Difference between revisions of "User:Sfiggins/Self Signed CA Instructions"

Make CA Directory Structure

# mkdir -p /CA/certs /CA/crl /CA/netcerts /CA/private
# touch /CA/index.txt /CA/index.txt.attr /CA/serial
# echo 01 > /CA/serial
# echo "unique_subject = no" > /CA/index.txt.attr

Edit /CA/openssl.cnf

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= .			# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/labrats_ca.pem	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/labrats_ca.key # The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 7300			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# which md to use.
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= optional
organizationName	= match
organizationalUnitName	= match
commonName		= optional
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= US
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Colorado

localityName			= Locality Name (eg, city)
localityName_default		= Centennial

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Labrats.us

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Labrats.us Certificate Authority

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Create the CA Certificate

Generate the CA passphrase

It's far easier to place this into a file, so it is not easily observed in the command history. Be careful of key loggers, though.

# vi passphrase.txt

Generate the private key

# openssl genrsa -aes128 -passout file:passphrase.txt -out labrats_ca.key 2048

Copy the private key to "private"

# mv labrats_ca.key /CA/private

Create the self-signed CA certificate

# openssl req -config /CA/openssl.cnf -x509 -sha256 -new -nodes -key private/labrats_ca.key -days 7300 -out labrats_ca.pem

View the new CA certificate

# openssl x509 -in labrats_ca.pem -text -noout

Create the certificate creation/signing script

# vi /CA/new_cert.sh
# chmod +x /CA/new_cert.sh

Contents of new_cert.sh:

#!/bin/sh
#
# This script makes it easy to issue new certs.
#

if [ "$1" == "" ]; then
    echo "Usage $0 <certificate name>"
    exit 1
fi

openssl req -nodes -newkey rsa:2048 -new -x509 -keyout /CA/certs/$1.pem -out /CA/certs/$1.pem -days 7300 -config /CA/openssl.cnf

openssl x509 -x509toreq -in /CA/certs/$1.pem -signkey /CA/certs/$1.pem -out /CA/tmp.pem -days 7300

openssl ca -config /CA/openssl.cnf -policy policy_anything -out /CA/certs/$1-cert.pem -days 7300 -infiles /CA/tmp.pem

rm -f /CA/tmp.pem

Creating new server certificates

Generating the server certificate, using the new_cert.sh script

# ./new_cert.sh newserver
Generating a 2048 bit RSA private key
....................................................................................................+++
......+++
writing new private key to 'certs/newserver.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Colorado]:
Locality Name (eg, city) [Centennial]:
Organization Name (eg, company) [Labrats.us]:
Organizational Unit Name (eg, section) [Labrats.us Certificate Authority]:
Common Name (eg, your name or your server's hostname) []:newserver.labrats.us
Email Address []:root@labrats.us

Getting request Private Key
Generating certificate request
Using configuration from openssl.cnf
Enter pass phrase for ./private/labrats_ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 28 (0x1c)
        Validity
            Not Before: Jun 19 16:55:02 2015 GMT
            Not After : Jun 14 16:55:02 2035 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Colorado
            localityName              = Centennial
            organizationName          = Labrats.us
            organizationalUnitName    = labrats.us Certificate Authority
            commonName                = newserver.labrats.us
            emailAddress              = root@labrats.us
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                24:02:41:A9:81:65:3B:70:F3:1C:20:11:FD:F5:E5:60:EB:0B:55:CD
            X509v3 Authority Key Identifier: 
                keyid:51:52:F1:C8:9B:E4:A6:09:35:FE:F9:35:7D:B5:A7:6E:9F:79:AF:7D
                DirName:/C=US/ST=Colorado/L=Littleton/O=Labrats.us/OU=Labrats.us Certificate Authority/CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
                serial:B4:82:58:46:C3:6B:D2:A1

Certificate is to be certified until Jun 14 16:55:02 2035 GMT (7300 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Validating the certificate

# ls -l /CA/certs/newserver*
-rw-r--r-- 1 root root 5460 Jun 19 10:55 /CA/certs/newserver-cert.pem
-rw-r--r-- 1 root root 3558 Jun 19 10:54 /CA/certs/newserver.pem

# openssl x509 -in /CA/certs/newserver-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Colorado, L=Centennial, O=Labrats.us, OU=Labrats.us Certificate Authority, CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
        Validity
            Not Before: Jun 19 16:55:02 2015 GMT
            Not After : Jun 14 16:55:02 2035 GMT
        Subject: C=US, ST=Colorado, L=Centennial, O=Labrats.us, OU=Labrats.us Certificate Authority, CN=newserver.labrats.us/emailAddress=root@labrats.us
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:de:bd:94:8c:bf:e5:9f:64:7f:2a:c1:a4:84:fc:
                    cd:3f:c3:71:40:fe:56:1a:05:ab:92:45:4b:d7:14:
                    eb:08:3a:e3:23:80:20:08:5f:4e:fe:d5:53:bd:48:
                    be:c3:be:64:af:7c:05:72:c5:c9:ea:05:ea:70:84:
                    04:d7:45:89:47:33:a2:79:9d:d0:ef:4b:45:ad:45:
                    8d:a5:e7:d2:97:f2:d0:e7:1a:bf:39:41:d8:6a:54:
                    04:cd:19:b2:fc:e8:13:c4:d6:7a:cc:75:52:b8:5a:
                    d2:7d:e9:5c:ab:b1:42:a0:da:04:0e:85:d7:7b:2c:
                    87:60:33:f5:f8:af:57:3b:69:43:95:f7:40:bf:f1:
                    d5:f4:72:cb:3d:19:f7:28:36:54:5e:69:b1:e8:f1:
                    46:a3:fe:13:73:1e:d5:52:ac:70:cc:41:a4:43:01:
                    ef:89:a5:05:d1:7c:da:01:25:63:b4:9f:87:22:46:
                    3f:ab:15:69:cb:e5:ab:e6:68:2a:bc:82:36:68:17:
                    ce:7b:09:ce:d4:f9:0f:45:05:84:a1:ff:9f:48:f0:
                    41:50:ab:0a:92:c1:f1:3a:69:a9:21:24:0e:81:3b:
                    d2:80:d5:ea:c0:54:e0:05:b1:e3:fe:bc:2b:90:7e:
                    5e:92:d4:16:36:a1:4b:dc:c1:a0:99:35:96:d6:91:
                    dd:77
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                24:02:41:A9:81:65:3B:70:F3:1C:20:11:FD:F5:E5:60:EB:0B:55:CD
            X509v3 Authority Key Identifier: 
                keyid:51:52:F1:C8:9B:E4:A6:09:35:FE:F9:35:7D:B5:A7:6E:9F:79:AF:7D
                DirName:/C=US/ST=Colorado/L=Littleton/O=Labrats.us/OU=Labrats.us Certificate Authority/CN=Labrats.us Certificate Authority/emailAddress=root@labrats.us
                serial:B4:82:58:46:C3:6B:D2:A1

    Signature Algorithm: sha256WithRSAEncryption
        4d:7d:7e:07:42:0e:d0:6e:de:a9:80:1b:1e:fe:a1:97:3d:6d:
        cf:29:5f:c6:b0:d2:d9:0c:f0:32:54:58:5e:42:8f:d5:10:70:
        dc:0d:77:3f:45:a7:84:84:98:7d:bf:2b:88:75:1e:39:94:99:
        95:b8:47:5a:a7:91:c7:e4:1a:a5:e1:f8:36:f2:ca:91:ab:46:
        8a:cd:a8:22:13:bd:5c:e0:f1:2c:57:c9:5c:09:d4:8e:8c:ae:
        86:5a:d3:29:24:12:4b:93:92:22:6c:00:41:14:59:7b:12:b1:
        80:f3:30:1f:ac:18:7e:fa:ec:72:ac:b3:0e:35:ed:c8:cc:82:
        86:9e:c1:73:10:b3:d8:8f:71:75:0a:5b:58:92:d3:17:d7:d5:
        c1:7d:45:86:b2:60:e8:5e:32:27:5f:c8:02:3f:ff:75:b0:f6:
        7f:5c:ba:c7:04:e9:8e:70:2f:b9:e5:89:ee:4a:15:e3:e5:82:
        dd:99:48:e8:42:ba:23:75:ff:9c:09:c0:9b:d9:55:6a:a3:31:
        f1:84:a9:ce:3e:9f:52:e5:c3:26:af:cf:b6:3c:0c:b3:98:6b:
        09:d4:f0:84:9c:3c:74:fd:98:eb:02:8e:cc:24:63:32:7f:45:
        b1:02:e0:a7:8f:73:33:41:6e:1b:e9:19:bf:d9:e0:57:98:63:
        84:cc:d4:c4