Managing Certificate Authority
From VVCWiki
Jump to navigationJump to search
This article should help you to run your own certificate authority (CA).
Creating CA
We will keep all files related to our CA in directory /root/CA
openssl.conf
First, we will create OpenSSL configuration file. It can be stored anywere and referenced by environment variable
export OPENSSL_CONF=/root/CA/openssl.conf
Here is my file
[ ca ] default_ca = CA_default [ CA_default ] dir = /root/CA new_certs_dir = $dir/certs database = $dir/index.txt unique_subject = no certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem serial = $dir/serial crl = $dir/crl.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default copy_extensions = copy default_days = 365 default_crl_days= 35 default_md = sha256 preserve = no policy = policy_any [ policy_any ] countryName = supplied stateOrProvinceName = supplied localityName = supplied organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = supplied [ req ] default_bits = 1024 default_md = sha1 distinguished_name = req_distinguished_name prompt = no x509_extensions = v3_ca [ req_distinguished_name ] countryName = US stateOrProvinceName = Virginia localityName = Leesburg organizationName = Vadym Chepkov organizationalUnitName = Vadym Chepkov CA commonName = Vadym Chepkov CA emailAddress = vvc@chepkov.com [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:TRUE,pathlen:1 subjectAltName=email:copy issuerAltName=issuer:copy authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl [ intermediate_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always keyUsage = critical,keyCertSign,cRLSign basicConstraints = critical,CA:TRUE,pathlen:0 subjectAltName=email:copy issuerAltName=issuer:copy authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl [ usr_cert ] basicConstraints = critical,CA:FALSE keyUsage = critical,digitalSignature,keyAgreement subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl [ server ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always extendedKeyUsage=serverAuth keyUsage = critical,digitalSignature, keyEncipherment authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl
Creating initial database
cd /root/CA mkdir certs private chmod 700 private echo 01 > serial touch index.txt index.txt.attr
Creating CA private key
openssl genrsa -out private/cakey.pem 2048
Creating CA certificate request
openssl req -new -key private/cakey.pem -out ca.csr
Self-signing CA certificate
openssl ca -selfsign -in ca.csr -keyfile private/cakey.pem -out cacert.pem -extensions v3_ca -verbose -enddate 361231235959Z
Signing Certificate Request
openssl ca -days 730 -in server.csr -out server.crt -extensions server
Make sure expiration day of the certificate does not exceed expiration day of your certificate authority. You don't have to specify days argument if you want to use default from openssl.conf
Revoking a certificate
openssl ca -revoke cert.pem
Generating Certificate Revocation List (CRL)
openssl ca -gencrl -out crl.pem openssl crl -in crl.pem -out crl.crl -outform DER