OpenSSL CA
From Notes
This article will outline the steps required to create a signing authority, make certificate requests, and sign those requests utilizing openssl. This document is written with Apache's httpd mod_ssl in mind, but the basic concepts here can be extended to most any client/server service.
Contents |
Creating the CA
This article will outline suggested steps steps to setup a CA utilizing openssl's CA script. In recent releases, the CA script has been ported from perl (CA.pl) to sh (CA). This article will focus on the sh based CA script; however, the concepts are portable to the perl based script.
Prep
The sh based CA script is located at /etc/pki/tls/misc/CA. You should edit this file, as directed below, to suit your needs.
Changes to the CA script
## Increase the number of valid days to 10 years #CADAYS="-days 1095" # 3 years CADAYS="-days 3650" # 10 years
Changes to the openssl config
A few changes also need to be made to the openssl config file: /etc/pki/tls/openssl.cnf
## Under the [ CA_default ] section: ## Set default days to 3 years #default_days = 365 # how long to certify for default_days = 1059 # how long to certify for ## Unremark the "copy_extensions" var if you need ## x509 extensions support, such as subjectAltName # Extension copying option: use with caution. copy_extensions = copy [ req ] ## set default bits to 2048 default_bits = 2048 [ req_distinguished_name ] ## Pre-set these values for convenience countryName_default = US stateOrProvinceName_default = AnyTown localityName_default = MyState 0.organizationName_default = MyOrg organizationalUnitName_default = MySubOrg
Create the CA
Use the CA script to create the Certificate Authority. A public and private key pair will be created in PEM format. The resulting root certificate will be written to /etc/pki/CA/cacert.pem. THe resulting private key will be written to /etc/pki/CA/private/cakey.pem. You will first need to create a pass phrase, which will be use to sign subsequent certificates. Keep it in a safe place!
Generate a pass phrase
- Generate the pass phrase. The pass phrase will be stored in the file ~/CAPassPhrase.txt
[root@mybox tls]# (ps axf ; w ; date) | sha1sum | awk '{print $1}' > ~/CAPassPhrase.txt
[root@mybox tls]# chmod 400 ~/CAPassPhrase.txt
Running the CA Script
- Run the CA script to create the CA
[root@mybox tls]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) [enter]
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................................+++
.................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: [text from ~/CAPassPhrase.txt]
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MyState]:
Locality Name (eg, city) [AnyTown]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) []:MySubOrg
Common Name (eg, your name or your server's hostname) []:CA ROOT
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: [text from ~/CAPassPhrase.txt]
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e0:b0:ba:3b:0f:2b:e0:7f
Validity
Not Before: Mar 18 16:06:45 2011 GMT
Not After : Mar 15 16:06:45 2021 GMT
Subject:
countryName = US
stateOrProvinceName = MyState
organizationName = MyOrg
organizationalUnitName = MySubOrg
commonName = CA ROOT
X509v3 extensions:
X509v3 Subject Key Identifier:
FD:80:40:CA:CC:E7:57:6E:A5:B9:C7:40:E5:FE:2C:D1:F8:21:A4:E3
X509v3 Authority Key Identifier:
keyid:FD:80:40:CA:CC:E7:57:6E:A5:B9:C7:40:E5:FE:2C:D1:F8:21:A4:E3
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 15 16:06:45 2021 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@mybox tls]#
Results
The following files and directories should be in place
/etc/pki/CA/cacert.pem # public root certificate /etc/pki/CA/serial # serial number tracker /etc/pki/CA/private/cakey.pem # private root cert key
Certificate Signing Request (CSR)
This step will create a CSR- a request for a CA to create a certificate. These steps should be run on each server which will require a signed certificate; this includes the CA, if services running on the CA require a certificate (think: self-signed).
Changes to the openssl config
Few changes to /etc/pki/tls/openssl.cnf are needed, however, if you require a certificate which includes the subjectAltName field, you will need to make a few specific changes. Otherwise, all other noted changes are for convenience only.
## For subjectAltName functionality: ## In the [ v3_req ] section: ## Be sure to include the FQDN of all servers involved, including the FQDNs of any VIPs subjectAltName = "DNS:vip.example.int,DNS:vip2.example.int,DNS:csrserver.cluster.int" [ req_distinguished_name ] ## Pre-set these values for convenience countryName_default = US stateOrProvinceName_default = MyState localityName_default = AnyTown 0.organizationName_default = MyOrg organizationalUnitName_default = MySubOrg
Generate the CSR
If you require the subjectAltName field (and you included the above required changes to /etc/pki/tls/openssl.cnf), be sure to add the param -reqexts "v3_req". If you do not require the subjectAltName field, you may safely omit this param.
- When prompted for the Common Name, be sure to enter your service's FQDN.
- Do not enter a challenge password. When prompted, just press [enter].
- No need to enter An optional company name
[root@csrserver ~]# mkdir certs [root@csrserver ~]# cd certs/ [root@csrserver certs]# hostname -f csrserver.example.int ### You will need your server's FQDN [root@csrserver certs]# openssl req -nodes -new -newkey rsa:2048 -keyout `hostname -f`-KEY.pem -out `hostname -f`-CSR.pem -reqexts "v3_req" Generating a 2048 bit RSA private key .......................+++ .........................+++ writing new private key to 'csrserver.example.int-KEY.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) []:MyState Locality Name (eg, city) [AnyTown]: Organization Name (eg, company) [MyOrg]: Organizational Unit Name (eg, section) [MySubOrg]: Common Name (eg, your name or your server's hostname) []:csrserver.example.int Email Address []:. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@ldap-mm-02 certs]# ls csrserver.example.int-CSR.pem csrserver.example.int-KEY.pem
Verify the CSR before sending to the CA
This step is very important. DO NOT SKIP IT. When working within the realm of self-signed certificates and/or self-managed CAs, this step is not as critical since regenerating and submitting another CSR does not incur an additional cost- just extra time. If you intend to send this CSR to a commercial CA you must ensure accuracy. Most commercial CAs will charge full price for a new certificate if you messed up the CSR.
[root@ldap-mm-02 certs]# openssl req -in `hostname -f`-CSR.pem -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=MyState, L=AnyTown, O=MyOrg, OU=MySubOrg, CN=csrserver.example.int
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:7f:13:1b:91:5a:47:10:c8:6a:56:7b:44:6c:
f0:f2:cf:5d:1b:eb:e8:85:7e:e8:be:2b:d0:ee:7d:
86:93:6f:5d:e7:55:13:e4:e3:a3:a3:f6:9b:f3:bf:
1b:22:37:de:2f:18:a3:66:7a:c6:b8:2c:e2:b7:b5:
4d:db:c6:15:0f:4a:15:86:ed:b4:7e:8f:d0:a6:7f:
c2:22:a1:95:aa:bd:b2:40:90:df:4c:71:3e:71:39:
cb:71:0b:02:72:c5:9d:59:3d:cd:38:88:5e:a8:b0:
7d:12:94:29:7d:6f:67:93:45:11:4a:48:d0:62:4d:
a4:dd:50:78:4d:03:33:fc:65:df:d5:b0:ec:de:03:
40:8b:17:2f:03:a0:9b:f5:93:b5:40:08:77:a4:8c:
f3:6d:47:78:94:50:48:ee:93:ce:37:c3:a5:68:1b:
be:1a:cd:75:6b:f1:59:97:4d:c4:d1:f0:2b:8e:39:
13:33:9a:f0:fe:b2:ee:81:3d:b1:2d:98:aa:8d:e9:
0f:4c:1f:02:92:6c:ad:75:9d:1e:50:aa:de:8f:a0:
ee:e8:f0:00:15:80:c3:7c:f2:a5:08:8f:7f:36:ba:
cb:70:a7:bb:48:60:4c:c9:40:c9:75:7e:eb:74:22:
cf:13:13:37:99:8d:d7:3e:ab:9d:21:a1:a7:46:f6:
93:4d
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:vip.example.int,DNS:vip2.example.int,DNS:csrserver.cluster.int
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
38:76:92:32:16:6c:42:38:f4:46:28:70:79:f3:c5:f7:ec:e9:
c1:a4:f6:17:04:a3:03:34:5b:3a:78:a6:29:f6:65:45:8e:26:
c7:3d:69:3c:1b:e9:22:43:c2:e2:6c:5a:35:a8:93:2d:ec:9f:
83:ce:c1:c9:1e:7f:f1:04:6c:8a:e2:81:d9:73:f6:ec:ef:0f:
4d:7d:7c:69:a8:f1:bc:f2:86:1e:2a:92:22:13:dc:31:52:c9:
e2:10:8b:cd:c0:90:82:d9:b0:cf:7a:eb:a0:d8:f7:a9:63:c8:
e0:bc:90:6b:26:3a:c7:5b:5c:e6:d8:7b:23:29:83:a1:e9:c6:
5c:13:53:2d:fd:ba:be:72:c1:b8:df:d7:57:8b:7d:8d:04:e8:
64:28:40:2a:71:b0:df:e6:de:18:01:67:f7:aa:0b:73:37:22:
a8:15:57:72:a3:03:26:05:34:81:67:8d:a3:7e:7c:39:a4:e7:
98:88:37:97:6a:49:5b:9f:e8:ea:c1:7f:2e:35:c2:21:02:20:
2a:9b:45:ea:dc:f0:ee:ed:b1:b1:6c:9b:91:5f:bb:eb:14:ee:
68:8f:f0:d5:2c:dd:ee:71:3f:f2:51:d2:80:f6:59:cd:85:03:
76:1c:6f:bd:0e:52:d4:1e:05:b6:1c:f8:bb:2d:48:ac:74:67:
76:d2:85:47
Once you are certain all fields are accurate, send the CSR to the CA. You will undoubtedly require the key file when configuring your service to utilize TLS.
Creating and Signing a Certificate
Once the CSR is received from the requester, it must be created, signed, and the resulting certificate sent back. You will need the CA pass phrase!
[root@mybox request-csrservrer.example.int]# HOST="csrservrer.example.int" ; openssl ca -policy policy_anything -in $HOST-CSR.pem -out $HOST-CERT.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e0:b0:ba:3b:0f:2b:e0:80
Validity
Not Before: Mar 18 16:50:35 2011 GMT
Not After : Feb 9 16:50:35 2014 GMT
Subject:
countryName = US
stateOrProvinceName = MyState
localityName = AnyTown
organizationName = MyOrg
organizationalUnitName = MySubOrg
commonName = csrservrer.example.int
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BC:2F:84:FB:7A:26:C4:0D:A5:D1:57:58:E4:74:86:F8:24:B9:41:8E
X509v3 Authority Key Identifier:
keyid:FD:80:40:CA:CC:E7:57:6E:A5:B9:C7:40:E5:FE:2C:D1:F8:21:A4:E3
Certificate is to be certified until Feb 9 16:50:35 2014 GMT (1059 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mybox csrservrer.example.int]# ls
csrservrer.example.int-CERT.pem csrservrer.example.int-CSR.pem
Verify the file. Be sure any requested x509 extensions are included (like subjectAltName)
[root@mybox csrservrer.example.int]# openssl x509 -noout -text -in csrservrer.example.int-CERT.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e0:b0:ba:3b:0f:2b:e0:81
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=AnyState, O=MyOrg, OU=MySubOrg, CN=CA ROOT
Validity
Not Before: Mar 18 17:02:08 2011 GMT
Not After : Feb 9 17:02:08 2014 GMT
Subject: C=US, ST=MyState, L=AnyTown, O=MyOrg, OU=MySubOrg, CN=csrservrer.example.int
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:7b:3c:7c:d2:e9:2a:37:63:fc:a9:22:ec:7a:
4e:f1:1f:e6:48:73:4a:14:16:9f:b9:7f:2a:c5:52:
87:94:0c:fa:78:8f:8e:c1:77:13:65:76:13:12:22:
aa:8c:de:15:e3:72:a5:8a:f0:4f:ff:95:7b:ca:b4:
4a:2a:fb:e9:9d:c9:5c:9f:42:64:0a:18:32:d8:b9:
56:a5:5b:40:fc:01:af:6d:13:33:64:66:b9:bd:90:
50:11:d4:28:e7:58:70:10:25:60:78:f2:ad:b3:ca:
72:8c:a0:15:a0:69:80:b0:48:71:c3:c7:d7:e4:26:
07:7c:0a:e7:f9:2e:11:c6:fa:82:5a:9f:df:58:18:
77:04:d8:18:1c:64:f5:81:a3:e4:0b:9c:89:94:d6:
a6:f6:d0:50:79:95:7f:9e:9d:a8:5b:e8:7d:dd:bd:
f9:26:46:cb:a0:bd:d9:f8:48:b8:c7:4a:8c:cb:c0:
7b:52:10:31:c1:0e:e7:cd:61:37:9f:3a:8e:e9:79:
d0:e6:35:9b:0c:e4:6c:85:1b:86:60:5e:81:64:88:
99:4a:7e:0c:96:d6:0b:41:7e:4f:aa:8b:65:77:93:
e0:25:b9:6f:77:71:38:08:17:64:c4:aa:1f:45:9d:
41:97:79:0b:10:cc:b9:e2:44:82:bb:54:f9:49:a4:
66:81
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F9:DA:A8:30:CE:12:EB:37:93:87:08:15:48:C0:34:84:E8:1F:34:14
X509v3 Authority Key Identifier:
keyid:FD:80:40:CA:CC:E7:57:6E:A5:B9:C7:40:E5:FE:2C:D1:F8:21:A4:E3
X509v3 Subject Alternative Name:
DNS:vip.example.int,DNS:vip2.example.int,DNS:csrserver.cluster.int
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
26:0c:f4:62:6d:fc:82:eb:31:d6:35:72:bf:86:d7:9d:28:ff:
7f:44:27:02:c5:8f:16:22:d2:9b:ad:7e:3f:8c:6d:9b:43:1a:
c0:d0:57:9b:0a:5e:da:36:a0:c7:a6:1f:44:bb:76:ee:d1:3b:
d8:97:9c:88:95:49:39:1d:87:5d:b0:d7:89:bf:6f:a1:71:f2:
51:2c:e5:57:7e:c3:78:f3:71:fa:8c:9a:81:8f:ab:91:a4:2c:
2c:24:cd:fb:8d:63:a0:ca:ae:ac:4a:9d:d5:4d:29:0b:56:84:
8f:25:03:6a:f9:4d:e5:fc:2d:86:94:74:e3:98:7a:f7:ad:df:
7b:50:d2:d1:c5:e6:2d:a9:35:6a:53:c6:73:a4:45:90:0e:0b:
50:0c:57:d5:e5:ee:4d:5d:01:e0:bd:91:d4:90:29:d3:4b:ed:
1f:83:0b:73:99:ea:47:8d:ab:42:33:6f:bd:e0:57:6e:c6:e2:
46:f4:3f:c5:9e:19:db:34:d2:50:ad:d9:8a:61:f9:42:d3:63:
b9:76:7d:63:a2:12:dd:f8:fe:b2:66:be:6c:31:98:56:24:2e:
d9:8e:42:19:b8:05:33:ff:9c:c8:83:8d:ca:4c:6f:31:b1:66:
db:7a:9c:c3:b2:fc:85:6f:00:e2:8b:0f:2c:0c:c9:b8:3c:80:
53:f2:05:41
Send the resulting certificate file back to the requester.
Revoking a certificate
Sometimes you may need to revoke a certificate. To do this, you will need the original certificate file, which should be located in the /etc/pki/CA/newcerts directory. Locate the file (you will also need your CA pass phrase) and run this command:
[root@mybox newcerts]# openssl ca -revoke etc/pki/CA/newcerts/E0B0BA3B0F2BE080.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Revoking Certificate E0B0BA3B0F2BE080. Data Base Updated
