Quick & Dirty -- OpenSSL

From RZ-Amper Wiki

Root Certification Authority

Directories

Run the following commands to set up the directories needed for the root, e-mail and TLS CAs. Note that chmod -R 0700 on the whole tree also hides the (public) certificates and CRLs from non-root services; only the private/ directories need to be that restrictive.

mkdir -p /usr/local/etc/PKI
cd /usr/local/etc/PKI
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
mkdir -p ca/email-ca/private ca/email-ca/db crl certs
mkdir -p ca/tls-ca/private ca/tls-ca/db crl certs
chown -R root:root /usr/local/etc/PKI
chmod -R 0700 /usr/local/etc/PKI

Serial Database

Create the index and serial-number files. openssl ca refuses to run until they exist: root-ca.db is the certificate index (empty at first), root-ca.crt.srl holds the next certificate serial number and root-ca.crl.srl the next CRL number, both in hex.

cp /dev/null ca/root-ca/db/root-ca.db
cp /dev/null ca/root-ca/db/root-ca.db.attr
echo '100001' > ca/root-ca/db/root-ca.crt.srl
echo '100001' > ca/root-ca/db/root-ca.crl.srl
touch certindex.txt

Config File for SSL

Create a file named openssl.cnf with a text editor (vi or any other). The basics needed for this exercise are given below; edit as needed.
We use one configuration file per CA:

And one configuration file per CSR type:

Create Root CA Certificate

The first thing to decide is whether you want to create the private key separately and whether you want to protect it with a passphrase. The following command creates a key pair whose key file is encrypted with Triple-DES (-des3) under a passphrase. Whenever you sign a certificate with a protected key you will have to supply this passphrase. (16384 bits, as shown, is far beyond common practice; 4096 bits is typical for a root CA, and key generation at this size takes a long time.)

openssl genrsa -des3 -out private/root-ca-key.pem 16384

The same without securing the key with a passphrase (no size is given, so OpenSSL's default of 2048 bits since 1.1.0 applies):

openssl genrsa -out private/root-ca-key.pem

The following reads, "create a new, self-signed X.509 certificate valid until 31. Dec. 2045 23:59:59 CET (the trailing Z in the date string actually denotes UTC), for the key pair in the file private/root-ca-key.pem, place the output in the file certs/root-ca.crt and use the config file openssl.cnf". openssl req has no -enddate option (only -days), so the exact end date is set by signing the request with openssl ca -selfsign, which is also what the serial database above is for:

openssl req -new -sha256 -key private/root-ca-key.pem -out root-ca.csr -config ./openssl.cnf
openssl ca -selfsign -config ./openssl.cnf -keyfile private/root-ca-key.pem -extensions v3_ca -enddate 451231235959Z -in root-ca.csr -out certs/root-ca.crt

You may also create the key pair and certificate in one go, valid for one year (you will be prompted for a passphrase unless -nodes is added):

openssl req -new -x509 -sha256 -extensions v3_ca -days 365 -keyout private/root-ca-key.pem -out certs/cacert.pem -config ./openssl.cnf

Show the content of a certificate to check its subject, issuer, validity period and extensions:

openssl x509 -noout -text -in certs/root-ca.crt

Host Certificate

Create a certificate request (1024-bit RSA as shown here is below the 2048-bit minimum expected today; -nodes leaves the host key unencrypted so the server can start unattended):

openssl req -newkey rsa:1024 -keyout hostname.key -nodes -config openssl.cnf -out hostname.req

Sign the certificate request with the CA (-infiles must be the last option, as it consumes all remaining arguments):

openssl ca -config openssl.cnf -out hostname.crt -infiles hostname.req

Revocation List

Sendmail needs a revocation list file. It can be created with the following command; the CRL has to be regenerated before the -crldays period runs out, because clients that check CRLs reject an expired one:

openssl ca -gencrl -config openssl.cnf -keyfile private/root-ca-key.pem -cert certs/root-ca.crt -out crl/revoke.crl -crldays 365
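The whole procedure on this page (directories, serial database, config file, root CA certificate, host certificate, revocation list) as one added example script. This is not the wiki's own code, and the openssl.cnf it writes is an assumption, since the page's configuration files are not reproduced here. It uses openssl ca -selfsign for the root so that an exact end date can be set, runs against a throwaway PKI_DIR instead of /usr/local/etc/PKI, and goes one step beyond the page by revoking the host certificate and checking it against the regenerated CRL:

```sh
#!/bin/sh
# Added example, not the wiki's own scripts. Needs OpenSSL 1.1.1 or newer
# (for "req -addext"). The openssl.cnf written below is an assumption.
set -eu
PKI_DIR="${PKI_DIR:-/tmp/pki-example}"   # constructed location; the page uses /usr/local/etc/PKI
CNF="$PKI_DIR/openssl.cnf"

# Directories and serial database as on the page: empty index, starting serials in hex.
pki_layout() {
    mkdir -p "$PKI_DIR/ca/root-ca/private" "$PKI_DIR/ca/root-ca/db" "$PKI_DIR/crl" "$PKI_DIR/certs"
    chmod 0700 "$PKI_DIR/ca/root-ca/private"          # only the key directory needs to be private
    : > "$PKI_DIR/ca/root-ca/db/root-ca.db"            # certificate index; openssl ca needs it to exist
    : > "$PKI_DIR/ca/root-ca/db/root-ca.db.attr"
    echo '100001' > "$PKI_DIR/ca/root-ca/db/root-ca.crt.srl"   # next certificate serial
    echo '100001' > "$PKI_DIR/ca/root-ca/db/root-ca.crl.srl"   # next CRL number
}

# Minimal root-CA config. "\$dir" is an OpenSSL config variable, not a shell one.
# copy_extensions = copy takes subjectAltName from the CSR; the extension sections
# named with -extensions still override anything the request carries.
write_root_ca_config() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = root_ca

[ root_ca ]
dir              = $PKI_DIR
database         = \$dir/ca/root-ca/db/root-ca.db
serial           = \$dir/ca/root-ca/db/root-ca.crt.srl
crlnumber        = \$dir/ca/root-ca/db/root-ca.crl.srl
new_certs_dir    = \$dir/certs
certificate      = \$dir/certs/root-ca.crt
private_key      = \$dir/ca/root-ca/private/root-ca-key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 365
policy           = any_policy
unique_subject   = no
copy_extensions  = copy

[ any_policy ]
commonName       = supplied
organizationName = optional

[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ host_cert ]
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA: key (unencrypted here; the page's -des3 variant would prompt for a
# passphrase) plus a CSR that is self-signed with a fixed end date via openssl ca,
# because "openssl req -x509" only understands -days.
create_root_ca() {
    key="$PKI_DIR/ca/root-ca/private/root-ca-key.pem"
    openssl genrsa -out "$key" 4096 2>/dev/null
    openssl req -new -config "$CNF" -key "$key" -subj "/CN=Example Root CA" -out "$PKI_DIR/ca/root-ca/root-ca.csr"
    openssl ca -batch -notext -config "$CNF" -selfsign -keyfile "$key" -extensions v3_ca \
        -enddate 451231235959Z -in "$PKI_DIR/ca/root-ca/root-ca.csr" -out "$PKI_DIR/certs/root-ca.crt"
}

# Host certificate: CSR carrying a subjectAltName, signed with the host_cert profile. $1 = host name.
issue_host_cert() {
    openssl genrsa -out "$PKI_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$PKI_DIR/$1.key" -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" -out "$PKI_DIR/$1.req"
    openssl ca -batch -notext -config "$CNF" -extensions host_cert -in "$PKI_DIR/$1.req" -out "$PKI_DIR/$1.crt"
}

# CRL generation (the file the page's sendmail step needs) and revocation of one certificate.
gen_crl()     { openssl ca -config "$CNF" -gencrl -crldays 365 -out "$PKI_DIR/crl/root-ca.crl"; }
revoke_cert() { openssl ca -config "$CNF" -revoke "$1"; }

# Returns 0 only for a certificate that chains to the root and is absent from the CRL.
verify_cert() {
    openssl verify -CAfile "$PKI_DIR/certs/root-ca.crt" -crl_check -CRLfile "$PKI_DIR/crl/root-ca.crl" "$1"
}

if [ "${1:-}" = "--run" ]; then
    pki_layout; write_root_ca_config; create_root_ca
    issue_host_cert host.example.test; gen_crl
    verify_cert "$PKI_DIR/host.example.test.crt"
fi
```

Run it as sh pki-example.sh --run (PKI_DIR=/some/dir overrides the location), or source it and call the functions one at a time. openssl ca keeps its own state in root-ca.db and the two .srl files; edit them by hand and the serials and CRL will no longer match the certificates that were actually issued.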

Links

http://pki-tutorial.readthedocs.org/en/latest/advanced/ Probably the best documentation to get.
https://www.madboa.com/geek/openssl/
https://www.seccommerce.de/en/faqs-en/28-secpki/36-certificate-generation-using-openssl.html
http://www.akadia.com/services/ssh_test_certificate.html
http://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445
http://www.pki.iam.metu.edu.tr/yazi-makale/ospki.pdf
http://hexeract.wordpress.com/2009/04/17/useful-openssl-one-liners/