tech pit

HOWTO setup and use OpenSSL local CA capabilities

Some weeks ago, to debug one of my programs, I needed my certification authority to produce my certificates, because self-signed certificates cannot be used anymore.

After some days of investigations, I tracked down the process of setting up a local certification authority to produce all needed certificates using OpenSSL.exe (included in the library package) using the included OpenSSL.cfg.

step 1 – create the needed folder-tree

In the ‘OpenSSL\bin‘ folder, create ‘demoCA‘ folder, and in this one follow these steps:

  • create folder ‘crl‘,
  • create folder ‘newcerts‘ (it is used to store signed certificates),
  • create folder ‘private‘ (it is used to store CA private keys),
  • create empty file ‘serial‘,
  • create text file ‘index.txt‘ containing ’01’
  • create ‘ca.cnf‘ file with the contents below:
# OpenSSL CA configuration file
[ ca ]
default_ca = CA_default[ CA_default ]
default_days = 36500
database = index.txt
serial = serial.txt
default_md = sha256
copy_extensions = copy
unique_subject = no
# Used to create the CA certificate.
[ req ]
prompt=no
distinguished_name = distinguished_name
x509_extensions = extensions[ distinguished_name ]
countryName = {country name 2 chars}
stateOrProvinceName = {your state}
organizationName = {your organization name}
commonName = {common name}
[ extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
# Common policy for nodes and users.
[ signing_policy ]
organizationName = supplied
countryName = optional
stateOrProvinceName = optional
commonName = optional# Used to sign node certificates.
[ signing_node_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
# Used to sign client certificates.
[ signing_client_req ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
  • create ‘node.cnf‘ file with the contents below:
# OpenSSL node configuration file
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions[ distinguished_name ]
organizationName = test lab[ extensions ]
subjectAltName = critical,DNS:[node-hostname],DNS:[node-domain],IP:[IP Address]
  • create ‘client.cnf‘ file with the contents below:
[ req ]
prompt=no
distinguished_name = distinguished_name
req_extensions = extensions[ distinguished_name ]
countryName = {country name 2 chars}
stateOrProvinceName = {your state}
organizationName = {your organization name}
commonName =[ extensions ]
subjectAltName = DNS:root

 

In all these .cnf files, countryName, stateOrProvinceName, and organizationName shall have the same values.

In addition, in ‘ca.cnf‘, you have to set:

  • default_days with your CA keys’ days of life.
  • commonName with proper value.

After these steps, we are ready to create our CA key.

step 2 – create CA dedicated key

To create a dedicated key, type the command below:

.\openssl.exe genrsa -out .\demoCA\private\cakey.pem -3 2048

then produce CA key certificate, by typing the command below:

.\openssl.exe req -x509 -batch -config .\demoCA\ca.cnf -key .\demoCA\private\cakey.pem -out .\demoCA\cacert.pem

step 3 – generate your client certificates

Now we are ready to generate a new client key by typing the command below:

.\openssl.exe genrsa -out my_key.pem -3 2048

and generate the certificate request by typing the command below:

.\openssl.exe req -new -batch -config .\demoCA\client.cnf -key my_key.pem -out my_csr.pem

At this point, we can use our new certification authority to produce the certificate:

.\openssl.exe ca -in my_csr.pem -out my_crt.pem

step 4 – the produced files

Finally, now we have:

  • my_key.pem – our private key
  • my_crt.pem – the related certificate
  • cacert.pem – the CA certificate to verify my_crt.pem
Post Views: 134