crypto:x509
crypto:x509 [2020-05-19 19:57] – rewriting intro gabriel | crypto:x509 [2020-05-23 13:57] – updating gabriel | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Creating an intermediate and root certificate authority with OpenSSL ====== | ====== Creating an intermediate and root certificate authority with OpenSSL ====== | ||
- | Generally speaking, [https:// | + | Generally speaking, |
- | This page is a brief overview of how to configure a self-signed CA that implements an intermediate CA in order to allow us to take the root CA offline. | + | Let's Encrypt |
- | ===== mkca.sh helper script ===== | + | I'm in the process of deprecating this page and moving the actual configuration to a GitLab project rather than static notes. |
- | Stick this somewhere to help set up the directory structures for the two CAs you are about to create. | + | The GitLab project can be found here: [[https:// |
- | <code bash> | + | ===== Local usage notes ===== |
- | #!/bin/bash | + | |
- | workdir=${1} | + | Work in progress. |
- | mkdir -p ${workdir}/ | + | |
- | chmod 700 ${workdir}/ | + | |
- | touch ${workdir}/ | + | |
- | echo 1000 > ${workdir}/ | + | |
- | </ | + | |
- | ===== Root CA configuration ===== | ||
- | |||
- | We'll set some environment variables for the root CA in order to simplify changing the name. | ||
- | |||
- | <code bash> | ||
- | export CA=quayrootCA | ||
- | export workdir=${CA} | ||
- | export OPENSSL_CONF=${workdir}/ | ||
- | export privkey=${workdir}/ | ||
- | export cacert=${workdir}/ | ||
- | |||
- | mkca.sh $CA | ||
- | </ | ||
- | |||
- | ==== Root CA OpenSSL configuration file ==== | ||
- | |||
- | Place this file in '' | ||
- | |||
- | < | ||
- | RANDFILE = / | ||
- | |||
- | [ ca ] | ||
- | default_ca = quayrootCA | ||
- | |||
- | [ crl_ext ] | ||
- | # issuerAltName=issuer: | ||
- | issuerAltName = URI: | ||
- | authorityKeyIdentifier = keyid: | ||
- | |||
- | [ quayrootCA ] | ||
- | new_certs_dir = / | ||
- | unique_subject = no | ||
- | certificate = / | ||
- | database = / | ||
- | private_key = / | ||
- | serial = / | ||
- | default_days = 1096 | ||
- | default_md = sha256 | ||
- | policy = quayrootCA_policy | ||
- | x509_extensions = quayrootCA_extensions | ||
- | |||
- | [ quayrootCA_policy ] | ||
- | commonName = supplied | ||
- | stateOrProvinceName = supplied | ||
- | countryName = supplied | ||
- | emailAddress = optional | ||
- | organizationName = supplied | ||
- | organizationalUnitName = optional | ||
- | |||
- | [ quayrootCA_extensions ] | ||
- | basicConstraints = CA:false | ||
- | subjectKeyIdentifier = hash | ||
- | authorityKeyIdentifier = keyid: | ||
- | keyUsage = digitalSignature, | ||
- | extendedKeyUsage = serverAuth | ||
- | crlDistributionPoints = URI: | ||
- | |||
- | [ v3_ca ] | ||
- | subjectKeyIdentifier=hash | ||
- | authorityKeyIdentifier=keyid: | ||
- | basicConstraints = CA:true | ||
- | keyUsage = cRLSign, keyCertSign | ||
- | |||
- | [ req ] | ||
- | default_bits = 2048 | ||
- | default_keyfile = privkey.pem | ||
- | distinguished_name = req_distinguished_name | ||
- | attributes = req_attributes | ||
- | |||
- | [ req_distinguished_name ] | ||
- | countryName = Country Name (2 letter code) | ||
- | countryName_default = CA | ||
- | countryName_min = 2 | ||
- | countryName_max = 2 | ||
- | |||
- | stateOrProvinceName = State or Province Name (full name) | ||
- | stateOrProvinceName_default = Ontario | ||
- | |||
- | localityName = Locality Name (eg, city) | ||
- | localityName_default = Toronto | ||
- | |||
- | 0.organizationName = Organization Name (eg, company) | ||
- | 0.organizationName_default = The Quay | ||
- | |||
- | organizationalUnitName = Organizational Unit Name (eg, section) | ||
- | |||
- | commonName = Common Name (eg, fully qualified host name) | ||
- | commonName_max = 64 | ||
- | |||
- | emailAddress = Email Address | ||
- | emailAddress_default = gabriel@quay.net | ||
- | emailAddress_max = 64 | ||
- | |||
- | [ req_attributes ] | ||
- | # | ||
- | # | ||
- | # | ||
- | </ | ||
- | |||
- | ==== Generate root CA ==== | ||
- | |||
- | <code bash> | ||
- | # generate a key for the CA (you can strip the password by omitting -aes256) | ||
- | openssl genrsa -aes256 -out $privkey 4096 | ||
- | chmod 600 $privkey | ||
- | |||
- | # generate the CA root certificate (you can tweak the keysize and validity duration as you see fit) | ||
- | openssl req -newkey rsa:4096 -x509 \ | ||
- | -days 3650 \ | ||
- | -key $privkey \ | ||
- | -sha256 \ | ||
- | -extensions v3_ca \ | ||
- | -out $cacert | ||
- | </ | ||
- | |||
- | ===== Intermediate CA configuration ===== | ||
- | |||
- | We're going to craete an intermediate CA (this allows us to keep the root CA offline, just in case). | ||
- | |||
- | Set the environment for the Intermediate CA. | ||
- | |||
- | <code bash> | ||
- | export CA=quayintCA | ||
- | export workdir=~/ | ||
- | export OPENSSL_CONF=${workdir}/ | ||
- | export privkey=${workdir}/ | ||
- | export cacert=${workdir}/ | ||
- | </ | ||
- | |||
- | ==== Intermediate CA OpenSSL configuration file ==== | ||
- | |||
- | Place this file in '' | ||
- | |||
- | < | ||
- | RANDFILE = / | ||
- | |||
- | [ ca ] | ||
- | default_ca = quayintCA | ||
- | |||
- | [ crl_ext ] | ||
- | # issuerAltName=issuer: | ||
- | issuerAltName = URI: | ||
- | authorityKeyIdentifier = keyid: | ||
- | |||
- | [ quayintCA ] | ||
- | new_certs_dir = / | ||
- | unique_subject = no | ||
- | certificate = / | ||
- | database = / | ||
- | private_key = / | ||
- | serial = / | ||
- | default_days = 1096 | ||
- | default_md = sha256 | ||
- | policy = quayintCA_policy | ||
- | x509_extensions = quayintCA_extensions | ||
- | |||
- | [ quayintCA_policy ] | ||
- | commonName = supplied | ||
- | stateOrProvinceName = supplied | ||
- | countryName = supplied | ||
- | emailAddress = optional | ||
- | organizationName = supplied | ||
- | organizationalUnitName = optional | ||
- | |||
- | [ quayintCA_extensions ] | ||
- | basicConstraints = CA:false | ||
- | subjectKeyIdentifier = hash | ||
- | authorityKeyIdentifier = keyid: | ||
- | keyUsage = digitalSignature, | ||
- | extendedKeyUsage = serverAuth | ||
- | crlDistributionPoints = URI: | ||
- | |||
- | [ v3_ca ] | ||
- | subjectKeyIdentifier=hash | ||
- | authorityKeyIdentifier=keyid: | ||
- | basicConstraints = CA:true | ||
- | keyUsage = cRLSign, keyCertSign | ||
- | |||
- | [ req ] | ||
- | default_bits = 2048 | ||
- | default_keyfile = privkey.pem | ||
- | distinguished_name = req_distinguished_name | ||
- | attributes = req_attributes | ||
- | |||
- | [ req_distinguished_name ] | ||
- | countryName = Country Name (2 letter code) | ||
- | countryName_default = CA | ||
- | countryName_min = 2 | ||
- | countryName_max = 2 | ||
- | |||
- | stateOrProvinceName = State or Province Name (full name) | ||
- | stateOrProvinceName_default = Ontario | ||
- | |||
- | localityName = Locality Name (eg, city) | ||
- | localityName_default = Toronto | ||
- | |||
- | 0.organizationName = Organization Name (eg, company) | ||
- | 0.organizationName_default = The Quay | ||
- | |||
- | organizationalUnitName = Organizational Unit Name (eg, section) | ||
- | |||
- | commonName = Common Name (eg, fully qualified host name) | ||
- | commonName_max = 64 | ||
- | |||
- | emailAddress = Email Address | ||
- | emailAddress_default = gabriel@quay.net | ||
- | emailAddress_max = 64 | ||
- | |||
- | [ req_attributes ] | ||
- | # | ||
- | # | ||
- | # | ||
- | </ | ||
- | |||
- | ==== Generate a private key for the Intermediate CA ==== | ||
- | |||
- | <code bash> | ||
- | openssl genrsa -aes256 -out $privkey 4096 | ||
- | chmod 600 $privkey | ||
- | </ | ||
- | |||
- | ==== Generate the intermediate CA certificate signing request ==== | ||
- | |||
- | <code bash> | ||
- | openssl req -config $OPENSSL_CONF -sha256 -new -key $privkey -out $workdir/ | ||
- | </ | ||
- | |||
- | ==== Sign the intermediate CA ==== | ||
- | |||
- | We need to switch our environment back to use the root CA. | ||
- | |||
- | <code bash> | ||
- | export CA=quayrootCA | ||
- | export workdir=${CA} | ||
- | export OPENSSL_CONF=${workdir}/ | ||
- | export privkey=${workdir}/ | ||
- | export cacert=${workdir}/ | ||
- | |||
- | openssl ca -keyfile $privkey \ | ||
- | -cert $cacert \ | ||
- | -extensions v3_ca \ | ||
- | -notext -md sha256 \ | ||
- | -in ${workdir}/ | ||
- | -out ~/ | ||
- | -days 4018 | ||
- | |||
- | </ | ||
- | |||
- | ==== Create the intermediate CA certificate chain ==== | ||
- | |||
- | We'll need a certificate chain to use with web browsers. | ||
- | |||
- | <code bash> | ||
- | cat ~/ | ||
- | ~/ | ||
- | ~/ | ||
- | </ | ||
- | |||
- | ===== Creating server certificates ===== | ||
- | |||
- | <code bash> | ||
- | export CA=quayintCA | ||
- | export workdir=${CA} | ||
- | export OPENSSL_CONF=${workdir}/ | ||
- | export privkey=${workdir}/ | ||
- | export cacert=${workdir}/ | ||
- | |||
- | # create a certificate request and private key for my router | ||
- | export certname=router.in.quay.net | ||
- | openssl req -newkey rsa:2048 -nodes -out ${certname}.csr -keyout ${certname}.key | ||
- | |||
- | # now sign the certificate request | ||
- | openssl ca -keyfile $privkey \ | ||
- | -cert $cacert \ | ||
- | -notext -md sha256 \ | ||
- | -in ${certname}.csr -out ${certname}.crt | ||
- | </ | ||
- | |||
- | ===== OpenSSL tips ===== | ||
- | |||
- | Decode an x509 certificate file to plain text: | ||
- | |||
- | <code bash> | ||
- | openssl x509 -in certifcate_file.crt -text | ||
- | </ | ||
- | |||
- | Verify a certificate is signed by a CA: | ||
- | |||
- | <code bash> | ||
- | # verify intermediate certificate | ||
- | openssl verify -CAfile ~/ | ||
- | |||
- | # verify server cert using cert chain | ||
- | openssl verify -CAfile ~/ | ||
- | </ | ||
===== Notes ===== | ===== Notes ===== | ||
- | I publish the CA root certificate here in the off chance | + | I publish the CA certificates and CRLs in the unlikely event that somebody outside my network might require |
- | Here is the CRL: https:// | + | * **CA root:** https:// |
+ | * **Root CRL:** https:// | ||
+ | * **Intermediate signing certificate: | ||
+ | * **Intermediate |