OpenSSL comes with some scripts that you can use to create certificates but this article will show you how you can perform these functions so that you can modify the scripts to suit your own needs. This article is based on a UNIX system but will work on Windows as well.
Procedure 2.1. Certificate Authority
Creating the Necessary Directories
First of all create a directory tree where all certificates and working files will be kept. The usual default directory is /etc/pki/tls . So, as root, create our own directories so they will not interfere with normal system operation:
# mkdir -p /etc/pki/CA/{conf,private,public,requests,certs,crl} # chmod 755 /etc/pki/CA/{conf,public,requests,certs,crl} # chmod 400 /etc/pki/CA/private # cd /etc/pki/CA # echo “01” > conf/serial # touch conf/index
Initial OpenSSL configuration
We need to create the default OpenSSL configuration file (openssl.cnf) to our CA/conf directory.
# perl -e ‘printf “ [ req ] default_bits = 2048 default_keyfile = ./private/myPriv.pem default_md = sha1 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = v3_ca [ root_ca_distinguished_name ] countryName = {country} stateOrProvinceName = {state} localityName = {city} organizationalUnitName = {zone} commonName = {companyname} emailAddress = {email} [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true [ ca ] default_ca = CA_default [ CA_default ] dir = . new_certs_dir = ./certs/ database = ./conf/index certificate = ./public/myPub.pem serial = ./conf/serial private_key = ./private/myPriv.pem x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default default_crl_days = 30 default_days = 1825 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = optional organizationName = optional organizationalUnitName = match commonName = supplied emailAddress = optional [ usr_cert ] basicConstraints=CA:FALSE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always nsCaRevocationUrl = {url for crl} [ crl_ext ] authorityKeyIdentifier=keyid:always,issuer:always ‘”; > conf/openssl.cnf
This file does not need to be world readable, so we change its attributes:
# chmod 0600 /etc/pki/CA/conf/openssl.cnf
Create the CA Certificate and Key
Now that all initial directories and configuration files are setup, we need to create a self-signed certificate. This certificate will be used as our CAs certificate. In other words, we will use this to sign other certificate requests.
Change to our CAs directory. As root:
# cd /etc/pki/CA/
And then create your CAs Certificate and Private Key as root:
# openssl req -config conf/openssl.cnf -days 1825 –x509 \ -newkey rsa:1024 -out public/myPub.pem -outform PEM # openssl x509 -in public/myPub.pem -outform DER -out public/myPub.der
This creates a self-signed certificate which is valid for 5 years. You will be prompted for a passphrase for your CAs private key. Be sure that you use a strong passphrase and that you do not forget it. This command will use the default settings from the openssl.cnf file you setup earlier.
Three files are created:
./public/myPub.pem - This is your CAs certificate in Privacy Enhanced Mail (PEM) format and can be publicly available and of course world readable.
./public/myPub.der - This is your CAs certificate in Distinguished Encoding Rules (DER) format and can be publicly available and of course world readable.
./private/myPriv.pem - This is your CAs private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:
# chmod 0400 /etc/pki/CA/private/myPriv.pem
Distributing Your Root CA Public Certificate
The easiest way to distribute your key is to put up a web page and link to your public certificate. You will need to serve it using the right mime type. Under apache you can add the following line to your httpd.conf file:
AddType application/x-x509-ca-cert .crt .cert .pem .der
We can now copy our public key to our web site as something like Example-Inc-Root-CA.pem, and direct users to http://www.example.com/Example-Inc-Root-CA.pem in order to download it. Some clients require different formats to import, so we can make life easier for our users by offering our public key in different formats. Some clients require the key in DER format.
Further customization is possible in conf/openssl.cnf, but it is outside the scope of this document. These changes are straight forward if you familiarize yourself with the openssl.cnf structure and read up on OpenSSL .
The certificates we are going to create are general purpose certificates and their usage in not restricted to server authentication only. The private key we will create will not have passphrases. This is so that they can be used to protect services and these services will not need a passphrase to restart. This means that you should set restrictive permissions on the private keys , so that only root or the user under whose privileges a server runs can read these files.