|
| 2 |
|
| 3 |
|
| 4 | How to set up your own Certificate Authority
|
| 5 | ============================================
|
| 6 |
|
| 7 |
|
| 8 | Note: this howto requires the openssl binary, as well as classic
|
| 9 | UNIX tools (cat, touch, echo, mkdir, rm). If you use Windows, please
|
| 10 | consider installing Cygwin -- see http://cygwin.com/
|
| 11 |
|
| 12 |
|
| 13 | 1. Configure OpenSSL
|
| 14 | --------------------
|
| 15 |
|
| 16 | First of all, create sslconf.txt in the current directory
|
| 17 | (a basic example is provided at the end of this file).
|
| 18 |
|
| 19 | cat > sslconf.txt <<"EOF"
|
| 20 | [paste contents here]
|
| 21 | EOF
|
| 22 |
|
| 23 | Then create the CA database (index), the starting serial number, and the directory that will receive newly issued certificates:
|
| 24 |
|
| 25 | touch index
|
| 26 | echo "01" > serial
|
| 27 | mkdir newcerts
|
| 28 |
|
| 29 |
|
| 30 | 2. Generate the CA certificate
|
| 31 | ------------------------------
|
| 32 |
|
| 33 | openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
|
| 34 | -set_serial 0 -text -keyout test-ca.key -out test-ca.crt
|
| 35 |
|
| 36 |
|
| 37 | 3. Generate the private keys and certificate requests
|
| 38 | -----------------------------------------------------
|
| 39 |
|
| 40 | openssl genrsa -out server1.key 2048
|
| 41 | openssl genrsa -out server2.key 2048
|
| 42 | openssl genrsa -out client1.key 2048
|
| 43 | openssl genrsa -out client2.key 2048
|
| 44 |
|
| 45 | openssl req -config sslconf.txt -new -key server1.key -out server1.req
|
| 46 | openssl req -config sslconf.txt -new -key server2.key -out server2.req
|
| 47 | openssl req -config sslconf.txt -new -key client1.key -out client1.req
|
| 48 | openssl req -config sslconf.txt -new -key client2.key -out client2.req
|
| 49 |
|
| 50 |
|
| 51 | 4. Issue and sign the certificates
|
| 52 | ----------------------------------
|
| 53 |
|
| 54 | openssl ca -config sslconf.txt -in server1.req -out server1.crt
|
| 55 | openssl ca -config sslconf.txt -in server2.req -out server2.crt
|
| 56 | openssl ca -config sslconf.txt -in client1.req -out client1.crt
|
| 57 | openssl ca -config sslconf.txt -in client2.req -out client2.crt
|
| 58 |
|
| 59 |
|
| 60 | 5. To revoke a certificate and update the CRL
|
| 61 | ---------------------------------------------
|
| 62 |
|
| 63 | openssl ca -config sslconf.txt -revoke server1.crt
|
| 64 | openssl ca -config sslconf.txt -revoke client1.crt
|
| 65 | openssl ca -config sslconf.txt -gencrl -out crl.pem
|
| 66 |
|
| 67 |
|
| 68 | 6. To display a certificate and verify its validity
|
| 69 | ---------------------------------------------------
|
| 70 |
|
| 71 | openssl x509 -in server2.crt -text -noout
|
| 72 | cat test-ca.crt crl.pem > ca_crl.pem
|
| 73 | openssl verify -CAfile ca_crl.pem -crl_check server2.crt
|
| 74 | rm ca_crl.pem
|
| 75 |
|
| 76 |
|
| 77 | 7. To export a certificate and its key into a .pfx (PKCS#12) file
|
| 78 | -----------------------------------------------------------------
|
| 79 |
|
| 80 | openssl pkcs12 -export -in client2.crt -inkey client2.key \
|
| 81 | -out client2.pfx
|
| 82 |
|
| 83 |
|
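##================================================================
##============== Example OpenSSL configuration file ==============
##================================================================
#
# Read by every "openssl req ..." and "openssl ca ..." command in this
# howto via "-config sslconf.txt". Paths are relative to the directory
# the commands are run from (the one holding index, serial and newcerts).
#
# References:
#
# /etc/ssl/openssl.conf
# http://www.openssl.org/docs/apps/config.html
# http://www.openssl.org/docs/apps/x509v3_config.html

# Entry point for "openssl ca": names the section holding the CA settings.
[ ca ]
default_ca = my_ca

[ my_ca ]
# CA certificate and private key produced in step 2. "openssl req -newkey"
# writes the key passphrase-protected unless -nodes is given; keep it that
# way, and keep test-ca.key away from anything that only needs test-ca.crt.
certificate = test-ca.crt
private_key = test-ca.key
# Text database of issued certificates (created empty with "touch index").
database = index
# File holding the next serial number to issue (seeded with "01" in step 1).
# Step 2 creates the CA certificate itself with "-set_serial 0"; RFC 5280
# requires serial numbers to be positive, so strict verifiers may reject a
# serial of 0 -- use a positive value for any CA certificate that leaves
# the test setup.
serial = serial

# Directory receiving a copy of every issued certificate, named by serial.
new_certs_dir = newcerts
# Validity of CRLs produced by "openssl ca -gencrl" (days).
default_crl_days = 60
# Validity of issued end-entity certificates (days).
default_days = 730
# Signature digest for issued certificates and CRLs. SHA-1 signatures are
# rejected by current browsers and by OpenSSL 3.x at its default security
# level; sha256 is the accepted minimum.
default_md = sha256
# DN policy applied to requests, and extensions added to issued
# certificates (both defined below).
policy = my_policy
x509_extensions = v3_usr

# Which subject fields a request must carry:
#   match    - must equal the value in the CA certificate
#   supplied - must be present (any value)
#   optional - may be present
[ my_policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Settings for "openssl req" (steps 2 and 3).
[ req ]
distinguished_name = my_req_dn
# Extensions for the self-signed CA certificate (only used with -x509).
x509_extensions = v3_ca
# Digest for the self-signed CA certificate's signature; same rationale
# as default_md in [ my_ca ].
default_md = sha256

# Prompts shown when a request is generated; *_min / *_max bound the
# length of the corresponding field.
[ my_req_dn ]
countryName = Country Name..............
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name....
localityName = Locality Name.............
0.organizationName = Organization Name.........
organizationalUnitName = Org. Unit Name............
commonName = Common Name (required)....
commonName_max = 64
emailAddress = Email Address.............
emailAddress_max = 64

# Extensions for the CA certificate. RFC 5280 requires basicConstraints
# to be critical on a CA certificate, and a keyUsage limited to signing
# certificates and CRLs keeps the CA key from being usable for anything
# else.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Extensions for the issued server/client certificates. No keyUsage,
# extendedKeyUsage or subjectAltName is set here, so the certificates are
# generic; modern TLS clients match host names against subjectAltName
# only, so a real deployment must add one (for example from a
# per-certificate section passed with -extensions / -extfile).
[ v3_usr ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer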
|