setting up a certificate authority using openssl _ simple things

Upload: temporal11

Post on 08-Aug-2018

  • 8/22/2019 Setting Up a Certificate Authority Using Openssl _ Simple Things

    01/08/13 Setting up a certificate authority using openssl | Simple Things

    hexeract.wordpress.com/2009/04/16/60/

    Simple Things

    Ink and Incapability

    Setting up a certificate authority using openssl

    Setting up your own certificate authority is easier than the openssl documentation may imply. In this demonstration, openssl 0.9.8k has been used.

    1. Create support files for the certificate authority

        $ touch ca.db.index
        $ echo "01" >ca.db.serial

    2. Create the openssl configuration file ca.config

        default_ca=CA_default

        [ CA_default ]
        dir=.
        certs=.
        new_certs_dir=.
        database=ca.db.index
        serial=ca.db.serial
        RANDFILE=ca.db.rand
        certificate=ca.crt
        private_key=ca.key
        default_days=365
        default_crl_days=30
        # md5 is collision-broken as a signature digest; current practice is sha256 or stronger
        default_md=md5
        preserve=no
        policy=policy_anything
        x509_extensions=certificate_extensions

        [ policy_anything ]
        countryName= optional
        stateOrProvinceName= optional
        localityName= optional
        organizationName= optional
        organizationalUnitName= optional
        commonName= optional
        emailAddress= optional

        [ certificate_extensions ]
        basicConstraints=CA:false

        [ req ]
        # 1024-bit RSA is below the 2048-bit minimum accepted today
        default_bits=1024
        default_keyfile=ca.key
        default_md=sha1
        prompt=yes
        distinguished_name=acme_ca
        x509_extensions=root_ca_extensions

        [ acme_ca ]
        commonName=ACME Root CA
        stateOrProvinceName=Rainbow
        countryName=DE
        emailAddress=info@invalid.example
        organizationalUnitName=ACME Root CA

        [ root_ca_extensions ]
        basicConstraints=CA:true

    3. Create the certificate authority key and certificate

    For some odd reason you cannot simply hit return to accept the default values; re-enter one of them.

        $ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/nu
        $ echo $mypasswd >ca.key.passphrase
        $ openssl genrsa -des3 -passout pass:$mypasswd -out ca.key 4096
        $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -confi

    4. Create a certificate signing request (for our CA to sign)

    Preferably, you do this in another directory so as not to get confused. Enter all data as requested, with the common name (CN) being signme.com.

        $ mycn=signme.com
        $ mypasswd=$(dd if=/dev/urandom ibs=1024 count=1 2>/dev/nu
        $ echo $mypasswd >$mycn.key.passphrase
        $ openssl genrsa -des3 -passout pass:$mypasswd -out $mycn.key 1024
        $ openssl rsa -in $mycn.key -out $mycn.key.decrypted -passin pass:
        $ openssl req -new -key $mycn.key -out $mycn.csr -passin pass:$myp

    5. Sign the certificate signing request

    Now the example certificate signing request can be signed by the newly created certificate authority.

        $ name=signme.com
        $ password=$(cat ca.key.passphrase)
        $ openssl ca -config ./ca.config -passin pass:$password -out $name.

    6. What the heck are all these files in the CA directory

        ca.config            the certificate authority configuration file
        ca.key               the certificate authority key file
        ca.key.passphrase    the certificate authority key file passphrase
        ca.crt               the certificate authority certificate (self-signed)
        ca.db.index          keeps track of which certificate signing requests you have signed
        ca.db.index.attr     keeps a configuration item for ca.db.index

        # Verify the signed certificate against the CA certificate
        $ openssl verify -CAfile ca.crt signme.com.crt

        # Generate a certificate revocation list
        $ password=$(cat ca.key.passphrase)
        $ openssl ca -gencrl -config ./ca.config -passin pass:$password -k

        # Revoke a certificate (read the CA passphrase first, then revoke)
        $ password=$(cat ca.key.passphrase)
        $ openssl ca -config ./ca.config -passin pass:$password -revoke si
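
    The ca.config from step 2 signs with md5, self-signs the root with sha1, defaults to 1024-bit keys and uses a policy in which every subject field is optional. The following is an added example, not code from the original post: a small Python audit that parses an OpenSSL configuration and reports exactly those settings. The function names, the 2048-bit floor and the trimmed sample config are assumptions of this example.

```python
import re
# Constructed input: the security-relevant lines of the page's ca.config.
PAGE_CONFIG = """
[ CA_default ]
default_md=md5
policy=policy_anything
[ policy_anything ]
commonName= optional
[ req ]
default_bits=1024
default_md=sha1
"""

WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}  # broken or deprecated for signatures
MIN_RSA_BITS = 2048  # assumed floor for this example


def parse_sections(text):
    """Parse OpenSSL's INI-style config into {section: {key: value}}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        header = re.fullmatch(r"\[\s*(\S+?)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections


def audit(text):
    """Return (section, key, value, reason) for each weak setting found."""
    sections, findings = parse_sections(text), []
    for name, body in sections.items():
        digest = body.get("default_md", "").lower()
        if digest in WEAK_DIGESTS:
            findings.append((name, "default_md", digest, "weak signature digest"))
        bits = body.get("default_bits", "")
        if bits.isdigit() and int(bits) < MIN_RSA_BITS:
            findings.append((name, "default_bits", bits, "RSA key too short"))
        # Follow the policy= reference and check whether it enforces anything.
        policy = sections.get(body.get("policy", ""), {})
        if policy and all(v == "optional" for v in policy.values()):
            findings.append((name, "policy", body["policy"], "no subject field enforced"))
    return findings


if __name__ == "__main__":
    print(*audit(PAGE_CONFIG), sep="\n")
```

    Pointing audit() at the contents of a real ca.config before the first signature is issued catches these defaults while they are still cheap to change.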
