Managing Certificate Authority

From VVCWiki
Revision as of 01:34, 26 January 2009 by Vvc (talk | contribs) (server)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

This article should help you to run your own certificate authority (CA).

Creating CA

We will keep all files related to our CA in directory /root/CA

openssl.conf

First, we will create OpenSSL configuration file. It can be stored anywere and referenced by environment variable

export OPENSSL_CONF=/root/CA/openssl.conf

Here is my file

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = /root/CA
new_certs_dir   = $dir/certs
database        = $dir/index.txt
unique_subject  = no
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
crl             = $dir/crl.pem
RANDFILE        = $dir/private/.rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
copy_extensions = copy
default_days    = 365
default_crl_days= 35
default_md      = sha1
preserve        = no
policy          = policy_any

[ policy_any ]
countryName             = supplied
stateOrProvinceName     = supplied
localityName            = supplied
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied

[ req ]
default_bits            = 1024
default_md              = sha1
distinguished_name      = req_distinguished_name
prompt                  = no
x509_extensions         = v3_ca

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = Virginia
localityName            = Leesburg
organizationName        = Vadym Chepkov
organizationalUnitName  = Vadym Chepkov CA
commonName              = Vadym Chepkov CA
emailAddress            = vvc@chepkov.com

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE,pathlen:1
subjectAltName=email:copy
issuerAltName=issuer:copy
authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html
crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl

[ intermediate_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:TRUE,pathlen:0
subjectAltName=email:copy
issuerAltName=issuer:copy
authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html
crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl

[ usr_cert ]
basicConstraints = critical,CA:FALSE
keyUsage  = critical,digitalSignature,keyAgreement
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html
crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl

[ server ]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = critical,digitalSignature, keyEncipherment
authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html
crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl

Creating initial database

cd /root/CA
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt index.txt.attr

Creating CA private key

openssl genrsa -out private/cakey.pem 2048

Creating CA certificate request

openssl req -new -key private/cakey.pem -out ca.csr

Self-signing CA certificate

openssl ca -selfsign -in ca.csr -keyfile private/cakey.pem -out cacert.pem -extensions v3_ca -verbose -enddate 361231235959Z

Signing Certificate Request

openssl ca -days 730 -in server.csr -out server.crt -extensions server

Make sure expiration day of the certificate does not exceed expiration day of your certificate authority. You don't have to specify days argument if you want to use default from openssl.conf

Revoking a certificate

openssl ca -revoke cert.pem

Generating Certificate Revocation List (CRL)

openssl ca -gencrl -out crl.pem
openssl crl -in crl.pem -out crl.crl -outform DER