stocksy.co.uk
"the site for those who crave disappointment"

Creating a Certificate Authority (CA), Issuing and Renewing Certificates

27th Oct 2007, 11:53:58

By James Stocks

How to create a certificate authority to self-sign certificates.

Updated 25th January 2009

Admission: Much of this information has been plagiarised from http://www.eclectica.ca/howto/ssl-cert-howto.php because I can never find it in my bookmarks and have to refer to it every time I need to issue a certificate.

"Portions of this document researched and written by Marcus Redivo. Permission to use this document for any purpose is hereby granted, providing that the copyright information and this disclaimer is retained. Author accepts no responsibility for any consequences arising from the use of this information. Copyright © 1996, 2007 Marcus Redivo. All rights reserved."

Create the CA itself

You only have to do this once.

# cd /etc/ssl/certs
# mkdir CA
# cd CA
# mkdir newcerts private
# echo '01' >serial
# touch index.txt

Create a configuration file for OpenSSL:

# vi openssl.cnf
# OpenSSL configuration file.

# Establish working directory. 
dir = . 

[ req ]
default_bits            = 4096                  # Size of keys
default_keyfile         = key.pem               # name of generated keys
default_md              = md5                   # message digest algorithm (md5 is obsolete for signatures; current OpenSSL and clients expect sha256)
string_mask             = nombstr               # permitted characters
distinguished_name      = req_distinguished_name

[ req_distinguished_name ]
# Variable name           Prompt string
#----------------------   ----------------------------------
0.organizationName      = Organization Name (company)
organizationalUnitName  = Organizational Unit Name (department, division)
emailAddress            = Email Address
emailAddress_max        = 40
localityName            = Locality Name (city, district)
stateOrProvinceName     = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max          = 64


##############################################################################
# CHANGE THESE FOR YOUR OWN REQUIREMENTS, DON'T USE TOASTPUTER, STAFFORD ETC!!
#

# Default values for the above, for consistency and less typing.
# Variable name                   Value
#------------------------------   ------------------------------
0.organizationName_default      = Toastputer
localityName_default            = Stafford
stateOrProvinceName_default     = Staffordshire
countryName_default             = UK
emailAddress_default             = invalid.stocksy@toastputer.net

#
# END CHANGES
##############################################################################

[ v3_ca ]
basicConstraints        = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_req ] 
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
distinguished_name      = req_distinguished_name 
req_extensions          = v3_req

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = md5                   # digest used when signing issued certs; see the note on md5 in [ req ] above
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Create the CA certificate. 7300 days is 20 years, which should be ample. Do not forget the password that it prompts you for, and use a strong one: the security of all your certs depends on it!

# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 7300 -config ./openssl.cnf

Create and sign certificates for your applications.

# openssl req -new -nodes -out mx.toastputer.net-req.pem -config ./openssl.cnf
# openssl ca -out mx.toastputer.net-cert.pem -config ./openssl.cnf -infiles mx.toastputer.net-req.pem
# mv key.pem mx.toastputer.net-key.pem

Important: Make sure that the CN (common name) matches the FQDN (eg mx.toastputer.net) for the server you are installing the certificate on!

Some programs (like Postfix) like a separate cert.pem and key.pem file, in which case you can just copy the *-key.pem and *-cert.pem files to somewhere that the application can read them.

Other programs (like Apache) want the key and the certificate smooshed together. Smoosh away:

# cat mx.toastputer.net-key.pem mx.toastputer.net-cert.pem > mx.toastputer.net-key-cert.pem

Now copy the *-key-cert.pem somewhere and tell the program to use it.

Renewing certificates

Your certificates will expire one year after creation (the default_days = 365 setting in openssl.cnf above). To renew one, you must revoke the old certificate and re-sign the signing request:

# cd /etc/ssl/certs/CA
# grep 'CN=mx\.toastputer\.net' index.txt
V       086056054153Z           0A      unknown /C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net

The serial number is '0A', so we revoke newcerts/0A.pem:

# openssl ca -revoke newcerts/0A.pem -config ./openssl.cnf

Delete the old certs, but retain the old mx.toastputer.net-key.pem and mx.toastputer.net-req.pem, then create the new cert:

# rm mx.toastputer.net-cert.pem mx.toastputer.net-key-cert.pem
# openssl ca -out mx.toastputer.net-cert.pem -config ./openssl.cnf -infiles mx.toastputer.net-req.pem

Smoosh the key and the cert together, but only if the program using them requires it:

# cat mx.toastputer.net-key.pem mx.toastputer.net-cert.pem > mx.toastputer.net-key-cert.pem
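The grep above finds the serial by eye, and once a name has been renewed it matches both the revoked and the replacement entry. As an added example (not from the original article), here is a small POSIX shell function that reads index.txt by its tab-separated fields and prints only the serial of the currently valid (status V) certificate for a given CN; the sample index.txt it runs against is constructed, not the author's real database.

```shell
#!/bin/sh
# Added example, not part of the original article.
#
# index.txt is tab-separated:
#   status  expiry  revocation-date  serial  filename  DN
# status is V (valid), R (revoked) or E (expired). The revocation date is
# empty for V entries, so the file must be split on tabs, not on whitespace.

# Constructed sample: 0A for mx.toastputer.net was revoked at renewal and
# 0B is its replacement; 09 is an unrelated valid cert.
SAMPLE_INDEX="$(printf 'V\t091010120000Z\t\t09\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=www.toastputer.net\nR\t081010120000Z\t080601120000Z\t0A\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net\nV\t090601120000Z\t\t0B\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net\n')"

# valid_serial_for_cn CN [INDEXFILE]
#   Prints the serial of every status-V entry whose DN has CN=<CN>.
#   Reads INDEXFILE, or standard input when no file is given.
#   The serial is what newcerts/<serial>.pem is named after.
valid_serial_for_cn() {
    cn="$1"
    awk -F '\t' -v cn="$cn" '
        $1 == "V" {
            dn = $6
            sub(/.*\/CN=/, "", dn)   # keep the text after the last CN=
            sub(/\/.*/, "", dn)      # drop any attribute that follows it
            if (dn == cn) print $4
        }
    ' ${2:+"$2"}
}

# Demonstration on the constructed sample; the real CA would pass
# /etc/ssl/certs/CA/index.txt as the second argument.
printf '%s\n' "$SAMPLE_INDEX" | valid_serial_for_cn mx.toastputer.net
```

The revoked 0A entry is skipped, so the renewal step above can revoke newcerts/<serial>.pem without re-reading the grep output by hand.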

Some Rights Reserved