Hi,
Steps to create a CA. First, create the CA directory structure in the filesystem:
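# Lay out the CA directory tree. The original ran `mkdir -p CA` and then a second
# `mkdir -p` for the subdirectories; `-p` already creates the parent, so one call
# suffices. The `private` directory will hold the CA key, so it is restricted to
# the owner right away instead of relying on the umask.
#
# CA_DIR: optional environment override for the root of the tree (defaults to
#         the relative path `CA`, exactly as the original commands used).
ca_dir=${CA_DIR:-CA}
mkdir -p -- "$ca_dir/crl" "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/private" "$ca_dir/conf"
chmod 700 -- "$ca_dir/private"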
Create the OpenSSL config file `/root/CA/conf/openssl.cnf`:
#
# openssl.cnf root CA config
#
# /root/CA/conf/openssl.cnf
#
# Used by `openssl ca` (section [ ca ] -> [ myCARoot ]) and by `openssl req`
# (section [ req ]). All paths are anchored at `dir` below.
#
[ ca ]
default_ca = myCARoot

[ myCARoot ]
# Directory and file locations.
dir = /root/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
# index.txt and serial must exist before the first `openssl ca` run.
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.cer

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/crl.pem
crl_extensions = crl_ext
default_crl_days = 90

# Use at least sha256
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
# Validity of certificates signed by this CA (10 years) unless `-days` is
# passed on the command line; long, but this CA is meant to sign intermediates.
default_days = 3650
preserve = no
# Which DN fields a CSR must match/supply; see [ policy_strict ] below.
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# "match" compares against the *root certificate's* DN (the values given to
# `openssl req -subj`), not against the _default values in
# [ req_distinguished_name ].
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# Not referenced by [ myCARoot ]; intended for the intermediate CA's config.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Key size only applies when `openssl req` generates a key itself; the root
# key in this guide is created separately with `openssl genrsa ... 4096`.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# Use at least sha256
default_md = sha256
# Extension for -x509 option
x509_extensions = v3_root_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

# Defaults (only used when prompting; ignored when -subj is given)
countryName_default = DE
stateOrProvinceName_default = Germany
localityName_default = Nuremberg
0.organizationName_default = my Company
organizationalUnitName_default = my Department
emailAddress_default = me@mycompany.org

[ v3_root_ca ]
# Extensions for the CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
# digitalSignature is deliberately left out: the root key signs only
# certificates and CRLs. NOTE(review): without it the root key cannot sign
# OCSP responses directly; use a delegated [ ocsp ] signer instead.
#keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign
# Placeholder URL; replace yourDomain.org. Note the file name here differs from
# `crl = $dir/crl/crl.pem` above, so adjust one of them when publishing the CRL.
crlDistributionPoints=URI:http://yourDomain.org/crl/intermediateca-ca-crl.pem

[ v3_intermediate_ca ]
# Extensions for the intermediate CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may issue end-entity certs only, no further CAs.
basicConstraints = critical, CA:true, pathlen:0
#keyUsage = critical, digitalSignature, cRLSign, keyCertSign
keyUsage = critical, cRLSign, keyCertSign

[ client_cert ]
# Extensions for client certificates
basicConstraints = CA:FALSE
# nsCertType/nsComment are legacy Netscape extensions, kept for compatibility.
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# clientAuth is included so a server cert can also be used for mutual TLS.
extendedKeyUsage = serverAuth,clientAuth

[ crl_ext ]
# Extension for CRL
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
Create the index and serial files:
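# Initialise the `openssl ca` bookkeeping files inside the CA directory.
# The original did not check `cd CA`; if it failed, index.txt/crlnumber/serial
# were silently created in the current directory instead.
#
# CA_DIR: optional environment override for the CA root (defaults to `CA`).
ca_dir=${CA_DIR:-CA}
cd -- "$ca_dir" || { printf 'cannot cd into %s\n' "$ca_dir" >&2; exit 1; }
# Empty certificate database; openssl ca appends one line per issued cert.
touch index.txt
# Starting CRL number and certificate serial (hexadecimal).
printf '1000\n' > crlnumber
printf '1000\n' > serial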
If set, openssl uses the config file named by the environment variable OPENSSL_CONF. Otherwise you have to pass the command-line option -config on every call.
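# Point OpenSSL at the CA config so `-config` need not be repeated on every call.
export OPENSSL_CONF=/root/CA/conf/openssl.cnf

# Passphrase for the CA key. Supply it via the environment (e.g. `read -rs
# CA_KEY_PASS`) instead of `-passout pass:...` on the command line, which is
# visible to other users through `ps` and ends up in the shell history.
: "${CA_KEY_PASS:?set CA_KEY_PASS to the passphrase for the CA private key}"

# Generate the 4096-bit RSA root key, encrypted with AES-256. The restrictive
# umask is scoped to the subshell so the key file is never created
# world-readable, even briefly before the chmod below.
(umask 077 && openssl genrsa -aes256 -passout env:CA_KEY_PASS -out private/ca.key 4096)
chmod 400 private/ca.key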
Show the key details:
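# Inspect the CA key (you are prompted for the passphrase). `-noout` stops
# openssl from re-printing the decrypted PEM key after the text dump; note that
# `-text` still prints the private components, so run this only on a trusted
# terminal and not into a log.
openssl rsa -in private/ca.key -noout -text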
Create the self-signed root certificate:
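# Self-sign the root certificate (10 years, SHA-256) using the v3_root_ca
# extensions from openssl.cnf (OPENSSL_CONF must point at it).
#
# The key passphrase is read from the environment rather than passed as
# `-passin pass:...`, which is visible via `ps` and the shell history.
: "${CA_KEY_PASS:?set CA_KEY_PASS to the passphrase for the CA private key}"

# NOTE: ST=Frankonia here differs from stateOrProvinceName_default=Germany in
# openssl.cnf. With policy_strict, CSRs signed by this root must match the
# C/ST/O values used in this -subj, so keep them in sync with the intermediate.
openssl req -key private/ca.key -new -x509 -days 3650 -sha256 \
  -extensions v3_root_ca \
  -subj "/C=DE/ST=Frankonia/L=Nuremberg/O=my Company/OU=my Department/CN=My root CA 2017" \
  -passin env:CA_KEY_PASS \
  -out certs/ca.cer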
View the details of your new root CA certificate:
# Print the freshly created root certificate in human-readable form; the PEM
# block follows the text dump, as with the original command.
root_cert=certs/ca.cer
openssl x509 -text -in "$root_cert"
That’s it.
The next article covers creating an intermediate CA.
Michael