Create your own CA or root CA, subordinate CA

Posted on November 22, 2010

4



You can use openssl to create a self-signed Certificate or to create a Certificate Authority (CA) or to create Subordinate Certificate Authority as a full CA tree. All you need is the openssl package. The Document on openssl is not complete, but what we need is already documented. For all the commands I use I will refer to the openssl doc.
Openssl Documentation:
http://www.openssl.org/docs/apps/openssl.html

1. Root CA

1.1 Set yout enviroment

# mkdir root_ca
# cd root_ca
# cp /etc/ssl/openssl.cnf .
# vi openssl.cnf

Customize the configuration file of openssl for your Root CA.

With your favorite editor you can modify the configuration file of openssl, that is openssl.cnf. This file should you found in /etc/ssl/ folder (at least it is there in Ubuntu). I made some modification only in the default configuration file. See below:

# 21.11.2010 / George - commented out the randfile because it will be in the private folder.
#RANDFILE = $ENV::HOME/.rnd
...
# 21.11.2010 / George - changed the dir directory to local directory
dir = . # Where everything is kept

Tipp: If you modify your config file, it is usefull to put the date of the modification your name and a short comment what and why you did.

# mkdir certs
# mkdir crl
# mkdir newcerts
# mkdir private
# touch serial
# echo 0100 > serial
# touch index.txt
# touch crlnumber
# echo 0100 > crlnumber

1.2 Generate random numbers

# openssl rand -out ./private/.rand 1024

1.3 Generate your RSA keypair with your password (keysize will be 2048 bit)

# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048
1024 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.............................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for ./private/cakey.pem: root1234
Verifying - Enter pass phrase for ./private/cakey.pem: root1234 

1.4 Create a self-signed certificate

# openssl req -x509 -new -key ./private/cakey.pem -out cacert.pem -config openssl.cnf
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:rootca
Email Address []:info@mycompany.hu 

2. Subordinate CA
2.1 Set yout enviroment

# mkdir sub_ca
# cd sub_ca
# cp /etc/ssl/openssl.cnf .
# vi openssl.cnf 

Customize the configuration file of openssl for your Subordinate CA.

# 21.11.2010 / George - commented out the randfile because it will be in the private folder.
#RANDFILE = $ENV::HOME/.rnd
...
# 21.11.2010 / George - changed the dir directory to local directory
dir = . # Where everything is kept

For this CA we need the following folders and files as well:

# mkdir certs
# mkdir crl
# mkdir newcerts
# mkdir private
# touch serial
# echo 0100 > serial
# touch index.txt
# touch crlnumber
# echo 0100 > crlnumber 

2.2 Generate random numbers

# openssl rand -out ./private/.rand 1024 

2.3 Generate your RSA keypair with your password (keysize will be 2048 bit)

# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048
1024 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.............................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for ./private/cakey.pem: sub1234
Verifying - Enter pass phrase for ./private/cakey.pem: sub1234 

2.4 Create a certificate request

# openssl req -new -key ./private/cakey.pem -out subcareq.pem -config openssl.cnf
Enter pass phrase for ./private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Security
Common Name (eg, YOUR name) []:subca
Email Address []:info@mycompany.hu
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Sign the subca certificate request with root CA.

The only differency in signing a certificate to be a ca certificate is an extension that is defined with v3_ca. Lets quote from the official dokumentation of openssl to understand it:

“The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. All CAs should have the CA flag set to true.

If the basicConstraints extension is absent then the certificate is considered to be a “possible CA” other extensions are checked according to the intended use of the certificate. A warning is given in this case because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software.”

# cd ../root_ca/
# openssl ca -in ../sub_ca/subcareq.pem -extensions v3_ca -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 256 (0x100)
Validity
Not Before: Nov 21 20:52:41 2010 GMT
Not After : Nov 21 20:52:41 2011 GMT
Subject:
countryName = HU
stateOrProvinceName = Budapest
organizationName = My Company
organizationalUnitName = Security
commonName = subca
emailAddress = info@mycompany.hu
X509v3 extensions:
X509v3 Subject Key Identifier:
B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D
X509v3 Authority Key Identifier:
keyid:35:F2:79:BA:53:4C:F6:C3:A6:CF:02:A3:2E:9E:CC:B2:A8:81:1D:5E
DirName:/C=HU/ST=Budapest/L=Budapest/O=My Company/OU=Security/CN=rootca/emailAddress=info@mycompany.hu
serial:AE:5D:58:9B:D0:71:E5:49
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 21 20:52:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 256 (0x100)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=HU, ST=Budapest, L=Budapest, O=My Company, OU=Security, CN=rootca/emailAddress=info@mycompany.hu
Validity
Not Before: Nov 21 20:52:41 2010 GMT
Not After : Nov 21 20:52:41 2011 GMT
Subject: C=HU, ST=Budapest, O=My Company, OU=Security, CN=subca/emailAddress=info@mycompany.hu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c0:ea:3b:38:81:8d:b9:4a:21:09:e8:ff:6d:14:
e7:bd:85:62:36:a5:2c:09:1a:0a:f4:0e:6d:78:07:
61:96:88:a2:81:d5:e4:a2:3c:97:05:87:14:23:ef:
9c:71:4d:f7:f8:5f:3d:0b:c5:96:76:28:b4:77:fe:
56:2d:f3:29:e8:cc:d9:62:90:5f:bd:af:63:bc:b3:
7e:8a:a1:74:5c:80:50:13:08:14:2b:6d:df:e6:2c:
ef:c1:2e:a0:a4:0a:5e:fc:dd:a0:ed:26:d7:7f:d4:
fd:91:72:97:55:aa:c6:98:29:cf:c3:d3:d4:3d:f1:
54:d9:e7:d8:e3:5a:4e:7c:b7:ee:35:5f:c5:96:e3:
fc:eb:89:96:0b:ec:45:fc:83:d7:88:f0:8e:d0:54:
11:ca:0c:63:1f:75:47:74:44:f2:71:02:93:bb:ed:
fe:9e:57:9e:0a:6f:23:f3:53:13:8e:01:85:e0:73:
64:51:9a:e2:dd:71:46:5d:f3:6b:ca:97:39:48:4c:
75:24:aa:84:c6:37:71:d6:98:18:be:a1:bf:e9:e1:
9a:b4:ea:c2:a7:f7:e0:7e:08:45:f7:bd:2d:1c:07:
90:31:4c:2a:29:f2:9b:6d:95:e1:1b:d0:1f:d0:fc:
cd:bc:72:58:11:ae:a7:64:98:60:88:a2:b1:f7:30:
c9:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D
X509v3 Authority Key Identifier:
keyid:35:F2:79:BA:53:4C:F6:C3:A6:CF:02:A3:2E:9E:CC:B2:A8:81:1D:5E
DirName:/C=HU/ST=Budapest/L=Budapest/O=My Company/OU=Security/CN=rootca/emailAddress=info@mycompany.hu
serial:AE:5D:58:9B:D0:71:E5:49
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
b8:13:9c:7c:83:c7:be:f8:d3:74:b3:82:b7:d3:92:0f:4e:cb:
b2:cb:14:94:f9:01:26:de:5c:ad:c4:16:7f:e0:35:5a:70:cd:
d1:98:11:93:84:ba:55:4a:78:30:49:2b:24:52:9c:a0:51:26:
33:bc:8b:c2:bc:8a:c2:20:0a:6c:eb:69:13:be:ef:df:96:53:
ac:7b:39:c1:44:c3:73:f4:4b:72:e1:5d:6d:3f:fa:f9:6d:c4:
d4:29:56:4c:e9:e8:dc:5a:7d:a4:31:16:f4:0d:da:ab:c1:76:
4d:e8:4b:36:b6:c7:4e:fc:f6:f8:cc:73:2c:b1:0e:e0:e0:36:
a0:e6:9b:2a:bc:1d:73:b4:30:3d:96:b8:95:be:e7:2a:9a:6c:
f2:b0:08:7e:eb:a1:a4:4d:cd:d0:c2:c6:03:dc:ad:f7:dc:92:
e6:91:a5:0c:70:eb:4b:8b:13:c7:ad:e8:c2:86:96:4b:94:f2:
c4:b3:ce:87:c8:32:df:16:94:85:27:be:ee:4f:bf:b5:00:64:
01:0d:d0:e5:90:44:18:47:86:98:f8:4d:2a:68:88:b2:f0:27:
3c:5b:26:40:0d:18:e9:18:7b:e9:fb:ca:ca:1d:ce:b5:c3:fb:
5d:52:81:df:05:08:0f:ec:45:95:04:e9:c2:1d:e2:2c:4a:90:
a9:e8:54:49
-----BEGIN CERTIFICATE-----
MII…here should be the certificate request…
-----END CERTIFICATE-----
Data Base Updated

and just copy the subordinate CA certificate to the sub_ca directory

# cd ../subca/
# cp ../root_ca/newcerts/0100.pem cacert.pem

You can now create a Certificate for clients, servers from subordinate CA or root CA as you need.
As an example, with the following command you can sign a client certificate.

# openssl ca -in client_req.pem -out client_cert.pem -config openssl.cnf

And on the newly signed certificates – you generate later – you can see that they are not CAs:

# openssl x509 -in server_cert.pem -noout -text
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
...

Some conversion commands, if the certificate should be somewhere imported:

Convert a DER file (.crt .cer .der) to PEM

# openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

# openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

# openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

# openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

..

Advertisements
Posted in: Linux, openssl, Security, tools