by the root certificate authority

This will put the bad certificate into the certificate revocation list of the root certificate authority. The revocation is only recorded in ca.db.index; the CRL itself is not updated until step 8 is run again.

    $ password=$(cat ca.key.passphrase)
    $ openssl ca -config ./ca.config -passin pass:$password -revoke signme.com.crt
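The whole procedure as a non-interactive script, added here as an example and not the post's own code. It writes a ca.config in the layout of step 2 but with sha256 in place of md5 and prompt = no, leaves the keys unencrypted so no passphrase handling is needed, and finishes with the CRL check that the comment on this post asks for; it assumes an openssl binary (1.1.x or 3.x) in PATH and a POSIX shell with mktemp.

```shell
# Added example, not the post's own code: the post's steps run end to end without
# prompts, plus the CRL check the comment asks for. Assumes openssl 1.1.x/3.x in PATH.
ca_workflow() {
  work=$(mktemp -d) || return 1
  (
    set -e
    cd "$work"
    touch ca.db.index; echo "01" > ca.db.serial           # step 1: support files
    # step 2: the post's ca.config layout, but sha256 instead of md5 and prompt = no,
    # so the [acme_ca] entries are used as the subject rather than as prompt labels
    cat > ca.config <<'EOF'
default_ca = CA_default
[ CA_default ]
new_certs_dir = .
database = ca.db.index
serial = ca.db.serial
certificate = ca.crt
private_key = ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_anything
x509_extensions = certificate_extensions
[ policy_anything ]
commonName = supplied
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
prompt = no
distinguished_name = acme_ca
x509_extensions = root_ca_extensions
[ acme_ca ]
commonName = ACME Root CA
[ root_ca_extensions ]
basicConstraints = critical,CA:true
EOF
    # steps 3-5: root key and self-signed cert, leaf key and CSR, sign the CSR
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config ca.config -key ca.key -out ca.crt
    openssl genrsa -out signme.com.key 2048 2>/dev/null
    openssl req -new -config ca.config -key signme.com.key -subj /CN=signme.com -out signme.com.csr
    openssl ca -batch -config ca.config -in signme.com.csr -out signme.com.crt 2>/dev/null
    openssl verify -CAfile ca.crt signme.com.crt >/dev/null   # step 7: chain verifies
    openssl ca -batch -config ca.config -revoke signme.com.crt 2>/dev/null   # step 9
    openssl ca -batch -config ca.config -gencrl -out ca.crl 2>/dev/null      # step 8 again
    openssl verify -CAfile ca.crt signme.com.crt >/dev/null   # still OK: no CRL consulted
    ! openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl signme.com.crt >/dev/null 2>&1  # must fail now
  )
  status=$?; rm -rf "$work"; return $status
}
```

The function returns 0 only if the signed certificate verifies, the plain verify still passes after revocation, and the verify with -crl_check against the regenerated CRL rejects it.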

That was it. You can now run your own certificate authority.
1 Comment

Anonymous, 6.9.09 / 1pm
Don't forget to update your CRL after revoking a certificate in step 9 (repeat step 8).