
Setup Your Own CA Using OpenSSL

28-Jul-2020 | Computer Networking, The Tools

Applied version

  • CentOS 6.10 (Final)
    OpenSSL 1.0.1e-fips


Create Custom-CA Signed Certificate

  • Root CA: TrustMe Root CA
  • Intermediate CA: TrustMe Intermediate CA L1M
  • Signed Server Certificate: www.xyz.com
  • Software Version (Figure 1)
    • OpenSSL directory
  • Generate Root CA certificate
    • Root CA private key, custom extensions (Figure 2)
    • Root CA certificate (Figure 3)
  • Generate Intermediate CA certificate
    • Intermediate CA private key, CSR (Figure 4)
    • Intermediate CA custom extensions, certificate (Figure 5)
  • Generate Signed Server certificate
    • Server private key (Figure 6)
    • Server CSR (Figure 7)
    • Server custom extensions  (Figure 8)
    • Server certificate (Figure 9)
  • Verification
    • Create CA-bundle certificate (Figure 10)
    • Verify Signed Server certificate (Figure 10)
    • Install/import Root CA certificate to the client system (Figure 11)
    • Test the HTTPS access (Figure 12)

0. Change Directory

  • cd /var/tmp

 

  1. Generate Root CA certificate
    • Generate private key
      • openssl genrsa -aes256 -passout pass:Passw0rd-rc@ -out TrustMe_RCA.key 2048
        • > RSA private key with 2048-bit key length
        • > Encrypt the private key with AES 256-bit and passphrase: Passw0rd-rc@
    • Add custom extensions to the OpenSSL config file
      • vi /etc/pki/tls/openssl.cnf
        • [ ext_ca_custom ]
        • # PKIX recommendations harmless if included in all certificates.
        • subjectKeyIdentifier=hash
        • authorityKeyIdentifier=keyid,issuer
        • basicConstraints=CA:TRUE,pathlen:1
        • keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
        • extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
        • subjectAltName = @alt_names
        • [alt_names]
        • DNS.1 = TrustMe Root CA G1
        • DNS.2 = TrustMe Root CA G2
      • Notes
        • > Basic constraints: CA:TRUE marks this as a CA certificate; pathlen:1 allows at most one further CA certificate (the intermediate) between it and an end-entity certificate. Mark the extension critical (basicConstraints=critical,CA:TRUE,pathlen:1) so that a client which does not understand it rejects the certificate instead of silently ignoring the constraint.
        • > Key usage: a CA certificate only needs keyCertSign and cRLSign (plus digitalSignature if the CA key will also sign OCSP responses). The remaining keyUsage bits, the extendedKeyUsage list and the subjectAltName above are not needed on a CA certificate; the alt_names values also contain spaces, so they are not valid DNS names and strict validators may reject them. A minimal, safer profile is subjectKeyIdentifier, authorityKeyIdentifier, critical basicConstraints and critical keyUsage=keyCertSign,cRLSign.
    • Generate certificate (with public key inside)
      • openssl req -x509 -new -key TrustMe_RCA.key -sha256 -days 7300 -extensions ext_ca_custom -out TrustMe_RCA.crt
        • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
        • > Validity period: 20 years (7300 days)
        • > Custom extensions: [ ext_ca_custom ]
      • Country Name:SG
      • State or Province Name:<no value>
      • Locality Name:Singapore
      • Organization Name:TrustMe, Inc.
      • Organizational Unit Name:(c) 2009 TrustMe, Inc. – for authorized use only
      • Common Name:TrustMe Root CA
      • Email Address:<just leave empty>
  2. Generate Intermediate CA certificate
    • Generate private key
      • openssl genrsa -aes256 -passout pass:Passw0rd-ic@ -out TrustMe_ICA.key 2048
        • > RSA private key with 2048-bit key length
        • > Encrypt the private key with AES 256-bit and passphrase: Passw0rd-ic@
    • Generate CSR
      • openssl req -new -sha256 -key TrustMe_ICA.key -out TrustMe_ICA.csr
        • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
      • Country Name:SG
      • State or Province Name:<no value>
      • Locality Name:Singapore
      • Organization Name:TrustMe, Inc.
      • Organizational Unit Name:(c) 2014 TrustMe, Inc. – for authorized use only
      • Common Name:TrustMe Intermediate CA L1M
      • Email Address:<just leave empty>
      • A challenge password:<just leave empty>
      • An optional company name:<just leave empty>
    • Create new custom OpenSSL config file (for adding custom extensions)
      • vi TrustMe_ICA.ext
        • # PKIX recommendations harmless if included in all certificates.
        • subjectKeyIdentifier=hash
        • authorityKeyIdentifier=keyid,issuer
        • basicConstraints=CA:TRUE,pathlen:0
        • keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
        • extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
        • subjectAltName = @alt_names
        • [alt_names]
        • DNS.1 = TrustMe Intermediate CA L1-1M
        • DNS.2 = TrustMe Intermediate CA L1-2M
      • Notes
        • > Basic constraints: pathlen:0 means no CA certificate may follow this one in a chain, so the intermediate can issue only end-entity certificates; a CA certificate signed by it will fail path validation. The same key-usage, EKU and SAN caveats as for the root apply here.
    • Generate and sign the certificate (with public key inside)
      • openssl x509 -req -in TrustMe_ICA.csr -CA TrustMe_RCA.crt -CAkey TrustMe_RCA.key -CAcreateserial -out TrustMe_ICA.crt -days 3650 -sha256 -extfile TrustMe_ICA.ext
        • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
        • > Validity period: 10 years (3650 days)
        • > Custom extensions: TrustMe_ICA.ext
  3. Generate Signed Server certificate (old complex method)
      • Generate private key
        • openssl genrsa -aes256 -passout pass:Passw0rd-svr -out www.xyz.com.key 2048
          • > RSA private key with 2048-bit key length
          • > Encrypt the private key with AES 256-bit and passphrase: Passw0rd-svr
      • Generate CSR
        • openssl req -new -sha256 -key www.xyz.com.key -out www.xyz.com.csr
          • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
        • Country Name:SG
        • State or Province Name:<no value>
        • Locality Name:Singapore
        • Organization Name:XYZ Pte. Ltd.
        • Organizational Unit Name:IT Division
        • Common Name:www.xyz.com
        • Email Address:<just leave empty>
        • A challenge password:<just leave empty>
        • An optional company name:<just leave empty>
      • Create new custom OpenSSL config file (for adding custom extensions)
        • vi www.xyz.com.ext
          • # PKIX recommendations harmless if included in all certificates.
          • subjectKeyIdentifier=hash
          • authorityKeyIdentifier=keyid,issuer
          • basicConstraints=CA:FALSE
          • keyUsage = digitalSignature, keyEncipherment
          • extendedKeyUsage = serverAuth, clientAuth
          • subjectAltName = @alt_names
          • [alt_names]
          • DNS.1 = www.xyz.com
          • DNS.2 = partners.xyz.com
          • DNS.3 = downloads.xyz.com
        • Notes
          • > Basic constraints: CA:FALSE marks this as an end-entity certificate. It cannot issue certificates, so pathlen has no meaning for it. The subjectAltName entries are what browsers match the requested hostname against; modern browsers no longer fall back to the Common Name, so every name the server will answer for must be listed as a DNS.n entry.
      • Generate and sign the certificate (with public key inside)
        • openssl x509 -req -in www.xyz.com.csr -CA TrustMe_ICA.crt -CAkey TrustMe_ICA.key -CAcreateserial -out www.xyz.com.crt -days 730 -sha256 -extfile www.xyz.com.ext
          • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
          • > Validity period: 2 years (730 days)
          • > Custom extensions: www.xyz.com.ext
  4. Generate Signed Server certificate (new simplified)
      • Generate private key and CSR
        • openssl req -nodes -newkey rsa:2048 -keyout www.xyz.com.key -out www.xyz.com.csr -sha256 -config www.xyz.com.conf
          • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
          • > -nodes leaves the private key unencrypted (no passphrase), which is convenient for a web server that must start unattended; restrict the file permissions (chmod 600) and keep it off shared storage
      • www.xyz.com.conf
        • vi www.xyz.com.conf
          • [req]
          • distinguished_name = req_distinguished_name
          • req_extensions = v3_req
          • prompt = no
          • [req_distinguished_name]
          • C = SG
          • L = Singapore
          • O = XYZ Pte. Ltd.
          • OU = IT Division
          • CN = www.xyz.com
          • [v3_req]
          • keyUsage = digitalSignature, keyEncipherment, dataEncipherment
          • extendedKeyUsage = clientAuth, serverAuth
          • subjectAltName = @alt_names
          • [alt_names]
          • DNS.1 = www.xyz.com
          • DNS.2 = partners.xyz.com
          • DNS.3 = downloads.xyz.com
      • Generate and sign the certificate (with public key inside)
        • openssl x509 -req -in www.xyz.com.csr -CA TrustMe_ICA.crt -CAkey TrustMe_ICA.key -passin pass:Passw0rd-ic@ -CAcreateserial -out www.xyz.com.crt -days 730 -sha256 -extfile www.xyz.com.conf -extensions v3_req
          • > Signature algorithm: SHA-2 (256-bit) with RSA encryption
          • > Validity period: 2 years (730 days)
          • > Custom extensions: the [v3_req] section of www.xyz.com.conf. openssl x509 -req does not copy extensions from the CSR into the certificate, so without -extfile/-extensions the issued certificate has no subjectAltName (and no keyUsage), and browsers that require a SAN (Chrome 58 and later) will not accept it for www.xyz.com even though openssl verify reports OK. Check the result with openssl x509 -in www.xyz.com.crt -noout -text and confirm the DNS names are present.
  5. Verification
    • Create CA-bundle certificate
      • cat /var/tmp/TrustMe_ICA.crt /var/tmp/TrustMe_RCA.crt > /var/tmp/TrustMe_CA-bundle.crt
        • > PEM files already end with a newline, so plain concatenation is enough; for openssl verify -CAfile the order does not matter, but a web server's chain file is read leaf-issuer first, so put the intermediate before the root (the root itself does not need to be sent, the client already trusts it)
    • Verify signed server certificate
      • openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_CA-bundle.crt /var/tmp/www.xyz.com.crt
        • > /var/tmp/www.xyz.com.crt: OK
    • Install/import Root CA certificate to the client system
      • Import TrustMe_RCA.crt only (never the intermediate as a root, and never any private key) to Local Machine > Certificate store: Trusted Root Certification Authorities
    • Test the HTTPS access
      • Install/import the Signed Server certificate to web server (as server SSL certificate)
      • Install/import the CA-bundle certificate to web server (as chain SSL certificate)
      • Access URL https://www.xyz.com/
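The whole procedure above as one script, added here as an example and not code from the original post: it rebuilds the TrustMe hierarchy in a scratch directory using a tighter CA extension profile (critical basicConstraints and keyUsage, no EKU or SAN on CA certificates), then checks two things the steps only assert: that pathlen:0 on the intermediate really stops it from issuing a usable sub-CA, and that openssl x509 -req drops the CSR's extensions unless -extfile is given (the pitfall in step 4). The scratch directory, the unencrypted keys, the req.cnf helper config and the "Rogue Sub CA" name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the TrustMe hierarchy in a
# scratch directory using a tighter CA profile (critical basicConstraints and
# keyUsage, no EKU or SAN on CA certificates), then checks two things the text
# only states: pathlen:0 on the intermediate is enforced by the verifier, and
# "openssl x509 -req" drops the CSR's extensions unless -extfile is given.
# Keys are unencrypted here for brevity (assumption); real CA keys belong
# encrypted and offline, as the post's -aes256/-passout does.
set -eu
WORK="${TMPDIR:-/tmp}/trustme-ca.$$"     # scratch directory (assumption)
mkdir -p "$WORK" && cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the DN comes from -subj; [v3_req] is only used for the
# server CSR, to show that a SAN in the CSR does not survive "x509 -req" alone.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_req]
subjectAltName = DNS:www.xyz.com,DNS:partners.xyz.com,DNS:downloads.xyz.com
EOF

ca_ext() {   # $1 = pathlen. A CA needs keyCertSign and cRLSign, nothing more.
  cat <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints=critical,CA:TRUE,pathlen:$1
keyUsage=critical,keyCertSign,cRLSign
EOF
}
srv_ext() {  # end-entity profile: explicit CA:FALSE, serverAuth only, names in the SAN
  cat <<'EOF'
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.xyz.com,DNS:partners.xyz.com,DNS:downloads.xyz.com
EOF
}
newkey() { openssl genrsa -out "$1" 2048 2>/dev/null; }
csr() {      # KEY SUBJECT OUT [extra req args]
  key=$1 subj=$2 out=$3; shift 3
  openssl req -new -key "$key" -sha256 -config req.cnf -subj "$subj" -out "$out" "$@"
}
sign() {     # CSR ISSUER DAYS OUT [extra x509 args]: sign CSR with ISSUER.crt/ISSUER.key
  req=$1 issuer=$2 days=$3 out=$4; shift 4
  openssl x509 -req -in "$req" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
    -days "$days" -sha256 -out "$out" "$@" 2>/dev/null
}
build_hierarchy() {
  newkey rca.key; ca_ext 1 > rca.ext
  { cat req.cnf; printf '[v3_ca]\n'; cat rca.ext; } > rca.cnf   # req -x509 reads a config section
  openssl req -x509 -new -key rca.key -sha256 -days 7300 -config rca.cnf -extensions v3_ca \
    -subj "/C=SG/O=TrustMe, Inc./CN=TrustMe Root CA" -out rca.crt
  newkey ica.key; ca_ext 0 > ica.ext
  csr ica.key "/C=SG/O=TrustMe, Inc./CN=TrustMe Intermediate CA L1M" ica.csr
  sign ica.csr rca 3650 ica.crt -extfile ica.ext
  cat ica.crt rca.crt > ca-bundle.crt    # chain-file order: the leaf's issuer first
}
san_count() {     # number of dNSName entries in a certificate
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}
verify_server() { # step 5 of the post, with the chain split into trusted root and untrusted intermediate
  openssl verify -purpose sslserver -CAfile rca.crt -untrusted ica.crt "$1"
}
pathlen_blocks_subca() {  # a CA issued under the pathlen:0 intermediate must not verify
  newkey sub.key; ca_ext 0 > sub.ext
  csr sub.key "/O=Rogue/CN=Rogue Sub CA" sub.csr      # hypothetical rogue sub-CA (assumption)
  sign sub.csr ica 365 sub.crt -extfile sub.ext        # x509 -req itself does not refuse this
  newkey leaf.key
  csr leaf.key "/CN=www.xyz.com" leaf.csr
  sign leaf.csr sub 365 leaf.crt -extfile www.xyz.com.ext
  cat ica.crt sub.crt > untrusted.pem
  ! openssl verify -CAfile rca.crt -untrusted untrusted.pem leaf.crt >/dev/null 2>&1
}

build_hierarchy
newkey www.xyz.com.key
csr www.xyz.com.key "/C=SG/O=XYZ Pte. Ltd./OU=IT Division/CN=www.xyz.com" www.xyz.com.csr -reqexts v3_req
srv_ext > www.xyz.com.ext
sign www.xyz.com.csr ica 730 www.xyz.com.bare.crt                      # step 4 as written: no -extfile
sign www.xyz.com.csr ica 730 www.xyz.com.crt -extfile www.xyz.com.ext  # extensions actually applied
echo "SAN entries without -extfile: $(san_count www.xyz.com.bare.crt)"   # 0
echo "SAN entries with -extfile:    $(san_count www.xyz.com.crt)"        # 3
verify_server www.xyz.com.crt                                            # www.xyz.com.crt: OK
pathlen_blocks_subca && echo "pathlen:0 on the intermediate blocks the rogue sub-CA"
```

Run it as sh trustme-ca.sh with any OpenSSL or LibreSSL on the path. The first SAN count shows that step 4 as written issues a certificate without the names the CSR asked for; openssl verify checks only the chain, not the hostname, so it would not catch that, which is why inspecting the issued certificate with openssl x509 -noout -text belongs in the verification step. The rogue sub-CA is signed without complaint (x509 -req enforces nothing), and it is the verifier, honouring the critical basicConstraints on the intermediate, that rejects the leaf beneath it.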

 

0. Command-Line Interface Logs
