OpenSSL is also an excellent tool for creating Certificate Authorities and generating digital certificates. In this part we will see how to create a Certificate Authority, generate certificate signing requests and issue the corresponding digital certificates. Most of these commands use the openssl.cnf configuration file, which is usually distributed with the OpenSSL installation.
Create a certification authority
To create our own Certificate Authority (CA) we first create a folder structure that will hold the CA's files.
mkdir private certs newcerts crl
Next we create two files that serve as the CA's database: index.txt records the certificates the CA issues, and serial holds the next serial number to use:
touch index.txt
echo '01' > serial
Then we generate the CA's own certificate, based on the following choices:
We will use the OpenSSL configuration file (it comes with your OpenSSL installation)
The output will be generated in an X.509 structure
We specify which set of extensions the certificate will contain
We specify where the key pair and the certificate will be stored
We specify that the certificate will be valid for a period of 5 years (1825 days)
Use this command (parts of it, namely the -extensions argument, depend on the configuration present in openssl.cnf):
Generating a 1024 bit RSA private key
..++++++
.......++++++
writing new private key to 'private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Lisboa
Locality Name (eg, city) []:Lisboa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISCTE-IUL
Organizational Unit Name (eg, section) []:ISTA
Common Name (e.g. server FQDN or YOUR name) []:SRSI
Email Address []:
After this, the certificate will be produced.
Verify the generated digital certificate
We can check the generated (self-signed) digital certificate by viewing the X.509 structure.
Let's now operate the CA as if it were a real one. Whenever someone requests a certificate from a CA, they must first create a Certificate Signing Request (CSR), so that is what we do next.
In this case we chose not to protect the private key with a password (-nodes), which is not recommended in a production environment. The request is made for one year (365 days).
Generating a 1024 bit RSA private key
....++++++
...................++++++
writing new private key to './private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Lisboa
Locality Name (eg, city) []:Lisboa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISCTE-IUL
Organizational Unit Name (eg, section) []:ISTA
Common Name (e.g. server FQDN or YOUR name) []:SRSI
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
We can verify the request using the following command:
Before issuing the certificate (signing it with the CA's own private key), the CA must check the contents of the CSR.
Issuance of the digital certificate
This step is performed by the CA to issue a digital certificate to the entity that requested it. The previously generated CSR is used as the input for the new certificate.
openssl ca -config ./openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
This is the issuance process:
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 4 18:44:27 2015 GMT
Not After : Nov 3 18:44:27 2016 GMT
Subject:
countryName = PT
stateOrProvinceName = Lisboa
localityName = Lisboa
organizationName = ISCTE-IUL
organizationalUnitName = ISTA
commonName = SRSI
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
95:DD:D8:EF:E5:83:92:44:CD:67:3A:0F:C8:F0:8B:0F:23:D7:9D:C3
X509v3 Authority Key Identifier:
keyid:CC:A9:43:88:06:8F:D4:9D:35:40:96:D9:2B:76:86:D7:39:8B:1D:43
Certificate is to be certified until Nov 3 18:44:27 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
To confirm that the certificate was issued correctly, we can view it using the command we saw earlier:
One of the functions of a CA is also to maintain information about the digital certificates it issues. Whenever a certificate, for whatever reason, is no longer valid, it must be revoked. One of the ways to revoke and communicate this revocation to "third parties" is through a Certificate Revocation List (CRL).
To revoke a certificate using OpenSSL, we can do the following:
openssl ca -config ./openssl.cnf -revoke certs/server.crt
And the certificate gets revoked:
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/ca.key:
Revoking Certificate 01.
Data Base Updated
The certificate is now revoked; to publish this revocation in a CRL, the CRL must be generated as follows:
openssl ca -config ./openssl.cnf -gencrl -out crl/ca.crl
To view the certificates that are part of the CRL, we can do the following:
openssl crl -in crl/ca.crl -noout -text
The CA's revocation list now looks like this:
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=PT/ST=Lisboa/L=Lisboa/O=ISCTE-IUL/OU=ISTA/CN=SRSI
Last Update: Nov 4 18:56:19 2015 GMT
Next Update: Dec 4 18:56:19 2015 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date: Nov 4 18:54:37 2015 GMT
Signature Algorithm: sha256WithRSAEncryption
This also contains detailed instructions on how to create your own private CA.
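The whole procedure above (CA setup, CSR, issuance, revocation and CRL), as an added example that is not part of the original tutorial: a non-interactive shell script using a constructed minimal openssl.cnf, sample subject names and a sample passphrase. It ends by checking that a CRL-aware verifier rejects the revoked certificate, which the tutorial does not show.

```shell
# Added example (not the tutorial's own commands): the full CA life cycle, run non-interactively
# in a scratch dir. The openssl.cnf below is a constructed minimal config; names and the
# passphrase are sample values.
write_cnf() { cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./certs/ca.crt
private_key = ./private/ca.key
serial = ./serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_demo
x509_extensions = usr_cert
[ policy_demo ]
countryName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
ca_demo() {
  command -v openssl >/dev/null || { echo "openssl not installed, skipping"; return 0; }
  cd "$(mktemp -d)" && mkdir private certs newcerts crl && chmod 700 private && touch index.txt && echo 01 > serial && write_cnf || return 1
  # 1. Self-signed CA certificate for 5 years; the CA key is encrypted with a passphrase
  openssl req -config openssl.cnf -new -x509 -extensions v3_ca -days 1825 -newkey rsa:2048 \
    -keyout private/ca.key -out certs/ca.crt -subj '/C=PT/O=Example/CN=Demo CA' -passout pass:capass 2>/dev/null || return 1
  # 2. Server key and CSR; -nodes leaves the key unencrypted, as in the tutorial
  openssl req -config openssl.cnf -new -nodes -newkey rsa:2048 -keyout private/server.key \
    -out server.csr -subj '/C=PT/O=Example/CN=server.example' 2>/dev/null || return 1
  openssl req -in server.csr -noout -verify >/dev/null 2>&1 || return 1   # CSR self-signature ok?
  # 3. The CA signs the CSR (-batch answers the y/n prompts); the chain must then verify
  openssl ca -config openssl.cnf -batch -passin pass:capass -out certs/server.crt -infiles server.csr >/dev/null 2>&1 || return 1
  openssl verify -CAfile certs/ca.crt certs/server.crt >/dev/null 2>&1 || return 1
  # 4. Revoke, publish a CRL, and confirm a CRL-checking verifier now rejects the certificate
  openssl ca -config openssl.cnf -batch -passin pass:capass -revoke certs/server.crt >/dev/null 2>&1 || return 1
  openssl ca -config openssl.cnf -batch -passin pass:capass -gencrl -out crl/ca.crl 2>/dev/null || return 1
  ! openssl verify -crl_check -CAfile certs/ca.crt -CRLfile crl/ca.crl certs/server.crt >/dev/null 2>&1
}
ca_demo && echo "CA workflow OK: revoked certificate rejected via CRL"
```

Without -crl_check (or without the CRL file) the revoked certificate still verifies, which is why a CRL is only useful if relying parties actually fetch and apply it.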