SSL Certification Authority on Linux

By | 2013-03-17

SSL Certification authority

In cryptography, a certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic of many public key infrastructure (PKI) schemes.1

Prerequisites

OpenSSL must be installed in order to create/manage certificates.

In the folder list I’m using ssl-name where name represents the entity that owns the CA.

Create folder structure

mkdir /etc/ssl-name
mkdir /etc/ssl-name/private
mkdir /etc/ssl-name/certs
mkdir /etc/ssl-name/crl
mkdir /etc/ssl-name/newcerts

Change default values in openssl.cnf

mkdir /etc/ssl-name
cp /etc/pki/tls/openssl.cnf /etc/ssl-name
vi /etc/ssl-name/openssl.cnf

In the following zones change the values:

mkdir /etc/ssl-name
[ CA_default ]

dir = /etc/ssl-name
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key

[ req_distinguished_name ]

countryName_default = YOUR COUNTRY 2CHARS
stateOrProvinceName_default = YOUR PROVINCE NAME
localityName_default = YOUR LOCALITY NAME
0.organizationName_default = YOUR ORGANIZATION NAME
organizationalUnitName_default = YOUR ORGANIZATIONAL UNIT NAME
challengePassword_default = CHALLENGE PASSWORD
unstructuredName_default = SIMPLE NAMEFOR YOUR ORG

Initialize files with default values:

mkdir /etc/ssl-name
touch /etc/ssl-name/index.txt
echo '01' > /etc/ssl-name/serial
touch /etc/ssl-name/crlnumber
echo '00' > /etc/ssl-name/crlnumber

CA certificate

Generate CA certificate:

openssl req -config /etc/ssl-name/openssl.cnf -new -x509 -extensions v3_ca -keyout /etc/ssl-name/private/ca.key -out /etc/ssl-name/certs/ca.crt

Server Certificate

Generate a Certificate Request:

openssl req -config /etc/ssl-name/openssl.cnf -new -nodes -newkey rsa:2048 -keyout /etc/ssl-name/private/server.key -out /etc/ssl-name/server.csr -days 365

Be sure to type your service name correctly under the Common Name (CN) field (eg. www.yourservice.com)

Sign the Certificate Request

You can sign the server certificate request by issuing the following command:

openssl ca -config /etc/ssl-name/openssl.cnf -out /etc/ssl-name/certs/server.crt -infiles /etc/ssl-name/server.csr

or

openssl ca -config /etc/ssl-name/openssl.cnf -policy policy_anything -out /etc/ssl-name/certs/server.crt -infiles /etc/ssl-name/server.csr

”-policy policy_anything” it means that the fields about the Country, State or City is not required to match those of your CA’s certificate (see /etc/ssl-name/openssl.cnf).

Two files were created:

  1. /etc/ssl-name/certs/server.crt – Server certificate.
  2. /etc/ssl-name/newcerts/01.pem – Same certificate, but with the certificate serial number as a filename.

You can now delete your certificate request file

rm -rf /etc/ssl-name/server.csr

Verify Server Certificate file

To check certificate basic info issue the following command:

openssl x509 -subject -issuer -enddate -noout -in /etc/ssl-name/certs/server.crt

To check certificate “useful” info issue the following command:

openssl x509 -in /etc/ssl-name/certs/server.crt -noout -text

To check certificate is still valid to use on a sslserver, issue the following command:

openssl verify -purpose sslserver -CAfile /etc/ssl-name/certs/ca.crt /etc/ssl-name/certs/server.crt

Revoke Server Certificate

To revoke the server certificate, issue the following command:

openssl ca -config /etc/ssl-name/openssl.cnf -revoke /etc/ssl-name/certs/server.crt

After each revocation you must generate a new CRL (Certificate Revokation List):

openssl ca -config /etc/ssl-name/openssl.cnf -gencrl -out /etc/ssl-name/crl/ca.crl

Be sure distribute the CRL file to those who trust your CA (eg. publish it online)

Server Certificate file misc.

To put the server certificate and key on the same file, issue the following command:

cat /etc/ssl-name/certs/server.crt /etc/ssl-name/private/server.key > /etc/ssl-name/private/server.pem

To convert the server certificate to DER format, issue the following command:

openssl x509 -in /etc/ssl-name/certs/server.crt -inform PEM -out /etc/ssl-name/certs/server.der -outform DER

More

Can I create my own S/MIME certificate for email encryption?
Email Certificates
Issue Your Own Self-Signed S/MIME Certs with OpenSSL
How do I create a valid email certificate for Outlook S/MIME with openssl?
How To Encrypt Mails With SSL Certificates (S/MIME)
Howto: Make Your Own Cert With OpenSSL

  1. As in http://en.wikipedia.org/wiki/Certificate_authority