Setup Your Own CA Using OpenSSL (Simplified)
|
Applied version
|
Setup Your Own CA Using OpenSSL (Simplified)
Create Custom-CA Signed Certificate
- Root CA: TrustMe Root CA
- Intermediate CA: TrustMe Intermediate CA L1M
- Signed Server Certificate: device.home.net
0. Initial (Figure 1)
- cd /root/home4.net/
- Upload initial files (scripts + config files)
- Make the scripts executable
- chmod +x *.sh
- Generate Root CA certificate (Figure 2,3)
- Scripts (for ease deployment)
- ./openssl-gen-rca-crt.sh
- Generate private key
- openssl genrsa -aes256 -passout pass:Passw0rd-rc@ -out TrustMe_RCA.key 2048
- > RSA private key with 2048-bit key length
- > Encrypt the private key with AES 256-bit and passphrase: Passw0rd-rc@
- openssl genrsa -aes256 -passout pass:Passw0rd-rc@ -out TrustMe_RCA.key 2048
- Add details and custom extensions to the config file
- cat TrustMe_RCA.cfg
- [req]
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_rca
prompt = no - [req_distinguished_name]
C = SG
L = Singapore
O = TrustMe, Inc.
OU = (c) 2009 TrustMe, Inc. – for authorized use only
CN = TrustMe Root CA - [req_attributes]
- [v3_rca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints = CA:true,pathlen:1
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names - [alt_names]
DNS.1 = TrustMe Root CA G1
DNS.2 = TrustMe Root CA G2
- [req]
- Notes
- > Basic constraints: This is a CA certificate with a maximum 1 intermediate CA certificate comes after this certificate
- cat TrustMe_RCA.cfg
- Generate certificate (with public key inside)
- openssl req -x509 -new -key TrustMe_RCA.key -passin pass:Passw0rd-rc@ -sha256 -days 3650 -out TrustMe_RCA.crt -config TrustMe_RCA.cfg
- > Signature algorithm: SHA-2 (256-bit) with RSA encryption
- > Validity period: 10 years (3650 days)
- > config: TrustMe_RCA.cfg
- openssl req -x509 -new -key TrustMe_RCA.key -passin pass:Passw0rd-rc@ -sha256 -days 3650 -out TrustMe_RCA.crt -config TrustMe_RCA.cfg
- Scripts (for ease deployment)
- Generate Intermediate CA certificate (Figure 4-6)
- Scripts (for ease deployment)
- ./openssl-gen-ica-csr.sh
- ./openssl-sign-ica-csr.sh
- Add details and custom extensions to the config file
- cat TrustMe_ICA.cfg
- [req]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_ica
prompt = no - [req_distinguished_name]
C = SG
L = Singapore
O = TrustMe, Inc.
OU = (c) 2009 TrustMe, Inc. – for authorized use only
CN = TrustMe Intermediate CA L1M - [req_attributes]
- [v3_ica]
subjectKeyIdentifier=hash
basicConstraints=CA:TRUE,pathlen:0
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names - [alt_names]
DNS.1 = TrustMe Intermediate CA L1-1M
DNS.2 = TrustMe Intermediate CA L1-2M
- [req]
- cat TrustMe_ICA.cfg
- Generate private key and CSR
- openssl req -nodes -newkey rsa:2048 -keyout TrustMe_ICA.key -passout pass:Passw0rd-ic@ -out TrustMe_ICA.csr -sha256 -config TrustMe_ICA.cfg
- > RSA private key with 2048-bit key length
- > Encrypt the private key with AES 256-bit and passphrase: Passw0rd-ic@
- > CSR Signature algorithm: SHA-2 (256-bit) with RSA encryption
- openssl req -nodes -newkey rsa:2048 -keyout TrustMe_ICA.key -passout pass:Passw0rd-ic@ -out TrustMe_ICA.csr -sha256 -config TrustMe_ICA.cfg
- Add new custom OpenSSL extension file (to add custom extensions)
- vi TrustMe_ICA.ext
- subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE,pathlen:0
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = TrustMe Intermediate CA L1-1M
DNS.2 = TrustMe Intermediate CA L1-2M
- subjectKeyIdentifier=hash
- Notes
- > Basic constraints: This is a CA certificate with a maximum zero (0) intermediate CA certificate comes after this certificate
- > In the CSR file, the custom extensions has been embedded, but because we are using “openssl x509” (simple CA implementation)
- We can’t copy and use the custom extensions from CSR file, that’s why another .ext file is required
- Use “openssl ca” to make use of “copy_extensions = copyall”, all extensions in the request are copied to the certificate
- The copy_extensions option should be used with caution (please read the online article)
- vi TrustMe_ICA.ext
- Generate and sign the certificate (with public key inside)
- openssl x509 -req -in TrustMe_ICA.csr -CA TrustMe_RCA.crt -CAkey TrustMe_RCA.key -passin pass:Passw0rd-rc@ -CAcreateserial -out TrustMe_ICA.crt -days 3650 -sha256 -extfile TrustMe_ICA.ext
- > Signature algorithm: SHA-2 (256-bit) with RSA encryption
- > Validity period: 10 years (3650 days)
- > Custom extensions: TrustMe_ICA.ext
-
- openssl x509 -req -in TrustMe_ICA.csr -CA TrustMe_RCA.crt -CAkey TrustMe_RCA.key -passin pass:Passw0rd-rc@ -CAcreateserial -out TrustMe_ICA.crt -days 3650 -sha256 -extfile TrustMe_ICA.ext
- Scripts (for ease deployment)
- Generate Signed Server certificate (Figure 7-11)
-
- Scripts (for ease deployment)
- ./openssl-gen-csr.sh
- ./openssl-sign-csr.sh
- Add details and custom extensions to the config file
- cat ltm201.home.net.cfg
- [req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = SG
L = Singapore
O = XYZ Pte. Ltd.
OU = IT Division
CN = ltm201.home.net[req] - [v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names - [alt_names]
DNS.1 = ltm201.home.net
DNS.2 = partners.home.net
DNS.3 = downloads.home.net
- [req]
- cat ltm201.home.net.cfg
- Generate private key and CSR
- openssl req -nodes -newkey rsa:2048 -keyout ltm201.home.net.key -out ltm201.home.net.csr -sha256 -config ltm201.home.net.cfg
- > Signature algorithm: SHA-2 (256-bit) with RSA encryption
- openssl req -nodes -newkey rsa:2048 -keyout ltm201.home.net.key -out ltm201.home.net.csr -sha256 -config ltm201.home.net.cfg
- Add new custom OpenSSL extension file (to add custom extensions)
- cat ltm201.home.net.ext
- subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ltm201.home.net
DNS.2 = partners.home.net
DNS.3 = downloads.home.net
- subjectKeyIdentifier=hash
- Notes
- > Basic constraints: This is NOT a CA certificate
- > In the CSR file, the custom extensions has been embedded, but because we are using “openssl x509” (simple CA implementation)
- We can’t copy and use the custom extensions from CSR file, that’s why another .ext file is required
- Use “openssl ca” to make use of “copy_extensions = copyall”, all extensions in the request are copied to the certificate
- The copy_extensions option should be used with caution (please read the online article)
- cat ltm201.home.net.ext
- Generate and sign the certificate (with public key inside)
- openssl x509 -req -in ltm201.home.net.csr -CA TrustMe_ICA.crt -CAkey TrustMe_ICA.key -passin pass:Passw0rd-ic@ -CAcreateserial -out ltm201.home.net.crt -days 3650 -sha256 -extfile ltm201.home.net.ext
- Scripts (for ease deployment)
-
- Verification (Figure 12)
- Create CA-bundle certificate
- cat TrustMe_RCA.crt <(echo) TrustMe_ICA.crt > TrustMe_CA-bundle.crt
- Verify signed server certificate
- openssl verify -purpose sslserver -CAfile TrustMe_CA-bundle.crt ltm201.home.net.crt
- > ltm201.home.net.crt: OK
- openssl verify -purpose sslserver -CAfile TrustMe_CA-bundle.crt ltm201.home.net.crt
- Create CA-bundle certificate
0. Command-Line Interface Logs
- Openssl_CA_Scripts
- Openssl_Server_Scripts
- Convert from notepad++ format to linux: sed -i -e ‘s/r$//’ <script_name>.sh
0 Comments