| |
| |
| |
How to set up your own Certificate Authority
============================================
| |
| |
| Note: this howto requires the openssl binary, as well as classic |
| UNIX tools (cat, touch, echo). If you use Windows, please consider |
| installing Cygwin -- see http://cygwin.com/ |
| |
| |
| 1. Configure OpenSSL |
| -------------------- |
| |
| First of all, create sslconf.txt in the current directory |
| (a basic example is provided at the end of this file). |
| |
| cat > sslconf.txt <<"EOF" |
| [paste contents here] |
| EOF |
| |
| Then you need to create the database and a starting serial number: |
| |
| touch index |
| echo "01" > serial |
| mkdir newcerts |
| |
| |
| 2. Generate the CA certificate |
| ------------------------------ |
| |
| openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \ |
| -set_serial 0 -text -keyout test-ca.key -out test-ca.crt |
| |
| |
| 3. Generate the private keys and certificate requests |
| ----------------------------------------------------- |
| |
| openssl genrsa -out server1.key 2048 |
| openssl genrsa -out server2.key 2048 |
| openssl genrsa -out client1.key 2048 |
| openssl genrsa -out client2.key 2048 |
| |
| openssl req -config sslconf.txt -new -key server1.key -out server1.req |
| openssl req -config sslconf.txt -new -key server2.key -out server2.req |
| openssl req -config sslconf.txt -new -key client1.key -out client1.req |
| openssl req -config sslconf.txt -new -key client2.key -out client2.req |
| |
| |
| 4. Issue and sign the certificates |
| ---------------------------------- |
| |
| openssl ca -config sslconf.txt -in server1.req -out server1.crt |
| openssl ca -config sslconf.txt -in server2.req -out server2.crt |
| openssl ca -config sslconf.txt -in client1.req -out client1.crt |
| openssl ca -config sslconf.txt -in client2.req -out client2.crt |
| |
| |
| 5. To revoke a certificate and update the CRL |
| --------------------------------------------- |
| |
| openssl ca -config sslconf.txt -revoke server1.crt |
| openssl ca -config sslconf.txt -revoke client1.crt |
| openssl ca -config sslconf.txt -gencrl -out crl.pem |
| |
| |
| 6. To display a certificate and verify its validity |
| --------------------------------------------------- |
| |
| openssl x509 -in server2.crt -text -noout |
| cat test-ca.crt crl.pem > ca_crl.pem |
| openssl verify -CAfile ca_crl.pem -crl_check server2.crt |
| rm ca_crl.pem |
| |
| |
7. To export a certificate and its private key into a .pfx file
---------------------------------------------------------------
| |
| openssl pkcs12 -export -in client2.crt -inkey client2.key \ |
| -out client2.pfx |
| |
| |
| ##================================================================ |
| ##============== Example OpenSSL configuration file ============== |
| ##================================================================ |
| |
| # References: |
| # |
# /etc/ssl/openssl.cnf
| # http://www.openssl.org/docs/apps/config.html |
| # http://www.openssl.org/docs/apps/x509v3_config.html |
| |
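[ ca ]
# Section used by 'openssl ca' when no -name is given.
default_ca = my_ca

[ my_ca ]
# CA certificate and signing key written by step 2 of the howto.
# Keep the key file readable by the CA operator only.
certificate = test-ca.crt
private_key = test-ca.key
# Issued-certificate database and next serial number, created in step 1.
database = index
serial = serial

# Directory receiving a copy of every certificate issued (created in step 1).
new_certs_dir = newcerts
# CRL lifetime in days; regenerate it (step 5) before it expires.
default_crl_days = 60
# Lifetime of issued end-entity certificates, in days.
default_days = 730
# Signature digest for certificates and CRLs issued by 'openssl ca'.
# sha1 signatures are rejected by current browsers and TLS libraries;
# sha256 is the usual minimum.
default_md = sha256
policy = my_policy
# Extension profile applied to certificates issued by 'openssl ca'.
x509_extensions = v3_usr

[ my_policy ]
# Per DN field: match = must equal the CA certificate's value,
# supplied = must be present in the request, optional = may be omitted.
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = my_req_dn
# Extension profile used only when 'openssl req -x509' builds the
# self-signed CA certificate (step 2).
x509_extensions = v3_ca
# Digest for the self-signed CA certificate and for requests, so the CA
# certificate does not fall back to an older build's sha1 default.
default_md = sha256

[ my_req_dn ]
# Prompt text shown for each DN field; *_min / *_max bound the accepted length.
countryName = Country Name..............
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name....
localityName = Locality Name.............
0.organizationName = Organization Name.........
organizationalUnitName = Org. Unit Name............
commonName = Common Name (required)....
commonName_max = 64
emailAddress = Email Address.............
emailAddress_max = 64

[ v3_ca ]
# Extensions for the self-signed CA certificate. basicConstraints is marked
# critical and keyUsage limits the key to certificate and CRL signing, as
# RFC 5280 recommends for CA certificates.
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, keyCertSign, cRLSign

[ v3_usr ]
# Extensions for end-entity (server and client) certificates. CA:FALSE
# prevents an issued certificate from signing further certificates;
# keyUsage covers RSA TLS server and client use. No extendedKeyUsage is
# set, so issued certificates are not restricted to a particular purpose.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment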