su - mkdir /root/CA cd /root/CA mkdir newcerts certs crl private requests
cp /etc/ssl/openssl.cnf ./config.txt # Get a copy of the standard SSL configuration
Create some necessary files
echo '01' > serial # tracks the last serial number used by the CA touch index.txt # records which certificates have been issued
create the private key (note .key and .pem are interchangeable here)
openssl genrsa -des3 -out private/ca.key.passworded 4096 openssl rsa -in private/ca.key.passworded -out private/ca.key # remove the password for automation
create the root certificate
openssl req -new -x509 -key private/ca.key -out ca.crt -days 3650 -set_serial 0
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDivision
Common Name (e.g. server FQDN or YOUR name) []:mydivision.mycompany.com
Email Address []:admin@mydivision.mycompany.com
chmod -R 600 /root/CA
Customized slightly the default openssl configuration (/etc/ssl/openssl.cnf) (basically /root/ca, ca.crt, ca.key, 3650
vi config.txt
OpenSSL example configuration file.
This is mostly being used for generation of certificate requests.
This definition stops the following lines choking if HOME isn't
defined.
HOME = /root/CA RANDFILE = $ENV::HOME/.rnd
Extra OBJECT IDENTIFIER info:
oid_file = $ENV::HOME/.oid
oid_section = new_oids
To use this configuration file with the "-extfile" option of the
"openssl x509" utility, name here the section containing the
X.509v3 extensions to use:
extensions =
(Alternatively, use a configuration file that has only
X.509v3 extensions in its main [= default] section.)
[ new_oids ]
We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
Add a simple OID like this:
testoid1=1.2.3.4
Or use config file substitution like this:
testoid2=${testoid1}.5.6
Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7
[ ca ] default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
dir = $HOME # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
certificate = $dir/ca.crt # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/ca.key # The private key RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
Comment out the following two lines for the "traditional"
(and highly broken) format.
name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options
Extension copying option: use with caution.
copy_extensions = copy
Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
so this is commented out by default to leave a V1 CRL.
crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = default # use public key default MD preserve = no # keep passed DN ordering
A few difference way of specifying how similar the request should look
For type CA, the listed attributes must be the same, and the optional
and supplied fields are just that :-)#countryName = match
stateOrProvinceName = match
policy = policy_match
For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
countryName = supplied stateOrProvinceName = supplied organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional
...
[ req ]
default_bits = 1024
default_bits = 2048
Test your new CA by creating a CSR and fulfilling the request
cd requests
openssl genrsa -out first.key 2048 # 2048 bit is safe, add -des3 to have it passworded
openssl req -new -key first.key -out first.csr -days 3650
openssl ca -config /root/CA/config.txt -batch -in first.csr -out first.crt # sign the CSR, remove batch if you want a y/n prompt
VERIFY THE CERTIFICATE MATCHES THE KEY, etc. http://kittyandbear.net/linux/openssl-java-tomcat-ssl-cert-keytool.txt
openssl ca ... failed to update database TXT_DB error number 2
Cause: trying to generate a new SSL certificate when the same common name was used before (recorded in index.txt)
Solution: 'unique_subject = no' in config.txt (openssl.cnf) AND update index.txt.attr
Ubuntu Client Local Certificates
/etc/ssl/certs # the major default certificates (.crt) /usr/local/share/ca-certificates # user imported certificates copy or create the /usr/local/share/ca-certificates/MyNewCA.crt
sudo update-ca-certificates
google chrome browser (chromium-browser)
ls -ahl ~/.pki/nssdb
-rw------- 1 ubuntu ubuntu 9216 Jul 22 11:14 cert9.db
-rw------- 1 ubuntu ubuntu 11264 Jul 22 11:14 key4.db
-rw------- 1 ubuntu ubuntu 443 Jul 22 11:14 pkcs11.txt
sudo apt-get install libnss3-tools
certutil -d sql:$HOME/.pki/nssdb/ -L # assume ~ is $HOME might be /home/ubuntu
certutil -d sql:$HOME/.pki/nssdb -A -n
certutil -d sql:$HOME/.pki/nssdb -A -n
firefox browser
Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Import (i.e. from /usr/local/share/ca-certificates)
nginx server side certs:
http://nginx.org/en/docs/http/configuring_https_servers.html "The server certificate must appear before the chained certificates in the combined file"
/etc/nginx/sites-available/my_site.config ... ssl_certificate /opt/certs/example.com.chain.crt; ssl_certificate_key /opt/certs/example.com.key; ...
/opt/certs/example.com.chain.crt # should have the server cert first, then intermediates, finally Root CA