You can use openssl to create a self-signed Certificate or to create a Certificate Authority (CA) or to create Subordinate Certificate Authority as a full CA tree. All you need is the openssl package. The Document on openssl is not complete, but what we need is already documented. For all the commands I use I will refer to the openssl doc.
Openssl Documentation:
http://www.openssl.org/docs/apps/openssl.html
1. Root CA
1.1 Set yout enviroment
# mkdir root_ca # cd root_ca # cp /etc/ssl/openssl.cnf . # vi openssl.cnf |
Customize the configuration file of openssl for your Root CA.
With your favorite editor you can modify the configuration file of openssl, that is openssl.cnf. This file should you found in /etc/ssl/ folder (at least it is there in Ubuntu). I made some modification only in the default configuration file. See below:
# 21.11.2010 / George - commented out the randfile because it will be in the private folder. #RANDFILE = $ENV::HOME/.rnd ... # 21.11.2010 / George - changed the dir directory to local directory dir = . # Where everything is kept |
Tipp: If you modify your config file, it is usefull to put the date of the modification your name and a short comment what and why you did.
# mkdir certs # mkdir crl # mkdir newcerts # mkdir private # touch serial # echo 0100 > serial # touch index.txt # touch crlnumber # echo 0100 > crlnumber |
1.2 Generate random numbers
# openssl rand -out ./private/.rand 1024 |
1.3 Generate your RSA keypair with your password (keysize will be 2048 bit)
# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048 1024 semi-random bytes loaded Generating RSA private key, 2048 bit long modulus .............................+++ ..+++ e is 65537 (0x10001) Enter pass phrase for ./private/cakey.pem: root1234 Verifying - Enter pass phrase for ./private/cakey.pem: root1234 |
1.4 Create a self-signed certificate
# openssl req -x509 -new -key ./private/cakey.pem -out cacert.pem -config openssl.cnf Enter pass phrase for ./private/cakey.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HU State or Province Name (full name) [Some-State]:Budapest Locality Name (eg, city) []:Budapest Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Organizational Unit Name (eg, section) []:Security Common Name (eg, YOUR name) []:rootca Email Address []:info@mycompany.hu |
2. Subordinate CA
2.1 Set yout enviroment
# mkdir sub_ca # cd sub_ca # cp /etc/ssl/openssl.cnf . # vi openssl.cnf |
Customize the configuration file of openssl for your Subordinate CA.
# 21.11.2010 / George - commented out the randfile because it will be in the private folder. #RANDFILE = $ENV::HOME/.rnd ... # 21.11.2010 / George - changed the dir directory to local directory dir = . # Where everything is kept |
For this CA we need the following folders and files as well:
# mkdir certs # mkdir crl # mkdir newcerts # mkdir private # touch serial # echo 0100 > serial # touch index.txt # touch crlnumber # echo 0100 > crlnumber |
2.2 Generate random numbers
# openssl rand -out ./private/.rand 1024 |
2.3 Generate your RSA keypair with your password (keysize will be 2048 bit)
# openssl genrsa -out ./private/cakey.pem -des3 -rand ./private/.rand 2048 1024 semi-random bytes loaded Generating RSA private key, 2048 bit long modulus .............................+++ ....+++ e is 65537 (0x10001) Enter pass phrase for ./private/cakey.pem: sub1234 Verifying - Enter pass phrase for ./private/cakey.pem: sub1234 |
2.4 Create a certificate request
# openssl req -new -key ./private/cakey.pem -out subcareq.pem -config openssl.cnf Enter pass phrase for ./private/cakey.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:HU State or Province Name (full name) [Some-State]:Budapest Locality Name (eg, city) []:Budapest Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Organizational Unit Name (eg, section) []:Security Common Name (eg, YOUR name) []:subca Email Address []:info@mycompany.hu Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: |
3. Sign the subca certificate request with root CA.
The only differency in signing a certificate to be a ca certificate is an extension that is defined with v3_ca. Lets quote from the official dokumentation of openssl to understand it:
“The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. All CAs should have the CA flag set to true.
If the basicConstraints extension is absent then the certificate is considered to be a “possible CA” other extensions are checked according to the intended use of the certificate. A warning is given in this case because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software.”
# cd ../root_ca/ # openssl ca -in ../sub_ca/subcareq.pem -extensions v3_ca -config openssl.cnf Using configuration from openssl.cnf Enter pass phrase for ./private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 256 (0x100) Validity Not Before: Nov 21 20:52:41 2010 GMT Not After : Nov 21 20:52:41 2011 GMT Subject: countryName = HU stateOrProvinceName = Budapest organizationName = My Company organizationalUnitName = Security commonName = subca emailAddress = info@mycompany.hu X509v3 extensions: X509v3 Subject Key Identifier: B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D X509v3 Authority Key Identifier: keyid:35:F2:79:BA:53:4C:F6:C3:A6:CF:02:A3:2E:9E:CC:B2:A8:81:1D:5E DirName:/C=HU/ST=Budapest/L=Budapest/O=My Company/OU=Security/CN=rootca/emailAddress=info@mycompany.hu serial:AE:5D:58:9B:D0:71:E5:49 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Nov 21 20:52:41 2011 GMT (365 days) Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Certificate: Data: Version: 3 (0x2) Serial Number: 256 (0x100) Signature Algorithm: sha1WithRSAEncryption Issuer: C=HU, ST=Budapest, L=Budapest, O=My Company, OU=Security, CN=rootca/emailAddress=info@mycompany.hu Validity Not Before: Nov 21 20:52:41 2010 GMT Not After : Nov 21 20:52:41 2011 GMT Subject: C=HU, ST=Budapest, O=My Company, OU=Security, CN=subca/emailAddress=info@mycompany.hu Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c0:ea:3b:38:81:8d:b9:4a:21:09:e8:ff:6d:14: e7:bd:85:62:36:a5:2c:09:1a:0a:f4:0e:6d:78:07: 61:96:88:a2:81:d5:e4:a2:3c:97:05:87:14:23:ef: 9c:71:4d:f7:f8:5f:3d:0b:c5:96:76:28:b4:77:fe: 56:2d:f3:29:e8:cc:d9:62:90:5f:bd:af:63:bc:b3: 7e:8a:a1:74:5c:80:50:13:08:14:2b:6d:df:e6:2c: ef:c1:2e:a0:a4:0a:5e:fc:dd:a0:ed:26:d7:7f:d4: fd:91:72:97:55:aa:c6:98:29:cf:c3:d3:d4:3d:f1: 54:d9:e7:d8:e3:5a:4e:7c:b7:ee:35:5f:c5:96:e3: fc:eb:89:96:0b:ec:45:fc:83:d7:88:f0:8e:d0:54: 11:ca:0c:63:1f:75:47:74:44:f2:71:02:93:bb:ed: fe:9e:57:9e:0a:6f:23:f3:53:13:8e:01:85:e0:73: 64:51:9a:e2:dd:71:46:5d:f3:6b:ca:97:39:48:4c: 75:24:aa:84:c6:37:71:d6:98:18:be:a1:bf:e9:e1: 9a:b4:ea:c2:a7:f7:e0:7e:08:45:f7:bd:2d:1c:07: 90:31:4c:2a:29:f2:9b:6d:95:e1:1b:d0:1f:d0:fc: cd:bc:72:58:11:ae:a7:64:98:60:88:a2:b1:f7:30: c9:1d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B5:6E:8C:8C:DC:EE:91:31:B2:EA:40:C1:F0:F3:89:F9:04:3F:04:8D X509v3 Authority Key Identifier: keyid:35:F2:79:BA:53:4C:F6:C3:A6:CF:02:A3:2E:9E:CC:B2:A8:81:1D:5E DirName:/C=HU/ST=Budapest/L=Budapest/O=My Company/OU=Security/CN=rootca/emailAddress=info@mycompany.hu serial:AE:5D:58:9B:D0:71:E5:49 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption b8:13:9c:7c:83:c7:be:f8:d3:74:b3:82:b7:d3:92:0f:4e:cb: b2:cb:14:94:f9:01:26:de:5c:ad:c4:16:7f:e0:35:5a:70:cd: d1:98:11:93:84:ba:55:4a:78:30:49:2b:24:52:9c:a0:51:26: 33:bc:8b:c2:bc:8a:c2:20:0a:6c:eb:69:13:be:ef:df:96:53: ac:7b:39:c1:44:c3:73:f4:4b:72:e1:5d:6d:3f:fa:f9:6d:c4: d4:29:56:4c:e9:e8:dc:5a:7d:a4:31:16:f4:0d:da:ab:c1:76: 4d:e8:4b:36:b6:c7:4e:fc:f6:f8:cc:73:2c:b1:0e:e0:e0:36: a0:e6:9b:2a:bc:1d:73:b4:30:3d:96:b8:95:be:e7:2a:9a:6c: f2:b0:08:7e:eb:a1:a4:4d:cd:d0:c2:c6:03:dc:ad:f7:dc:92: e6:91:a5:0c:70:eb:4b:8b:13:c7:ad:e8:c2:86:96:4b:94:f2: c4:b3:ce:87:c8:32:df:16:94:85:27:be:ee:4f:bf:b5:00:64: 01:0d:d0:e5:90:44:18:47:86:98:f8:4d:2a:68:88:b2:f0:27: 3c:5b:26:40:0d:18:e9:18:7b:e9:fb:ca:ca:1d:ce:b5:c3:fb: 5d:52:81:df:05:08:0f:ec:45:95:04:e9:c2:1d:e2:2c:4a:90: a9:e8:54:49 -----BEGIN CERTIFICATE----- MII…here should be the certificate request… -----END CERTIFICATE----- Data Base Updated |
and just copy the subordinate CA certificate to the sub_ca directory
# cd ../subca/ # cp ../root_ca/newcerts/0100.pem cacert.pem |
You can now create a Certificate for clients, servers from subordinate CA or root CA as you need.
As an example, with the following command you can sign a client certificate.
# openssl ca -in client_req.pem -out client_cert.pem -config openssl.cnf |
And on the newly signed certificates – you generate later – you can see that they are not CAs:
# openssl x509 -in server_cert.pem -noout -text
...
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
...
|
Some conversion commands, if the certificate should be somewhere imported:
Convert a DER file (.crt .cer .der) to PEM
| # openssl x509 -inform der -in certificate.cer -out certificate.pem |
Convert a PEM file to DER
| # openssl x509 -outform der -in certificate.pem -out certificate.der |
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
| # openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes |
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
| # openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt |
..
itsecworks 
Todd Grayson (@CloudTodd)
January 28, 2015
So there is other discussion (on stackoverflow for example) that discusses the need to define the proper extensions in the openssl.cnf for your CA certificate generation vs your server certificate generation activity.
Its a good read to supplement this discussion (thanks for providing this btw). The article on stackoverflow is titled “How do you sign OpenSSL Certificate Signing Requests with your Certification Authority” its mostly around the ca_extensions settings.
Do you have an example of what your openssl.cnf was used for generating the CA certs you used?
itsecworks
January 28, 2015
Hi,
It was the most basic untouched cnf file. What I have changed is what I wrote on the Post. You can find it in the source code or if you installed it just look for it with find command.
lordmulder
August 29, 2016
Thanks for the guide! But in “and just copy the subordinate CA certificate to the sub_ca directory” there is a dangerous typo: The “cd” command fails, because you wrote “subca” instead of “sub_ca”, so the subsequent “cp” command overwrites the root_ca PEM file.
itsecworks
August 29, 2016
Hmm, nobody realised that before. Thanks anyway!