First Steps

OpenSSL comes with some scripts that you can use to create certificates but this article will show you how you can perform these functions so that you can modify the scripts to suit your own needs. This article is based on a UNIX system but will work on Windows as well.

Procedure 2.1. Certificate Authority

  1. Creating the Necessary Directories

    First of all create a directory tree where all certificates and working files will be kept. The usual default directory is /etc/pki/tls . So, as root, create our own directories so they will not interfere with normal system operation:

    # mkdir -p /etc/pki/CA/{conf,private,public,requests,certs,crl}
    # chmod 755 /etc/pki/CA/{conf,public,requests,certs,crl}
    # chmod 400 /etc/pki/CA/private
    # cd /etc/pki/CA
    # echo “01” > conf/serial
    # touch conf/index
                
  2. Initial OpenSSL configuration

    We need to create the default OpenSSL configuration file (openssl.cnf) to our CA/conf directory.

    # perl -e ‘printf “
    [ req ]
    default_bits            = 2048
    default_keyfile         = ./private/myPriv.pem
    default_md              = sha1
    prompt                  = no
    distinguished_name      = root_ca_distinguished_name
    x509_extensions = v3_ca
    [ root_ca_distinguished_name ]
    countryName             = {country}
    stateOrProvinceName     = {state}
    localityName            = {city}
    organizationalUnitName  = {zone}
    commonName              = {companyname}
    emailAddress            = {email}
                
    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = CA:true
    
    [ ca ]
    default_ca              = CA_default
    
    [ CA_default ]
    dir                     = .
    new_certs_dir           = ./certs/
    database                = ./conf/index
    certificate             = ./public/myPub.pem
    serial                  = ./conf/serial
    private_key             = ./private/myPriv.pem
    x509_extensions         = usr_cert
    name_opt                = ca_default
    cert_opt                = ca_default
    default_crl_days        = 30
    default_days            = 1825
    default_md              = sha1
    preserve                = no
    policy                  = policy_match
    
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = optional
    organizationName        = optional
    organizationalUnitName  = match
    commonName              = supplied
    emailAddress            = optional
    
    [ usr_cert ]
    basicConstraints=CA:FALSE
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    nsCaRevocationUrl     = {url for crl}
    
    [ crl_ext ]
    authorityKeyIdentifier=keyid:always,issuer:always
    ‘”; > conf/openssl.cnf
                

    This file does not need to be world readable, so we change its attributes:

    # chmod 0600 /etc/pki/CA/conf/openssl.cnf
                
  3. Create the CA Certificate and Key

    Now that all initial directories and configuration files are setup, we need to create a self-signed certificate. This certificate will be used as our CAs certificate. In other words, we will use this to sign other certificate requests.

    Change to our CAs directory. As root:

    # cd /etc/pki/CA/
                    

    And then create your CAs Certificate and Private Key as root:

    # openssl req -config conf/openssl.cnf -days 1825 –x509 \
            -newkey rsa:1024 -out public/myPub.pem -outform PEM
    # openssl x509 -in public/myPub.pem -outform DER -out public/myPub.der
                    

    This creates a self-signed certificate which is valid for 5 years. You will be prompted for a passphrase for your CAs private key. Be sure that you use a strong passphrase and that you do not forget it. This command will use the default settings from the openssl.cnf file you setup earlier.

    Three files are created:

    • ./public/myPub.pem - This is your CAs certificate in Privacy Enhanced Mail (PEM) format and can be publicly available and of course world readable.

    • ./public/myPub.der - This is your CAs certificate in Distinguished Encoding Rules (DER) format and can be publicly available and of course world readable.

    • ./private/myPriv.pem - This is your CAs private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:

      # chmod 0400 /etc/pki/CA/private/myPriv.pem
                              
  4. Distributing Your Root CA Public Certificate

    The easiest way to distribute your key is to put up a web page and link to your public certificate. You will need to serve it using the right mime type. Under apache you can add the following line to your httpd.conf file:

    AddType application/x-x509-ca-cert .crt .cert .pem .der
                    
                    

    We can now copy our public key to our web site as something like Example-Inc-Root-CA.pem, and direct users to http://www.example.com/Example-Inc-Root-CA.pem in order to download it. Some clients require different formats to import, so we can make life easier for our users by offering our public key in different formats. Some clients require the key in DER format.

Further customization is possible in conf/openssl.cnf, but it is outside the scope of this document. These changes are straight forward if you familiarize yourself with the openssl.cnf structure and read up on OpenSSL .

The certificates we are going to create are general purpose certificates and their usage in not restricted to server authentication only. The private key we will create will not have passphrases. This is so that they can be used to protect services and these services will not need a passphrase to restart. This means that you should set restrictive permissions on the private keys , so that only root or the user under whose privileges a server runs can read these files.