Quick & Dirty -- OpenSSL

From RZ-Amper Wiki
Version of 10 June 2020, 23:01 by WikiSysop (talk | contribs) (The page was newly created: "== Root Certification Authority == === Directories === Just follow these commands to setup needed directories. mkdir -p /usr/local/etc/PKI cd /usr/local/etc/…")

Root Certification Authority

Directories

Just follow these commands to set up the needed directories. Everything lives under /usr/local/etc/PKI, owned by root and readable by root only; the private/ directories will hold the CA keys, db/ the index and serial files that openssl ca maintains.

mkdir -p /usr/local/etc/PKI
cd /usr/local/etc/PKI 
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
mkdir -p ca/email-ca/private ca/email-ca/db crl certs
mkdir -p ca/tls-ca/private ca/tls-ca/db crl certs
chown -R root:root /usr/local/etc/PKI
chmod -R 0700 /usr/local/etc/PKI

Serial Database

Create the files that track issued certificates and serial numbers. openssl ca refuses to run unless its index database (root-ca.db) and the serial files already exist, so create them empty (the .attr file stores the unique_subject setting) and seed the certificate and CRL serial counters. Serial numbers are hexadecimal.

cp /dev/null ca/root-ca/db/root-ca.db
cp /dev/null ca/root-ca/db/root-ca.db.attr
echo '100001' > ca/root-ca/db/root-ca.crt.srl
echo '100001' > ca/root-ca/db/root-ca.crl.srl
touch certindex.txt

Config File for SSL

Create a file with a text editor and call it openssl.cnf. The following are the basics needed for this exercise (edit as needed). The CA section must point at the db/ and serial files created above, and the extension sections (v3_ca for the root, one per certificate type) are referenced by name from the commands below.
We use one configuration file per CA:

And one configuration file per CSR type:

Create Root CA Certificate

The first thing to decide is whether you want to create the private key separately, and whether you want to protect it with a passphrase. The following command creates a key pair encrypted under a passphrase with Triple-DES (-des3 is legacy; -aes256 is the better choice on current OpenSSL). Whenever you sign a certificate with a protected key you will have to supply this passphrase. Note that 16384 bits is far larger than the 4096 bits commonly used for root keys and takes minutes to generate.

openssl genrsa -des3 -out private/root-ca-key.pem 16384

Without securing the key with a passphrase. The key size is given explicitly here because older OpenSSL releases default to a size far too small for a CA key:

openssl genrsa -out private/root-ca-key.pem 4096

The following command reads, "create a new, self-signed X.509 certificate for the key pair in private/root-ca-key.pem, valid for roughly 25 years, place the output in certs/root-ca.crt and use the config file openssl.cnf". openssl req only accepts a lifetime in days (-days); it has no -enddate option. If the root must expire at an exact instant such as 31 Dec 2045 23:59:59 UTC, sign the request with openssl ca -selfsign instead, whose -enddate option takes an ASN.1 time such as 451231235959Z (the trailing Z means UTC, not CET).

openssl req -new -x509 -sha256 -extensions v3_ca -days 9131 -key private/root-ca-key.pem -out certs/root-ca.crt -config ./openssl.cnf

You may create the key pair and certificate in one go, valid for one year. -newkey sets the key size (without it, default_bits from the config or 2048 is used); the key is passphrase-encrypted unless you add -nodes.

openssl req -new -x509 -sha256 -extensions v3_ca -days 365 -newkey rsa:4096 -keyout private/root-ca-key.pem -out certs/cacert.pem -config ./openssl.cnf

Show the content of a certificate. This decodes and prints it (check the CA:TRUE basic constraint and the keyCertSign/cRLSign key usage); it does not check a signature, for that use openssl verify -CAfile.

openssl x509 -noout -text -in certs/root-ca.crt

Host Certificate

Create a certificate request together with a new key. rsa:1024 in the original is too weak for current clients, so use at least 2048 bits; -nodes leaves the key unencrypted, which a daemon that starts unattended needs.

openssl req -newkey rsa:2048 -keyout hostname.key -nodes -config openssl.cnf -out hostname.req

Sign the certificate request. openssl ca prompts for the CA key passphrase (if set) and for confirmation; add -batch to run it non-interactively. -infiles must be the last option.

openssl ca -config openssl.cnf -out hostname.crt -infiles hostname.req

Revocation List

Sendmail needs a certificate revocation list (CRL) file, even while no certificate has been revoked. Create it with the following command and re-run it after every openssl ca -revoke and before the -crldays period runs out, since clients reject an expired CRL:

openssl ca -config openssl.cnf -gencrl -keyfile private/root-ca-key.pem -cert certs/root-ca.crt -out crl/revoke.crl -crldays 365
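The whole procedure on this page, from the directory layout through the serial database, root CA, host certificate and CRL, as one unattended script. This is an added example and not part of the original wiki page: it also supplies the minimal openssl.cnf the page leaves out (a [ ca ] section pointing at the database and serial files, a v3_ca extension section for the root and a server_cert section for hosts) and finishes by revoking the host certificate and confirming that verification against the reissued CRL now fails. The base directory is passed as an argument instead of /usr/local/etc/PKI so it can run unprivileged; the section names root_ca, policy_any and server_cert, the DN values and the hostname hostname.example.org are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: the page's directory layout,
# serial database, a minimal openssl.cnf matching that layout, the root CA,
# a host certificate and a CRL in one unattended run, followed by a revocation.
# The base directory comes from $1 instead of /usr/local/etc/PKI so it can run
# as an unprivileged user; the DN values, the section names root_ca, policy_any
# and server_cert, and the hostname hostname.example.org are assumptions.
set -eu

# write_cnf DIR: openssl ca reads [ca] -> default_ca -> a section that names
# the index (database), serial and crlnumber files; they must exist beforehand.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = root_ca

[ root_ca ]
dir              = $1
database         = \$dir/ca/root-ca/db/root-ca.db
serial           = \$dir/ca/root-ca/db/root-ca.crt.srl
crlnumber        = \$dir/ca/root-ca/db/root-ca.crl.srl
new_certs_dir    = \$dir/certs
certificate      = \$dir/certs/root-ca.crt
private_key      = \$dir/ca/root-ca/private/root-ca-key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_any
x509_extensions  = server_cert

[ policy_any ]
commonName       = supplied
organizationName = optional

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = Example Root CA
O  = Example

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# pki_build DIR: directories, serial database, root CA, host cert, CRL.
pki_build() {
    pki=$1
    mkdir -p "$pki/ca/root-ca/private" "$pki/ca/root-ca/db" "$pki/crl" "$pki/certs"
    chmod -R 0700 "$pki"
    : > "$pki/ca/root-ca/db/root-ca.db"       # empty index: nothing issued yet
    : > "$pki/ca/root-ca/db/root-ca.db.attr"
    echo '100001' > "$pki/ca/root-ca/db/root-ca.crt.srl"   # serials are hex
    echo '100001' > "$pki/ca/root-ca/db/root-ca.crl.srl"
    write_cnf "$pki"
    cd "$pki"
    # Unencrypted CA key so the run is unattended; add -aes256 to protect it.
    openssl genrsa -out ca/root-ca/private/root-ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -sha256 -extensions v3_ca -days 3650 \
        -key ca/root-ca/private/root-ca-key.pem -out certs/root-ca.crt -config openssl.cnf
    # Host key + CSR, then signed by the CA (-batch suppresses the prompts).
    openssl req -newkey rsa:2048 -nodes -keyout certs/hostname.key -subj '/CN=hostname.example.org' \
        -config openssl.cnf -out certs/hostname.req 2>/dev/null
    openssl ca -config openssl.cnf -batch -notext -out certs/hostname.crt \
        -infiles certs/hostname.req 2>/dev/null
    openssl ca -config openssl.cnf -gencrl -crldays 365 -out crl/root-ca.crl 2>/dev/null
    # Chain and CRL check must pass for the freshly issued certificate.
    openssl verify -crl_check -CAfile certs/root-ca.crt -CRLfile crl/root-ca.crl \
        certs/hostname.crt >/dev/null
}

# pki_revoke DIR: revoke the host cert, reissue the CRL and return 0 only if
# verification with CRL checking now fails as it should.
pki_revoke() {
    cd "$1"
    openssl ca -config openssl.cnf -revoke certs/hostname.crt 2>/dev/null
    openssl ca -config openssl.cnf -gencrl -crldays 365 -out crl/root-ca.crl 2>/dev/null
    if openssl verify -crl_check -CAfile certs/root-ca.crt -CRLfile crl/root-ca.crl \
        certs/hostname.crt >/dev/null 2>&1; then
        return 1    # a revoked certificate still verifies: the CRL is not in effect
    fi
}

if [ "$#" -gt 0 ]; then
    pki_build "$1" && pki_revoke "$1" && echo "root CA, host cert and CRL written to $1"
fi
```

Run it as sh pki-demo.sh /tmp/pki (an absolute path) and inspect the results with openssl x509 -noout -text -in /tmp/pki/certs/hostname.crt and openssl crl -noout -text -in /tmp/pki/crl/root-ca.crl. The index file ca/root-ca/db/root-ca.db shows the host certificate as V (valid) after pki_build and as R (revoked) after pki_revoke; the verify call with -crl_check is what a Sendmail or TLS peer effectively does when it is handed the CRL, which is why the CRL must be regenerated after each revocation and before it expires.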


Probably the best documentation available on this subject: http://pki-tutorial.readthedocs.org/en/latest/advanced/