SSL Certification authority
In cryptography, a certificate authority, or certification authority, (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the public key that is certified. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic of many public key infrastructure (PKI) schemes.[1]
Prerequisites
OpenSSL must be installed in order to create and manage certificates.
In the folder layout below I'm using ssl-name, where name stands for the entity that owns the CA. Keep the private directory readable only by root (chmod 700): it holds the CA's private key, and anyone who can read that key can issue certificates that every client trusting this CA will accept.
Create folder structure
mkdir /etc/ssl-name
mkdir /etc/ssl-name/private
mkdir /etc/ssl-name/certs
mkdir /etc/ssl-name/crl
mkdir /etc/ssl-name/newcerts
Change default values in openssl.cnf
cp /etc/pki/tls/openssl.cnf /etc/ssl-name
vi /etc/ssl-name/openssl.cnf
/etc/pki/tls/openssl.cnf is the Red Hat/CentOS location of the stock file; on Debian and Ubuntu it is /etc/ssl/openssl.cnf.
In the following sections change the values:
[ CA_default ]
dir = /etc/ssl-name
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
[ req_distinguished_name ]
countryName_default = YOUR COUNTRY 2CHARS
stateOrProvinceName_default = YOUR PROVINCE NAME
localityName_default = YOUR LOCALITY NAME
0.organizationName_default = YOUR ORGANIZATION NAME
organizationalUnitName_default = YOUR ORGANIZATIONAL UNIT NAME
challengePassword_default = CHALLENGE PASSWORD
unstructuredName_default = SIMPLE NAME FOR YOUR ORG
Initialize the database, serial and CRL number files (serial and crlnumber hold hexadecimal numbers):
touch /etc/ssl-name/index.txt
echo '01' > /etc/ssl-name/serial
echo '00' > /etc/ssl-name/crlnumber
CA certificate
Generate the CA key and self-signed certificate. You will be prompted for a passphrase; it protects the CA key on disk, so do not use -nodes here. Give the certificate an explicit lifetime: without -days, openssl req -x509 issues a certificate valid for only 30 days, which is useless for a CA. The key size comes from default_bits in openssl.cnf (1024 in old stock files); set it to at least 2048 or pass -newkey rsa:4096.
openssl req -config /etc/ssl-name/openssl.cnf -new -x509 -days 3650 -extensions v3_ca -keyout /etc/ssl-name/private/ca.key -out /etc/ssl-name/certs/ca.crt
Afterwards restrict the key file with chmod 400 /etc/ssl-name/private/ca.key.
Server Certificate
Generate a Certificate Request. The -days option has no effect on a request; the validity period is set when the CA signs it (default_days in openssl.cnf, 365 in the stock file):
openssl req -config /etc/ssl-name/openssl.cnf -new -nodes -newkey rsa:2048 -keyout /etc/ssl-name/private/server.key -out /etc/ssl-name/server.csr
Be sure to type your service's host name correctly under the Common Name (CN) field (e.g. www.yourservice.com). Note that current browsers and TLS libraries no longer match the host name against the CN but against the subjectAltName extension, and openssl ca does not copy extensions from the request unless copy_extensions is set. For such clients the certificate must carry a subjectAltName with the host name: OpenSSL 1.1.1 and later can add it to the request with -addext "subjectAltName=DNS:www.yourservice.com", and the CA_default section must then contain copy_extensions = copy.
Sign the Certificate Request
You can sign the server certificate request by issuing the following command (-infiles must be the last option; everything after it is read as a request file):
openssl ca -config /etc/ssl-name/openssl.cnf -out /etc/ssl-name/certs/server.crt -infiles /etc/ssl-name/server.csr
or
openssl ca -config /etc/ssl-name/openssl.cnf -policy policy_anything -out /etc/ssl-name/certs/server.crt -infiles /etc/ssl-name/server.csr
"-policy policy_anything" means that the Country, State and Locality fields of the request are not required to match those of your CA's certificate (see the policy sections in /etc/ssl-name/openssl.cnf).
Two files were created:
- /etc/ssl-name/certs/server.crt – Server certificate.
- /etc/ssl-name/newcerts/01.pem – Same certificate, but with the certificate serial number as a filename.
You can now delete the certificate request file:
rm -f /etc/ssl-name/server.csr
Verify Server Certificate file
To check certificate basic info issue the following command:
openssl x509 -subject -issuer -enddate -noout -in /etc/ssl-name/certs/server.crt
To check certificate “useful” info issue the following command:
openssl x509 -in /etc/ssl-name/certs/server.crt -noout -text
To check that the certificate chains to your CA and is usable as a TLS server certificate, issue the following command (this does not consult the CRL; add -crl_check -CRLfile /etc/ssl-name/crl/ca.crl to have revoked certificates rejected):
openssl verify -purpose sslserver -CAfile /etc/ssl-name/certs/ca.crt /etc/ssl-name/certs/server.crt
Revoke Server Certificate
To revoke the server certificate, issue the following command:
openssl ca -config /etc/ssl-name/openssl.cnf -revoke /etc/ssl-name/certs/server.crt
After each revocation you must generate a new CRL (Certificate Revocation List):
openssl ca -config /etc/ssl-name/openssl.cnf -gencrl -out /etc/ssl-name/crl/ca.crl
Be sure to distribute the CRL file to those who trust your CA (e.g. publish it online). A revocation is invisible to clients until the new CRL reaches them. The CRL also expires after default_crl_days (30 in the stock openssl.cnf), and clients that check CRLs reject an expired one, so regenerate and republish it before then even if nothing was revoked.
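The whole procedure above (folder structure, openssl.cnf, CA certificate, server certificate, verification, revocation and CRL) as one runnable script. This is an added example, not code from the original page: it builds a throwaway CA in a temporary directory instead of /etc/ssl-name, uses a fixed demo passphrase "capass", invented organisation names and the host www.example.test, and sets the server extensions (including subjectAltName) from the CA side rather than copying them from the request.

```sh
#!/bin/sh
# Added example, not from the page: the procedure end to end against a
# throwaway CA in a temp directory. Layout mirrors the page's ssl-name tree;
# the passphrase "capass", the org names and www.example.test are invented.
set -eu
build_ca() {                      # $1 = CA directory to create
  dir=$1
  mkdir -p "$dir/private" "$dir/certs" "$dir/crl" "$dir/newcerts"
  chmod 700 "$dir/private"        # the CA key lives here
  touch "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  # Minimal openssl.cnf: only the sections that req and ca actually read.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/certs/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root: explicit lifetime (req -x509 defaults to 30 days), passphrase-protected key.
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
    -newkey rsa:4096 -passout pass:capass -extensions v3_ca \
    -subj "/O=Example CA/CN=Example Root CA" \
    -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" 2>/dev/null
  chmod 400 "$dir/private/ca.key"
  gen_crl "$dir"                  # publish an (empty) CRL from day one
}
gen_crl() {                       # $1 = CA directory
  openssl ca -config "$1/openssl.cnf" -passin pass:capass \
    -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}
issue_server_cert() {             # $1 = CA directory, $2 = hostname
  dir=$1; host=$2
  openssl req -config "$dir/openssl.cnf" -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/O=Example Org/CN=$host" \
    -keyout "$dir/private/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # Extensions come from the CA, not the CSR: no requester-chosen CA:TRUE or names.
  cat > "$dir/$host.ext" <<EOF
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
  openssl ca -config "$dir/openssl.cnf" -batch -notext -passin pass:capass \
    -extfile "$dir/$host.ext" -extensions v3_server \
    -out "$dir/certs/$host.crt" -infiles "$dir/$host.csr" 2>/dev/null
  rm -f "$dir/$host.csr" "$dir/$host.ext"
}
verify_server_cert() {            # $1 = CA directory, $2 = hostname; 0 = valid
  openssl verify -purpose sslserver -crl_check -CAfile "$1/certs/ca.crt" \
    -CRLfile "$1/crl/ca.crl" "$1/certs/$2.crt" >/dev/null 2>&1
}
revoke_server_cert() {            # $1 = CA directory, $2 = hostname
  openssl ca -config "$1/openssl.cnf" -passin pass:capass \
    -revoke "$1/certs/$2.crt" 2>/dev/null
  gen_crl "$1"                    # a revocation is invisible until published
}
demo() {
  work=$(mktemp -d)
  build_ca "$work"; issue_server_cert "$work" www.example.test
  verify_server_cert "$work" www.example.test && echo "issued: verify OK"
  revoke_server_cert "$work" www.example.test
  verify_server_cert "$work" www.example.test || echo "revoked: verify fails"
  rm -rf "$work"
}
[ "${1:-}" = demo ] && demo
```

Run it as sh ca-demo.sh demo. The verify step uses -crl_check with the CA's CRL, so the same call that succeeds right after issuance fails after revoke_server_cert has regenerated the CRL; without the CRL options openssl verify would still report the revoked certificate as OK.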
Server Certificate file misc.
To put the server certificate and key in the same file, issue the following command (keep the result readable only by root or the service account, e.g. chmod 600, since it contains the private key):
cat /etc/ssl-name/certs/server.crt /etc/ssl-name/private/server.key > /etc/ssl-name/private/server.pem
To convert the server certificate to DER format, issue the following command:
openssl x509 -in /etc/ssl-name/certs/server.crt -inform PEM -out /etc/ssl-name/certs/server.der -outform DER
More
Can I create my own S/MIME certificate for email encryption?
Email Certificates
Issue Your Own Self-Signed S/MIME Certs with OpenSSL
How do I create a valid email certificate for Outlook S/MIME with openssl?
How To Encrypt Mails With SSL Certificates (S/MIME)
Howto: Make Your Own Cert With OpenSSL