145 lines
4.3 KiB
Plaintext
145 lines
4.3 KiB
Plaintext
|
|
|
|
|
|
How to setup your own Certificate Authority
|
|
===========================================
|
|
|
|
|
|
Note: this howto requires the openssl binary, as well as classic
|
|
UNIX tools (cat, touch, echo). If you use Windows, please consider
|
|
installing Cygwin -- see http://cygwin.com/
|
|
|
|
|
|
1. Configure OpenSSL
|
|
--------------------
|
|
|
|
First of all, create sslconf.txt in the current directory
|
|
(a basic example is provided at the end of this file).
|
|
|
|
cat > sslconf.txt <<"EOF"
|
|
[paste contents here]
|
|
EOF
|
|
|
|
Then you need to create the database and a starting serial number:
|
|
|
|
touch index
|
|
echo "01" > serial
|
|
mkdir newcerts
|
|
|
|
|
|
2. Generate the CA certificate
|
|
------------------------------
|
|
|
|
openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
|
|
-set_serial 0 -text -keyout test-ca.key -out test-ca.crt
|
|
|
|
|
|
3. Generate the private keys and certificate requests
|
|
-----------------------------------------------------
|
|
|
|
openssl genrsa -out server1.key 2048
|
|
openssl genrsa -out server2.key 2048
|
|
openssl genrsa -out client1.key 2048
|
|
openssl genrsa -out client2.key 2048
|
|
|
|
openssl req -config sslconf.txt -new -key server1.key -out server1.req
|
|
openssl req -config sslconf.txt -new -key server2.key -out server2.req
|
|
openssl req -config sslconf.txt -new -key client1.key -out client1.req
|
|
openssl req -config sslconf.txt -new -key client2.key -out client2.req
|
|
|
|
|
|
4. Issue and sign the certificates
|
|
----------------------------------
|
|
|
|
openssl ca -config sslconf.txt -in server1.req -out server1.crt
|
|
openssl ca -config sslconf.txt -in server2.req -out server2.crt
|
|
openssl ca -config sslconf.txt -in client1.req -out client1.crt
|
|
openssl ca -config sslconf.txt -in client2.req -out client2.crt
|
|
|
|
|
|
5. To revoke a certificate and update the CRL
|
|
---------------------------------------------
|
|
|
|
openssl ca -config sslconf.txt -revoke server1.crt
|
|
openssl ca -config sslconf.txt -revoke client1.crt
|
|
openssl ca -config sslconf.txt -gencrl -out crl.pem
|
|
|
|
|
|
6. To display a certificate and verify its validity
|
|
---------------------------------------------------
|
|
|
|
openssl x509 -in server2.crt -text -noout
|
|
cat test-ca.crt crl.pem > ca_crl.pem
|
|
openssl verify -CAfile ca_crl.pem -crl_check server2.crt
|
|
rm ca_crl.pem
|
|
|
|
|
|
7. To export a certificate into a .pfx file
|
|
-------------------------------------------
|
|
|
|
openssl pkcs12 -export -in client2.crt -inkey client2.key \
|
|
-out client2.pfx
|
|
|
|
|
|
##================================================================
|
|
##============== Example OpenSSL configuration file ==============
|
|
##================================================================
|
|
|
|
# References:
|
|
#
|
|
# /etc/ssl/openssl.conf
|
|
# http://www.openssl.org/docs/apps/config.html
|
|
# http://www.openssl.org/docs/apps/x509v3_config.html
|
|
|
|
[ ca ]
|
|
default_ca = my_ca
|
|
|
|
[ my_ca ]
|
|
certificate = test-ca.crt
|
|
private_key = test-ca.key
|
|
database = index
|
|
serial = serial
|
|
|
|
new_certs_dir = newcerts
|
|
default_crl_days = 60
|
|
default_days = 730
|
|
default_md = sha1
|
|
policy = my_policy
|
|
x509_extensions = v3_usr
|
|
|
|
[ my_policy ]
|
|
countryName = optional
|
|
stateOrProvinceName = optional
|
|
organizationName = match
|
|
organizationalUnitName = optional
|
|
commonName = supplied
|
|
emailAddress = optional
|
|
|
|
[ req ]
|
|
distinguished_name = my_req_dn
|
|
x509_extensions = v3_ca
|
|
|
|
[ my_req_dn ]
|
|
countryName = Country Name..............
|
|
countryName_min = 2
|
|
countryName_max = 2
|
|
stateOrProvinceName = State or Province Name....
|
|
localityName = Locality Name.............
|
|
0.organizationName = Organization Name.........
|
|
organizationalUnitName = Org. Unit Name............
|
|
commonName = Common Name (required)....
|
|
commonName_max = 64
|
|
emailAddress = Email Address.............
|
|
emailAddress_max = 64
|
|
|
|
[ v3_ca ]
|
|
basicConstraints = CA:TRUE
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer:always
|
|
|
|
[ v3_usr ]
|
|
basicConstraints = CA:FALSE
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid,issuer
|
|
|