User:Sfiggins/Self Signed CA Instructions
From Labrats.us
Jump to navigationJump to searchMake CA Directory Structure
# mkdir -p /CA/certs /CA/crl /CA/netcerts /CA/private # touch /CA/index.txt /CA/index.txt.attr /CA/serial # echo 01 > /CA/serial # echo "unique_subject = no" > /CA/index.txt.attr
Edit /CA/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/labrats_ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/labrats_ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 7300 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = match
commonName = optional
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Colorado
localityName = Locality Name (eg, city)
localityName_default = Centennial
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Labrats.us
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Labrats.us Certificate Authority
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
Create the CA Certificate
Generate the CA passphrase
It's far easier to place this into a file, so it is not easily observed in the command history. Be careful of key loggers, though.
# vi passphrase.txt
Generate the private key
# openssl genrsa -aes128 -passout file:passphrase.txt -out labrats_ca.key 2048
Copy the private key to "private"
# mv labrats_ca.key /CA/private
Create the self-signed CA certificate
# openssl req -config /CA/openssl.cnf -x509 -sha256 -new -nodes -key private/labrats_ca.key -days 7300 -out labrats_ca.pem
View the new CA certificate
# openssl x509 -in labrats_ca.pem -text -noout
Create the certificate creation/signing script
# vi /CA/new_cert.sh # chmod +x /CA/new_cert.sh
Contents of new_cert.sh:
#!/bin/sh
#
# This script makes it easy to issue new certs.
#
if [ "$1" == "" ]; then
echo "Usage $0 <certificate name>"
exit 1
fi
openssl req -nodes -newkey rsa:2048 -new -x509 -keyout /CA/certs/$1.pem -out /CA/certs/$1.pem -days 7300 -config /CA/openssl.cnf
openssl x509 -x509toreq -in /CA/certs/$1.pem -signkey /CA/certs/$1.pem -out /CA/tmp.pem -days 7300
openssl ca -config /CA/openssl.cnf -policy policy_anything -out /CA/certs/$1-cert.pem -days 7300 -infiles /CA/tmp.pem
rm -f /CA/tmp.pem
Creating new server certificates
Generating the server certificate, using the new_cert.sh script
# ./new_cert.sh newserver
Generating a 2048 bit RSA private key
....................................................................................................+++
......+++
writing new private key to 'certs/newserver.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Colorado]:
Locality Name (eg, city) [Centennial]:
Organization Name (eg, company) [Labrats.us]:
Organizational Unit Name (eg, section) [Labrats.us Certificate Authority]:
Common Name (eg, your name or your server's hostname) []:newserver.labrats.us
Email Address []:root@labrats.us
Getting request Private Key
Generating certificate request
Using configuration from openssl.cnf
Enter pass phrase for ./private/labrats_ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 28 (0x1c)
Validity
Not Before: Jun 19 16:55:02 2015 GMT
Not After : Jun 14 16:55:02 2035 GMT
Subject:
countryName = US
stateOrProvinceName = Colorado
localityName = Centennial
organizationName = Labrats.us
organizationalUnitName = labrats.us Certificate Authority
commonName = newserver.labrats.us
emailAddress = root@labrats.us
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:02:41:A9:81:65:3B:70:F3:1C:20:11:FD:F5:E5:60:EB:0B:55:CD
X509v3 Authority Key Identifier:
keyid:51:52:F1:C8:9B:E4:A6:09:35:FE:F9:35:7D:B5:A7:6E:9F:79:AF:7D
DirName:/C=US/ST=Colorado/L=Littleton/O=Labrats.us/OU=Labrats.us Certificate Authority/CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
serial:B4:82:58:46:C3:6B:D2:A1
Certificate is to be certified until Jun 14 16:55:02 2035 GMT (7300 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Validating the certificate
# ls -l /CA/certs/newserver*
-rw-r--r-- 1 root root 5460 Jun 19 10:55 /CA/certs/newserver-cert.pem
-rw-r--r-- 1 root root 3558 Jun 19 10:54 /CA/certs/newserver.pem
# openssl x509 -in /CA/certs/newserver-cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 28 (0x1c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Colorado, L=Centennial, O=Labrats.us, OU=Labrats.us Certificate Authority, CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
Validity
Not Before: Jun 19 16:55:02 2015 GMT
Not After : Jun 14 16:55:02 2035 GMT
Subject: C=US, ST=Colorado, L=Centennial, O=Labrats.us, OU=Labrats.us Certificate Authority, CN=newserver.labrats.us/emailAddress=root@labrats.us
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:de:bd:94:8c:bf:e5:9f:64:7f:2a:c1:a4:84:fc:
cd:3f:c3:71:40:fe:56:1a:05:ab:92:45:4b:d7:14:
eb:08:3a:e3:23:80:20:08:5f:4e:fe:d5:53:bd:48:
be:c3:be:64:af:7c:05:72:c5:c9:ea:05:ea:70:84:
04:d7:45:89:47:33:a2:79:9d:d0:ef:4b:45:ad:45:
8d:a5:e7:d2:97:f2:d0:e7:1a:bf:39:41:d8:6a:54:
04:cd:19:b2:fc:e8:13:c4:d6:7a:cc:75:52:b8:5a:
d2:7d:e9:5c:ab:b1:42:a0:da:04:0e:85:d7:7b:2c:
87:60:33:f5:f8:af:57:3b:69:43:95:f7:40:bf:f1:
d5:f4:72:cb:3d:19:f7:28:36:54:5e:69:b1:e8:f1:
46:a3:fe:13:73:1e:d5:52:ac:70:cc:41:a4:43:01:
ef:89:a5:05:d1:7c:da:01:25:63:b4:9f:87:22:46:
3f:ab:15:69:cb:e5:ab:e6:68:2a:bc:82:36:68:17:
ce:7b:09:ce:d4:f9:0f:45:05:84:a1:ff:9f:48:f0:
41:50:ab:0a:92:c1:f1:3a:69:a9:21:24:0e:81:3b:
d2:80:d5:ea:c0:54:e0:05:b1:e3:fe:bc:2b:90:7e:
5e:92:d4:16:36:a1:4b:dc:c1:a0:99:35:96:d6:91:
dd:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:02:41:A9:81:65:3B:70:F3:1C:20:11:FD:F5:E5:60:EB:0B:55:CD
X509v3 Authority Key Identifier:
keyid:51:52:F1:C8:9B:E4:A6:09:35:FE:F9:35:7D:B5:A7:6E:9F:79:AF:7D
DirName:/C=US/ST=Colorado/L=Littleton/O=Labrats.us/OU=Labrats.us Certificate Authority/CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
serial:B4:82:58:46:C3:6B:D2:A1
Signature Algorithm: sha256WithRSAEncryption
4d:7d:7e:07:42:0e:d0:6e:de:a9:80:1b:1e:fe:a1:97:3d:6d:
cf:29:5f:c6:b0:d2:d9:0c:f0:32:54:58:5e:42:8f:d5:10:70:
dc:0d:77:3f:45:a7:84:84:98:7d:bf:2b:88:75:1e:39:94:99:
95:b8:47:5a:a7:91:c7:e4:1a:a5:e1:f8:36:f2:ca:91:ab:46:
8a:cd:a8:22:13:bd:5c:e0:f1:2c:57:c9:5c:09:d4:8e:8c:ae:
86:5a:d3:29:24:12:4b:93:92:22:6c:00:41:14:59:7b:12:b1:
80:f3:30:1f:ac:18:7e:fa:ec:72:ac:b3:0e:35:ed:c8:cc:82:
86:9e:c1:73:10:b3:d8:8f:71:75:0a:5b:58:92:d3:17:d7:d5:
c1:7d:45:86:b2:60:e8:5e:32:27:5f:c8:02:3f:ff:75:b0:f6:
7f:5c:ba:c7:04:e9:8e:70:2f:b9:e5:89:ee:4a:15:e3:e5:82:
dd:99:48:e8:42:ba:23:75:ff:9c:09:c0:9b:d9:55:6a:a3:31:
f1:84:a9:ce:3e:9f:52:e5:c3:26:af:cf:b6:3c:0c:b3:98:6b:
09:d4:f0:84:9c:3c:74:fd:98:eb:02:8e:cc:24:63:32:7f:45:
b1:02:e0:a7:8f:73:33:41:6e:1b:e9:19:bf:d9:e0:57:98:63:
84:cc:d4:c4
