1. How to be a Certificate Authority
Author: Larry Apolonio lapolonio@minihowto.com
Starting from Scratch
Blow away /usr/share/ssl, leaving only openssl.cnf.
The [ CA_default ] and policy sections of openssl.cnf (near the top of the file) should contain:
[ CA_default ]
dir = /usr/share/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/private/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
cd /usr/share/ssl
mkdir certs crl newcerts private
Create a file called serial containing 01, the serial number the CA will give the first certificate it issues:
echo "01" > serial
Create an empty file called index.txt; openssl ca uses it as its database of issued and revoked certificates:
touch index.txt
Generate the CA's private key and self-signed certificate (you are prompted for a pass phrase to protect the key and for the CA's Distinguished Name):
openssl req -new -x509 -keyout private/cakey.pem -out private/cacert.pem -days 365 -config openssl.cnf
or, with the v3_ca extensions from openssl.cnf (which mark the certificate as a CA) and a five-year lifetime:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out private/cacert.pem -days 1826 -config openssl.cnf
2a. How to Generate a Key so you can generate a Certificate Request
openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
2b. How to Use the Key to create a certificate request
openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Yourstate'
localityName :PRINTABLE:'YourCity'
organizationName :PRINTABLE:'Your Company Name'
organizationalUnitName:PRINTABLE:'Web Stuff'
commonName :PRINTABLE:'www.yourweb.com'
emailAddress :IA5STRING:'person@yourweb.com'
3. How to Process a certificate request
openssl ca -config openssl.cnf -in server.csr -out server.crt
where server.csr is the request sent in by the server and server.crt is the issued certificate. The CA asks for the pass phrase of its own key, shows the request's Distinguished Name and asks for confirmation before signing:
Using configuration from openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Yourstate'
localityName :PRINTABLE:'YourCity'
organizationName :PRINTABLE:'Your Company Name'
organizationalUnitName:PRINTABLE:'Web Stuff'
commonName :PRINTABLE:'www.yourweb.com'
emailAddress :IA5STRING:'person@yourweb.com'
4. How to Make the importable certificate
openssl x509 -in /usr/share/ssl/private/cacert.pem -outform DER -out /var/www/html/cert.der
Now anyone who needs to trust the CA can browse to http://www.yourweb.com/cert.der and the browser will offer to import the CA certificate.
Convert from DER to PEM format:
openssl x509 -inform der -in cert.der -out cert.pem
Another real quick process (key not password protected)
Make sure of the key and cert locations Apache expects:
[root@server conf]# grep server.key httpd.conf
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
[root@server conf]# grep server.crt httpd.conf
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
Create the key:
openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Protect the key so only root can read it:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
Create the certificate request (the umask keeps the request file private too):
umask 77 ; \
openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
Here's a nice all-in-one command that does the above: key and request in one step, with the subject given on the command line (-subj) instead of being prompted for:
openssl req -nodes -newkey rsa:1024 -keyout server.key \
-new -out server.csr \
-subj "/C=US/ST=Washington/L=Redmond/O=Some Mega Corp/OU=Security Op/CN=ssl.minihowto.com/emailAddress=lapolonio@minihowto.com"
Send the file /etc/httpd/conf/ssl.csr/server.csr to the CA.
The CA signs it:
openssl ca -in server.csr -out server.crt
and sends server.crt back.
Place server.crt in /etc/httpd/conf/ssl.crt/server.crt
5. Revoke a certificate
Look for the certificate you want to revoke in /usr/share/ssl/index.txt.
Each entry carries the serial number of the certificate it records; openssl ca also kept a copy of every certificate it issued under "new_certs_dir = $dir/newcerts", named after that serial number. Open the *.pem file with that name and verify that it really is the certificate you want to revoke.
Now you can revoke the cert. For example, if the cert is 08.pem, run the following from /usr/share/ssl to invalidate it (the entry in index.txt changes from V to R):
openssl ca -config openssl.cnf -revoke newcerts/08.pem
Generate the CRL file to hand out:
openssl ca -config openssl.cnf -crldays 365 -gencrl -out crl.pem
crl.pem will be valid for 365 days; the default (default_crl_days in openssl.cnf) is about 30. Clients only learn of a revocation once they have the new CRL, so regenerate and redistribute it after every revocation.
6. Renewing A certificate
First revoke the old cert (openssl ca will not issue a second certificate to a subject that still has a valid one in index.txt). Then sign the requester's original request again, which keeps the same key pair, or have the requester generate a new request with a new key.
7. Renewing the CA (Certificate Authority)
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out private/cacert_new.pem -days 1460 -config openssl.cnf
This reuses the existing CA key (-key) to produce a fresh self-signed CA certificate; answer the prompts with the same Distinguished Name as the old certificate so that policy_match still applies, then replace private/cacert.pem with the new file and redistribute it as in section 4.
8. Using client certificates
a. For the web server
In section 4 we created an importable certificate. A similar PEM version needs to be created:
openssl x509 -in /usr/share/ssl/private/cacert.pem -outform PEM -out /var/www/html/ca.crt
or you can convert the existing one
openssl x509 -inform DER -in cert.der -outform PEM -out ca.crt
On the web server place the file in /etc/httpd/conf/ssl.crt/ca.crt
vi /etc/httpd/conf.d/ssl.conf
and add
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
In /etc/httpd/conf.d/ssl.conf create a <Location> block for the part of the site that should require a client certificate, containing:
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
SSLVerifyDepth is the maximum number of issuers allowed between the client certificate and a CA in SSLCACertificateFile; certificates signed directly by this CA need a depth of 1, so 2 leaves room for one intermediate CA.
b. Creating the client cert
On the client's PC create a key and cert req (this can also be done on the CA server):
openssl genrsa -des3 1024 > larry.key
openssl req -new -key larry.key -out larry.csr
For the common name use your name
Common Name (eg, your name or your server's hostname) []:Larry Apolonio
Have the CA sign the cert and return it:
openssl ca -in larry.csr -out larry.crt
For Mozilla and Firefox, build a PKCS#12 bundle holding the certificate together with its private key (you are asked for an export password, which the browser asks for again on import):
openssl pkcs12 -export -clcerts -in larry.crt -inkey larry.key -out larry.P12
For IE:
openssl x509 -inform PEM -in larry.crt -outform DER -out larry.der
The .der file holds only the certificate, so it is useful where the private key is already in the browser's store; otherwise import the .P12 bundle, which Internet Explorer accepts as well.
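The following script is an added example, not part of the original HOWTO, that walks the whole lifecycle of sections 1, 3, 5 and 8b in a throw-away directory: it builds the directory layout, serial and index.txt of section 1 with a minimal openssl.cnf modelled on the [ CA_default ] and policy_anything sections above, creates the CA with -extensions v3_ca, issues a server certificate from a request made with the all-in-one req command, revokes it through its newcerts/<serial>.pem copy and regenerates the CRL, shows what index.txt and openssl verify say before and after, then issues a client certificate and packs it into a PKCS#12 bundle. Everything in it is constructed: the scratch directory (mktemp -d in place of /usr/share/ssl), the Example Corp Distinguished Names, the password "secret", the v3_server and v3_client extension sections and the script name. It uses 2048-bit keys rather than the 1024-bit keys shown in the HOWTO, since 1024-bit RSA is no longer considered adequate, and it leaves keys unencrypted (-nodes) only so that it runs without prompts; a real CA key should be encrypted as in section 1.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: the CA lifecycle of sections 1, 3, 5 and 8b in a
# scratch directory. All paths, DNs, extension sections and the password are constructed.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # stands in for the HOWTO's /usr/share/ssl
ca_init() {   # section 1: directory layout, serial, index.txt, config, self-signed CA cert
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"; : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/private/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # 2048-bit key instead of the HOWTO's 1024; -nodes only so that the demo needs no prompts
    openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca -days 1826 \
        -config "$CA_DIR/openssl.cnf" -subj "/C=US/O=Example Corp/CN=Example Root CA" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/private/cacert.pem" 2>/dev/null
    # publish an (empty) CRL from day one so relying parties can always check revocation
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -crldays 365 -out "$CA_DIR/crl.pem" 2>/dev/null
}
make_csr() {   # section 2 / the "all in one" command: $1 = name, $2 = subject DN
    openssl req -nodes -newkey rsa:2048 -keyout "$CA_DIR/$1.key" -new -out "$CA_DIR/$1.csr" \
        -config "$CA_DIR/openssl.cnf" -subj "$2" 2>/dev/null
}
sign_csr() {   # section 3: $1 = name, $2 = extension section; -batch skips the y/n prompts
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -extensions "$2" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}
cert_serial() {   # $1 = name; hex serial, which is also the file name under newcerts/
    openssl x509 -noout -serial -in "$CA_DIR/$1.crt" | cut -d= -f2
}
index_state() {   # $1 = name; V or R from the index.txt row with that serial (4th tab field)
    awk -F'\t' -v s="$(cert_serial "$1")" '$4 == s { print $1 }' "$CA_DIR/index.txt"
}
revoke_cert() {   # section 5: revoke via the newcerts/<serial>.pem copy, then reissue the CRL
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/newcerts/$(cert_serial "$1").pem" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -crldays 365 -out "$CA_DIR/crl.pem" 2>/dev/null
}
cert_status() {   # $1 = name; what a relying party sees: valid, revoked or untrusted
    cat "$CA_DIR/private/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/ca_and_crl.pem"   # -CAfile loads CRLs too
    if openssl verify -crl_check -CAfile "$CA_DIR/ca_and_crl.pem" "$CA_DIR/$1.crt" 2>&1 | grep -q ': OK$'; then
        echo valid
    elif openssl verify -CAfile "$CA_DIR/private/cacert.pem" "$CA_DIR/$1.crt" 2>&1 | grep -q ': OK$'; then
        echo revoked
    else
        echo untrusted
    fi
}
export_p12() {   # section 8b: $1 = name, $2 = export password; bundle of cert + key for the browser
    openssl pkcs12 -export -clcerts -in "$CA_DIR/$1.crt" -inkey "$CA_DIR/$1.key" \
        -out "$CA_DIR/$1.p12" -passout "pass:$2"
}
p12_cn() {   # $1 = name, $2 = password; CN of the certificate inside the bundle
    openssl pkcs12 -in "$CA_DIR/$1.p12" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}
ca_demo() {   # usage: sh ca_lifecycle.sh run   (the file name is an assumption)
    ca_init
    make_csr server "/C=US/ST=Washington/L=Redmond/O=Example Corp/OU=Web Stuff/CN=www.example.test"
    sign_csr server v3_server
    echo "server before revocation: $(cert_status server); index.txt says $(index_state server)"
    revoke_cert server
    echo "server after revocation: $(cert_status server); index.txt says $(index_state server)"
    make_csr larry "/C=US/O=Example Corp/CN=Larry Apolonio"
    sign_csr larry v3_client
    export_p12 larry secret
    echo "larry.p12 carries a certificate for: $(p12_cn larry secret)"
}
case "${1:-}" in run) ca_demo ;; esac
```

Two choices are worth noting. The CRL is generated right after the CA is created, before anything has been revoked, so that a relying party can run openssl verify -crl_check from the first day; the HOWTO only generates it at revocation time, and until a CRL exists such a check fails. And cert_status feeds the CA certificate and the CRL to openssl verify in one -CAfile, which is the portable way to make -crl_check find the CRL; revocation only takes effect for a client once it has the regenerated crl.pem in hand.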