Author: Larry Apolonio lapolonio@minihowto.com

Version: 2

Date: November 21, 2007

1. How to be a Certificate Authority


Starting from scratch
Remove everything under /usr/share/ssl except openssl.cnf.

The top section of openssl.cnf should contain:
[ CA_default ]

dir             = /usr/share/ssl        # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/private/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem        # The private key
RANDFILE        = $dir/private/.rand    # private random number file

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


cd /usr/share/ssl
mkdir certs crl newcerts private
Create a file called serial containing the number 01:
echo "01" > serial
Create an empty file called index.txt (the certificate database):
touch index.txt
Generate the CA private key and self-signed CA certificate (valid 365 days):
openssl req -new -x509 -keyout private/cakey.pem -out private/cacert.pem -days 365 -config openssl.cnf
or, with the v3_ca extensions from openssl.cnf and a longer lifetime:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out private/cacert.pem -days 1826 -config openssl.cnf

2. Creating a key and certificate request
openssl req -nodes -newkey rsa:1024 -keyout server.key \
-new -out server.csr \
-subj "/C=US/ST=Washington/L=Redmond/O=Some Mega Corp/OU=Security Op/CN=ssl.minihowto.com/emailAddress=lapolonio@minihowto.com"

Protect the private key (-nodes left it unencrypted on disk):
chmod go-rwx server.key

Send the request file
/etc/httpd/conf/ssl.csr/server.csr
to the CA.

The CA signs it:
openssl ca -in server.csr -out server.crt

and sends server.crt back to the requester.

3. How to process a certificate request
openssl ca -in server.csr -out server.crt
Run this on the CA machine with the openssl.cnf from section 1 (pass -config openssl.cnf if it is not in the default location). The new certificate is recorded in index.txt and a copy is written to newcerts/ under its serial number.

4. How to make the importable certificate authority certificate
openssl x509 -in cacert.pem -outform DER -out cert.der
Publish cert.der on a web server; a user then imports the CA certificate by opening, for example, http://www.yourweb.com/cert.der

Convert between DER and PEM format:
openssl x509 -inform der -in cert.der -out cert.pem

5. Revoking a certificate
Look for the certificate you want to revoke in
/usr/share/ssl/index.txt

Each entry carries the serial number of the certificate it describes; note the one for the certificate you want to revoke.
Under newcerts, open the *.pem file named with that serial number and verify that it really is the certificate you mean.

Now you can revoke the certificate. For example, if it is 08.pem, run the following (from the newcerts directory, or pass the path newcerts/08.pem) to invalidate it:

openssl ca -revoke 08.pem

Generate the CRL file to hand out:
openssl ca -crldays 365 -gencrl -out crl.pem

crl.pem will be valid for 365 days; the default is 30.
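The whole lifecycle of sections 1, 3 and 5, as an added example that is not part of the original howto: a shell script that builds a throwaway CA in a temporary directory, signs a request, revokes the resulting certificate, issues the CRL and checks that openssl verify now rejects that certificate. The minimal openssl.cnf, the temporary directory and the subject names are assumptions chosen to mirror section 1; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original howto: runs the CA lifecycle of sections
# 1, 3 and 5 (set up, sign, revoke, publish CRL) in a throwaway directory so
# nothing under /usr/share/ssl is touched. Needs only the openssl CLI.
set -e

ca_lifecycle() {
  cd "$(mktemp -d)"
  mkdir certs crl newcerts private
  echo "01" > serial          # first serial number, as in section 1
  touch index.txt             # empty certificate database
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/private/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  # CA key and self-signed CA cert (section 1); -nodes so it runs unattended
  openssl req -new -x509 -nodes -extensions v3_ca -newkey rsa:2048 \
    -keyout private/cakey.pem -out private/cacert.pem -days 365 \
    -subj "/CN=Example Test CA" -config openssl.cnf
  # Requester's key and CSR, then the CA signs it (sections 2 and 3)
  openssl req -nodes -newkey rsa:2048 -keyout server.key -new -out server.csr \
    -subj "/CN=ssl.example.test" -config openssl.cnf
  openssl ca -batch -notext -config openssl.cnf -in server.csr -out server.crt
  openssl verify -CAfile private/cacert.pem server.crt
  # Revoke it, issue the CRL, and confirm verification now fails (section 5)
  openssl ca -config openssl.cnf -revoke server.crt
  openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem
  if openssl verify -crl_check -CAfile private/cacert.pem -CRLfile crl.pem server.crt
  then return 1; fi         # a revoked certificate must not verify
}
```

Call ca_lifecycle to run it; it leaves index.txt with the entry marked R (revoked) and crl.pem next to it in the temporary directory.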

6. Renewing a certificate
First revoke the old certificate. Then sign the requester's original request again, or have the requester generate a new request.

7. Renewing the CA (Certificate Authority)
openssl req -new -x509 -key private/cakey.pem \
-keyout private/cakey_new.pem \
-in cacert.pem -out cacert_new.pem -days 1460
This reuses the existing CA key and issues a new self-signed CA certificate, cacert_new.pem, valid for 1460 days. Afterwards replace the certificate that openssl.cnf points to (private/cacert.pem) with the new one and redistribute it to the web servers and clients from sections 4 and 8.

8. Using client certificates
a. For the web server
In section 4 we created an importable certificate. A similar PEM version needs to be created:
openssl x509 -in /usr/share/ssl/private/cacert.pem -outform PEM -out /var/www/html/ca.crt
or you can convert the existing DER one:
openssl x509 -inform DER -in cert.der -outform PEM -out ca.crt
On the web server, place the file at /etc/httpd/conf/ssl.crt/ca.crt
vi /etc/httpd/conf.d/ssl.conf
and add
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
In /etc/httpd/conf.d/ssl.conf create a <Location> block for the path you want to protect, containing:
       SSLRequireSSL
       SSLVerifyClient require
       SSLVerifyDepth 2
SSLVerifyClient require makes Apache reject any connection that does not present a client certificate chaining to ca.crt; SSLVerifyDepth 2 allows one intermediate CA between the client certificate and ca.crt.

b. Creating the client cert
On the client's PC, create a key and certificate request (this can also be done on the CA server):
openssl genrsa -des3 1024 > larry.key
openssl req -new -key larry.key -out larry.csr
For the common name, use your name:
Common Name (eg, your name or your server's hostname) []:Larry Apolonio
Have the CA sign the certificate and return it:
openssl ca -in larry.csr -out larry.crt

For Mozilla and Firefox, bundle the certificate and its private key as PKCS#12:
openssl pkcs12 -export -clcerts -in larry.crt -inkey larry.key -out larry.P12

For IE, convert the certificate to DER (this file carries only the certificate; the private key stays in larry.key):
openssl x509 -inform PEM -in larry.crt -outform DER -out larry.der