john pfeiffer

Openssl ca authority ubuntu trust ca chromium nginx chain

su -
mkdir /root/CA
cd /root/CA
mkdir newcerts certs crl private requests

cp /etc/ssl/openssl.cnf ./config.txt # Get a copy of the standard SSL configuration

Create some necessary files

echo '01' > serial # tracks the last serial number used by the CA
touch index.txt # records which certificates have been issued

create the private key (note .key and .pem are interchangeable here)

openssl genrsa -des3 -out private/ca.key.passworded 4096
openssl rsa -in private/ca.key.passworded -out private/ca.key # remove the password for automation

create the root certificate

openssl req -new -x509 -key private/ca.key -out ca.crt -days 3650 -set_serial 0

Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDivision
Common Name (e.g. server FQDN or YOUR name) []:mydivision.mycompany.com
Email Address []:admin@mydivision.mycompany.com

chmod -R 600 /root/CA


Customize the copied openssl configuration slightly (the defaults come from /etc/ssl/openssl.cnf); basically the CA directory /root/CA, ca.crt, ca.key and 3650 days, plus the policy and key-size changes shown in config.txt below:

vi config.txt

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = /root/CA
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

#dir            = ./demoCA              # Where everything is kept
dir             = $HOME                 # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

#certificate    = $dir/cacert.pem       # The CA certificate
certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.key   # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
#countryName            = match
#stateOrProvinceName    = match
countryName             = supplied
stateOrProvinceName     = supplied
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

...

[ req ]
#default_bits           = 1024
default_bits            = 2048


Test your new CA by creating a CSR and fulfilling the request

cd requests

openssl genrsa -out first.key 2048 # 2048 bit is safe, add -des3 to have it passworded

openssl req -new -key first.key -out first.csr -days 3650

openssl ca -config /root/CA/config.txt -batch -in first.csr -out first.crt # sign the CSR, remove batch if you want a y/n prompt

VERIFY THE CERTIFICATE MATCHES THE KEY, etc. http://kittyandbear.net/linux/openssl-java-tomcat-ssl-cert-keytool.txt


openssl ca ... failed to update database TXT_DB error number 2

Cause: trying to sign a new certificate whose subject (common name) has already been issued before (recorded in index.txt)

Solution: set 'unique_subject = no' in config.txt (openssl.cnf) AND in index.txt.attr, which carries its own unique_subject setting that takes precedence over the config file



Ubuntu Client Local Certificates

/etc/ssl/certs # the major default certificates (.crt)
/usr/local/share/ca-certificates # user imported certificates
copy or create the /usr/local/share/ca-certificates/MyNewCA.crt

sudo update-ca-certificates


google chrome browser (chromium-browser)

ls -ahl ~/.pki/nssdb

-rw------- 1 ubuntu ubuntu  9216 Jul 22 11:14 cert9.db
-rw------- 1 ubuntu ubuntu 11264 Jul 22 11:14 key4.db
-rw------- 1 ubuntu ubuntu   443 Jul 22 11:14 pkcs11.txt

sudo apt-get install libnss3-tools

certutil -d sql:$HOME/.pki/nssdb/ -L # assume ~ is $HOME might be /home/ubuntu

certutil -d sql:$HOME/.pki/nssdb -A -n <nickname> -i <certfile> -t <trustargs>
certutil -d sql:$HOME/.pki/nssdb -A -n 'example.com cert authority' -i example.com.root.cert -t TCP,TCP,TCP # P - Trusted Peer flag, don't even check if self-signed

certutil -d sql:$HOME/.pki/nssdb -A -n <nickname> -i <certfile> -t "C,," # trust args for root CA
certutil -d sql:/home/ubuntu/.pki/nssdb -A -n "example.com CA" -i /usr/local/share/ca-certificates/example.com.crt -t "C,,"


firefox browser

Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Import (i.e. from /usr/local/share/ca-certificates)



nginx server side certs:

http://nginx.org/en/docs/http/configuring_https_servers.html "The server certificate must appear before the chained certificates in the combined file"

/etc/nginx/sites-available/my_site.config
...
ssl_certificate /opt/certs/example.com.chain.crt;
ssl_certificate_key /opt/certs/example.com.key;
...

/opt/certs/example.com.chain.crt # should have the server cert first, then intermediates, finally Root CA



Published Oct 9, 2013
