crypto:x509
crypto:x509 [2019-02-25 13:42] – [Sign the intermediate CA] gabriel | crypto:x509 [2020-05-23 13:56] – formatting gabriel | ||
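--- a/crypto/x509.txt
+++ b/crypto/x509.txt
 ====== Creating an intermediate and root certificate authority with OpenSSL ======
-I run a small certificate authority to sign x509 certificates for use internally
-This upshot
-This page is a brief overview of how to configure a self-signed CA that implements an intermediate CA in order to allow us to take the root CA offline.
-===== mkca.sh helper script
-Stick this somewhere to help set up the directory structures for the two CAs you are about to create.
-<code bash>
-#!/bin/bash
-
-workdir=${1}
-mkdir -p ${workdir}/
-chmod 700 ${workdir}/
-touch ${workdir}/
-echo 1000 > ${workdir}/
-</
-
-===== Root CA configuration =====
-
-We'll set some environment variables for the root CA in order to simplify changing the name.
-
-<code bash>
-export CA=quayrootCA
-export workdir=${CA}
-export OPENSSL_CONF=${workdir}/
-export privkey=${workdir}/
-export cacert=${workdir}/
-
-mkca.sh $CA
-</
-
-==== Root CA OpenSSL configuration file ====
-
-Place this file in ''
-
-<
-RANDFILE = /
-
-[ ca ]
-default_ca = quayrootCA
-
-[ crl_ext ]
-# issuerAltName=issuer:
-issuerAltName = URI:
-authorityKeyIdentifier = keyid:
-
-[ quayrootCA ]
-new_certs_dir = /
-unique_subject = no
-certificate = /
-database = /
-private_key = /
-serial = /
-default_days = 1096
-default_md = sha256
-policy = quayrootCA_policy
-x509_extensions = quayrootCA_extensions
-
-[ quayrootCA_policy ]
-commonName = supplied
-stateOrProvinceName = supplied
-countryName = supplied
-emailAddress = optional
-organizationName = supplied
-organizationalUnitName = optional
-
-[ quayrootCA_extensions ]
-basicConstraints = CA:false
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:
-keyUsage = digitalSignature,
-extendedKeyUsage = serverAuth
-crlDistributionPoints = URI:
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = CA
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Ontario
-
-localityName = Locality Name (eg, city)
-localityName_default = Toronto
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = The Quay
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-
-commonName = Common Name (eg, fully qualified host name)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = gabriel@quay.net
-emailAddress_max = 64
-
-[ req_attributes ]
-#
-#
-#
-</
-
-==== Generate root CA ====
-
-<code bash>
-# generate a key for the CA (you can strip the password by omitting -aes256)
-openssl genrsa -aes256 -out $privkey 4096
-chmod 600 $privkey
-
-# generate the CA root certificate (you can tweak the keysize and validity duration as you see fit)
-openssl req -newkey rsa:4096 -x509 \
--days 3650 \
--key $privkey \
--sha256 \
--extensions v3_ca \
--out $cacert
-</
-
-===== Intermediate CA configuration =====
-
-We're going to craete an intermediate CA (this allows us to keep the root CA offline, just in case).
-
-Set the environment for the Intermediate CA.
-
-<code bash>
-export CA=quayintCA
-export workdir=~/
-export OPENSSL_CONF=${workdir}/
-export privkey=${workdir}/
-export cacert=${workdir}/
-</
-
-==== Intermediate CA OpenSSL configuration file ====
-
-Place this file in ''
-
-<
-RANDFILE = /
-
-[ ca ]
-default_ca = quayintCA
-
-[ crl_ext ]
-# issuerAltName=issuer:
-issuerAltName = URI:
-authorityKeyIdentifier = keyid:
-
-[ quayintCA ]
-new_certs_dir = /
-unique_subject = no
-certificate = /
-database = /
-private_key = /
-serial = /
-default_days = 1096
-default_md = sha256
-policy = quayintCA_policy
-x509_extensions = quayintCA_extensions
-
-[ quayintCA_policy ]
-commonName = supplied
-stateOrProvinceName = supplied
-countryName = supplied
-emailAddress = optional
-organizationName = supplied
-organizationalUnitName = optional
-
-[ quayintCA_extensions ]
-basicConstraints = CA:false
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:
-keyUsage = digitalSignature,
-extendedKeyUsage = serverAuth
-crlDistributionPoints = URI:
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = CA
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Ontario
-
-localityName = Locality Name (eg, city)
-localityName_default = Toronto
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = The Quay
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-
-commonName = Common Name (eg, fully qualified host name)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_default = gabriel@quay.net
-emailAddress_max = 64
-
-[ req_attributes ]
-#
-#
-#
-</
-
-==== Generate a private key for the Intermediate CA ====
-
-<code bash>
-openssl genrsa -aes256 -out $privkey 4096
-chmod 600 $privkey
-</
-
-==== Generate the intermediate CA certificate signing request ====
-
-<code bash>
-openssl req -config $OPENSSL_CONF -sha256 -new -key $privkey -out $workdir/
-</
-
-==== Sign the intermediate CA ====
-
-We need to switch our environment back to use the root CA.
-
-<code bash>
-export CA=quayrootCA
-export workdir=${CA}
-export OPENSSL_CONF=${workdir}/
-export privkey=${workdir}/
-export cacert=${workdir}/
-
-openssl ca -keyfile $privkey \
--cert $cacert \
--extensions v3_ca \
--notext -md sha256 \
--in ${workdir}/
--out ~/
--days 4018
-
-</
-
-==== Create the intermediate CA certificate chain ====
-
-We'll need a certificate chain to use with web browsers.
-
-<code bash>
-cat ~/
-~/
-~/
-</
-
-===== Creating server certificates =====
-
-<code bash>
-export CA=quayintCA
-export workdir=~/
-export OPENSSL_CONF=${workdir}/
-export privkey=${workdir}/
-export cacert=${workdir}/
-
-# create a certificate request and private key for my router
-export certname=router.in.quay.net
-openssl req -newkey rsa:2048 -nodes -out ${certname}.csr -keyout ${certname}.key
-
-# now sign the certificate request
-openssl ca -keyfile $privkey \
--cert $cacert \
--notext -md sha256 \
--in ${certname}.csr -out ${certname}.crt
-</
-
-===== OpenSSL tips =====
-
-Decode an x509 certificate file to plain text:
-
-<code bash>
-openssl x509 -in certifcate_file.crt -text
-</
-
-Verify a certificate is signed by a CA:
-
-<code bash>
-# verify intermediate certificate
-openssl verify -CAfile ~/
-
-# verify server cert using cert chain
-openssl verify -CAfile ~/
-</
+Generally speaking, [[https://
+Let's Encrypt is stable, easy to configure, and trusted in all major browsers, however its primary drawback is that it can be very awkward to use with domains that are not on the public Internet.
+I'm in the process
+The GitLab project can be found here: [[https://
+===== Local usage notes =====
+Work in progress.
 ===== Notes =====
-I publish the CA root certificate
-Here is the CRL: https://
+I publish the CA certificates
+* **CA root:** https://
+* **Root CRL:** https://
+* **Intermediate signing certificate:
+* **Intermediate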