Setting up the CA with OpenSSL
I use CA.pl, a Perl program bundled with OpenSSL, and a modified openssl.cnf file. In case you need these two files, you can get them here: CA.pl | openssl.cnf.
The following are the steps to create a CA:
Choose a directory to do your CA work. All commands are executed within this directory. Let's call the directory myprofileCA.
Copy CA.pl and openssl.cnf into myprofileCA.
Create a new CA like this:
./CA.pl -newca
A certificate filename (or enter to create) <enter>
Making CA certificate ...
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
............++++++
......................++++++
writing new private key to './myprofileCA/private/cakey.pem'
Enter PEM pass phrase: <secret passphrase here>
Verifying password - Enter PEM pass phrase: <secret passphrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:..
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myprofileCA
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:myprofileCA Certificate Master
Email Address []:[email protected]
This creates a new CA in the directory myprofileCA. The CA's self-signed certificate is in myprofileCA/cacert.pem and its RSA key pair is in myprofileCA/private/cakey.pem.
myprofileCA/private/cakey.pem looks like this:
cat myprofileCA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,19973A9DBBB601BA

eOq9WFScNiI4/UWEUaSnGTKpJv2JYuMD3HwQox2Q3Cd4zGqVjJ6gF3exa5126cKf
X/bMVnwbPpuFZPiAIvaLyCjT6pYeXTBbSzs7/GQnvEOv+nYnDUFWi0Qm92qLk0uy
pFi/M1aWheN3vir2ZlAw+DW0bOOZhj8tC7Co7lMYb0YE271b6/YRPZCwQ3GXAHUJ
+aMYxlUDrK45aCUa/1CZDzTgk7h9cDgx2QJSIvYMYytCfI3zsuZMJS8/4OXLL0bI
lKmAc1dwB3DqGJt5XK4WJesiNfdxeCNEgAcYtEAgYZTPIApU+kTgTCIxJl2nMW7j
ax+Q1z7g+4MpgG20WD633D4z4dTlDdz+dnLi0rvuvxiwt+dUhrqiML1tyi+Z6EBH
jU4/cLBWev3rYfrlp4x8J9mDte0YKOk3t0wQOHqRetTsIfdtjnFp/Hu3qDmTCWjD
z/g7PPoO/bg/B877J9WBPbL/1hXXFYo88M+2aGlPOgDcFdiOqbLb2DCscohMbbVr
A4mgiy2kwWfIE73qiyV7yyG8FlRvr1iib+jbT3LTGf743utYAAs7HNGuOUObhoyt
jYvBD7ACn35P5YX7KTqvqErwdijxYCaNBCnvmRtmYSaNw9Kv1UJTxc5Vx7YLwIPk
E9KyBgKI7vPOjWBZ27+zOvNycmv1ciNtpALAw4bWtXnhCDVTHaVDy34OkheMzNCg
2cjcBFzOkMIjcI03KbTQXOFIQGlsTWXGzkNf/zBQ+KksT1MCj+zBXSCvlDASMckg
kef21pGgUqPF14gKGfWX3sV4bjc1vbrRwq6zlG3nMuYqR5MtJJY9eQ==
-----END RSA PRIVATE KEY-----
Next, generate a certificate request.
./CA.pl -newreq
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
..........++++++
..............++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <another secret passphrase here>
Verifying password - Enter PEM pass phrase: <another secret passphrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:..
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Crypto
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:localhost
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<enter>
An optional company name []:<enter>
Request (and private key) is in newreq.pem
The certificate request and private key in newreq.pem look like this:
cat newreq.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,41B2874DF3D02DD4

mg611EoVkLEooSTv+qTM0Ddmm/M1jE/Jy5RD/sc3LSMhuGu9xc26OgsTJmkQuIAh
J/B4lAw8G59VTG6DykeEtrG0rUBx4bggc7PKbFuiN423YjJODWcHvVgnPOzXMQt+
lY4tPl5+217MRHyx2NsWGrpkQNdu3GeSPOVMl3jeQiaXupONbwQ7rj42+X/VtAJP
W4D1NNwu8aGCPyShsEXHc/fI1WDpphYWke97pOjIZVQESFZOPty5HjIYZux4U+td
W81xODtq2ecJXc8fn2Wpa9y5VD1LT7oJksOuL1+Z04OVaeUe4x0swM17HlBm2kVt
fe/C/L6kN27MwZhE331VjtTjSGl4/gknqQDbLOtqT06f3OISsDJETm2itllyhgzv
C6Fi3N03rGFmKectijC+tws5k+P+HRG6sai33usk8xPokJqA+HYSWPz1XVlpRmv4
kdjQOdST7ovU62mOTgf3ARcduPPwuzTfxOlYONe5NioO1APVHBrInQwcpLkpOTQR
vI4roIN+b75/nihUWGUJn/nbbBa2Yl0N5Gs1Tyiy9Z+CcRT2TfWKBBFlEUIFl7Mb
J9fTV3DI+k+akbR4il1NkQ8EcSmCr3WpA0I9n0EHI7ZVpVaHxc0sqaPFl8YGdFHq
1Qk53C/w6+qPpDzT3yKFmG2LZytAAM1czvb6RbNRJJP2ZrpBwn/h99sUTo/yPfxY
nueYmFJDm0uVNtG0icXGNUfSfnjKNTtHPAgyKGetRIC3kgJz/bo2w7EI6iEjBAzK
l5TRm4x6ZJxwuXXMiJCehMMd8TC8ybwWO4AO19B3ebFFeTVsUgxSGA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----
Decoding the certificate request gives the following:
openssl req -text -noout < newreq.pem
Using configuration from /usr/local/pkg/openssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, O=Crypto, CN=localhost/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50:
                    91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e:
                    6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13:
                    21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4:
                    c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac:
                    4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f:
                    6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9:
                    6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f:
                    0b:6f:e7:1c:bc:a6:59:97:ef
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        7a:68:46:9e:58:4b:9e:42:66:9c:be:c1:d8:a0:40:4c:23:2f:
        fc:12:96:eb:e8:f9:68:ed:a6:f3:f4:62:80:4c:26:ee:15:30:
        a7:99:8b:8d:39:47:ba:3c:a0:4c:22:3d:d9:6b:ae:58:8a:36:
        49:c5:98:72:88:68:22:93:2d:17:14:e7:d4:9c:03:a0:03:10:
        85:94:ce:a9:94:cc:fe:42:b3:a8:eb:49:1a:37:34:a7:e0:d5:
        b7:74:f4:3d:4a:f6:bb:10:91:17:3d:52:bb:fd:99:10:48:b2:
        b7:9d:1a:76:04:08:d7:91:68:ae:51:d7:2c:e9:3a:8c:27:8a:
        75:c2
Now, sign the certificate request:
./CA.pl -sign
Using configuration from openssl.cnf
Enter PEM pass phrase: <CA's passphrase>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'SG'
organizationName      :PRINTABLE:'Crypto'
commonName            :PRINTABLE:'localhost'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 31 02:57:30 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
That's it! The certificate, newcert.pem, and the private key - newreq.pem (encrypted) or newkey.pem (unencrypted) - are now ready to be used. You may wish to rename the files to more intuitive names.
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
Please note that you will need to specify the password you entered earlier during the installation process for MyProfile! The full path to the openssl.cnf file must also be provided during the installation process.
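The whole procedure above (new CA, new request, sign, strip the pass phrase) as one non-interactive script, together with the checks worth running on the result before the files go into service. This is an added example and is not the page's CA.pl or its openssl.cnf: it calls openssl req and openssl ca directly with a minimal configuration that is constructed inside the script, mirrors the directory layout CA.pl uses (private/, newcerts/, index.txt, serial), and assumes OpenSSL 1.1.1 or newer on PATH. It uses 2048-bit RSA and SHA-256 rather than the 1024-bit keys and md5WithRSAEncryption seen in the transcripts, and the pass phrases ca-secret and server-secret are placeholders.

```shell
#!/bin/sh
# Added example, not the page's CA.pl or openssl.cnf: the same newca -> newreq -> sign flow
# done non-interactively with plain openssl commands, plus the checks a practitioner runs
# afterwards. Assumes OpenSSL 1.1.1+ on PATH and uses 2048-bit RSA/SHA-256 throughout.
set -eu

# Lay out the CA directory the way CA.pl does and write a minimal config (constructed here).
make_ca_workdir() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"      # the CA database, empty to start with
    echo 01 > "$dir/serial"   # next serial number to issue
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = v3_server
[ policy_loose ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
authorityKeyIdentifier = keyid, issuer
EOF
}

# ./CA.pl -newca: pass-phrase-protected CA key plus a self-signed CA certificate.
new_ca() {
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -keyout "$1/private/cakey.pem" -passout "pass:$2" \
        -subj "/C=FR/O=myprofileCA/CN=myprofileCA Certificate Master" \
        -days 3650 -out "$1/cacert.pem" 2>/dev/null
}
# ./CA.pl -newreq: pass-phrase-protected server key plus a certificate request.
new_req() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 \
        -keyout "$1/newkey.pem" -passout "pass:$2" \
        -subj "/C=FR/O=Crypto/CN=localhost" -out "$1/newreq.pem" 2>/dev/null
}
# ./CA.pl -sign: issue the certificate through the CA database (-batch answers the y/n prompts).
sign_req() {
    openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$2" \
        -in "$1/newreq.pem" -out "$1/newcert.pem" -notext 2>/dev/null
}

# Check 1: the issued certificate chains to the CA certificate.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}
# Check 2: the certificate carries the public half of this private key (compare the SPKIs).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
# The page's "openssl rsa -in key.pem -out keyout.pem", then confirm the copy is unencrypted.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    ! grep -q ENCRYPTED "$3"
}

# Whole flow in a throwaway directory; prints that directory on success.
run_demo() {
    dir=$(mktemp -d) &&
    make_ca_workdir "$dir" &&
    new_ca "$dir" ca-secret &&
    new_req "$dir" server-secret &&
    openssl req -in "$dir/newreq.pem" -noout -verify >/dev/null 2>&1 &&  # CSR self-signature
    sign_req "$dir" ca-secret &&
    verify_cert "$dir" &&
    key_matches_cert "$dir/newcert.pem" "$dir/newkey.pem" server-secret &&
    strip_passphrase "$dir/newkey.pem" server-secret "$dir/newkey-plain.pem" &&
    printf '%s\n' "$dir"
}
run_demo
```

Save it as a file and run it with sh; it prints the temporary directory holding cacert.pem, newreq.pem, newcert.pem and both key files. The three check functions are the part worth keeping: verify_cert, key_matches_cert and strip_passphrase can be pointed at the newcert.pem and newreq.pem produced by CA.pl just as well, and a mismatch between the certificate and the key you are about to install is exactly the mistake that surfaces only at first TLS handshake otherwise.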