Andrei bio photo

Andrei

Linux engineer, devops enthusiast and sys-admin/developer hybrid

Email LinkedIn Github

Overview

Ever wonder how to set up a Certificate Authority and how to propperly generate/revoke certificates? Openssl is an open source library that can help you accomplish that.

Certificate Authorities are entities that sign virtual certificates. Verisign or Digicert are some known public CA. They are most useful for public domains and certificates signed by them are not for free.

You can act as your own Certificate Authority on some cases and create your own CA for certificate management. This can be be done easily by using OpenSSL and it is best to implement on intranet systems.

openssl certificate authority

Create the RootCA PK and certificate

1. Set up directory structure

mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
  • cert dir will contain certificates
  • crl will contain certification revocation lists
  • private will contain the private keys

2. Set up config file

You can find here a sample configuration file. Save it as /root/ca/openssl.cnf, it will be used later

3. Create RootCA private key

cd /root/ca
openssl genrsa -aes256 -out private/ca.key.pem 4096

Enter pass phrase for ca.key.pem: mypassword
Verifying - Enter pass phrase for ca.key.pem: mypassword

chmod 400 private/ca.key.pem
  • omitting aes256 will not set a password on your PK. It is NOT recommended on RootCA or IntermediateCA PK

4. Create the RootCA certificate

cd /root/ca

openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem

Enter pass phrase for ca.key.pem: mypassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Root CA
Email Address []:

chmod 444 certs/ca.cert.pem
  • extensions v3_ca specifies the extension from openssl.conf to be used
  • set to expire after 20 years. CAs usually have a long expiry period

5. Verify the RootCA certificate

openssl x509 -noout -text -in certs/ca.cert.pem
  • Issuer and Subject will be the same as this is a self-signed certificate
  • Subject CN section specifies the Common Name of the certificate and it is used as an identity field.

Create Intermediate PK and certificate

An intermediate certificate is signed by the root certificate and it expires faster than the RootCA.

1. Setting up dir structure

mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber
  • crlnumber is used for tracking certificate revocation lists

2. Set up config file

You can find here a sample configuration file. Save it as /root/ca/intermediate/openssl.cnf, it will be used later

3. Create the IntermediateCA private key

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096

Enter pass phrase for intermediate.key.pem: mypassword
Verifying - Enter pass phrase for intermediate.key.pem: mypassword

chmod 400 intermediate/private/intermediate.key.pem

4. Create the IntermediateCA certificate

Creating an intermediate certificate consists in 2 steps:

  • create a certificate signing request using the IntermidiateCA openssl.cnf config file

  • sing the intermediate request by using the RootCA openssl.cnf config file. It will result the intermediate certificare

4.a Create the signing request
cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

Enter pass phrase for intermediate.key.pem: mypassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Intermediate CA
Email Address []:
4.b Create the certificate
cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem

Enter pass phrase for ca.key.pem: mypassword
Sign the certificate? [y/n]: y

chmod 444 intermediate/certs/intermediate.cert.pem

5. Verify the Intermediate certificate

openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem
  • this outputs the content of the certificate
openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

intermediate.cert.pem: OK
  • this verifies IntermediateCA against the RootCA

6. Create the certificate chain

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

Create a new certificate signed by the IntermediateCA

1. Create a certificate private key

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/www.example.com.key.pem 2048
chmod 400 intermediate/private/www.example.com.key.pem

2. Create a cert request and sign it

cd /root/ca
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.example.com.key.pem \
      -new -sha256 -out intermediate/csr/www.example.com.csr.pem

openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem
chmod 444 intermediate/certs/www.example.com.cert.pem
  • Note: new server/client certificates will be signed by the IntermediateCA.
  • “extensions server_cert” is used for creating a server certificate, you can use “extensions usr_cert” for user certificates.

3. Verify the certificate

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.example.com.cert.pem

www.example.com.cert.pem: OK

*Note: this will verify the certificate against the certificate chain we’ve created before