Differences

This shows you the differences between two versions of the page.

--- crypto:x509 [2020-05-19 21:41] – [Notes] updating links gabriel
+++ crypto:x509 [2020-05-27 16:56] (current) – reformatting page, tutorial is now on GitLab gabriel
@@ Line 1: / Line 1: @@
-====== Creating an intermediate and root certificate authority with OpenSSL ======
+====== The Quay Certificate Authority ======
-Generally speaking, [[https://letsencrypt.org/|Let's Encrypt]] is a better solution than using a self-hosted certificate authority in 2020.  For most users this is what I recommend.
+The current versions of certificates and CRLs can be found here:
-Let's Encrypt is stable, easy to configure, and trusted in all major browsers, however its primary drawback is that it can be very awkward to use with domains that are not on the public Internet.  Therefore, I run a certificate authority to sign x509 certificates for use internally as [[http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|HSTS]] is implemented for the quay.net domain.  This upshot of this configuration on the public domain is that in order to access HTTP resources on my internal subdomain I require trusted TLS certificates.
+  * **CA root:** https://quay.net/pub/ca/root-q2.crt
+    * **Root CRL:** https://quay.net/pub/ca/root-q2.crl
-This page is a brief overview of how to configure a self-signed CA that implements an intermediate CA in order to allow us to take the root CA offline.
+  * **Intermediate signing certificate:** https://quay.net/pub/ca/sign-s2.crt
+    * **Intermediate CRL:** https://quay.net/pub/ca/sign-q2.crl
-===== mkca.sh helper script =====
+===== General comments =====
-Stick this somewhere to help set up the directory structures for the two CAs you are about to create.
+Generally speaking, [[https://letsencrypt.org/|Let's Encrypt]] is a better solution than using a self-hosted certificate authority in 2020.  For most users this is what I recommend.
-<code bash>
+Let's Encrypt is stable, easy to configure, and trusted in all major browsers, however its primary drawback is that it can be very awkward to use with domains that are not on the public Internet.  Therefore, I run a certificate authority to sign x509 certificates for use internally as [[http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|HSTS]] is implemented for the quay.net domain.  This upshot of this configuration on the public domain is that in order to access HTTP resources on my internal subdomain I require trusted TLS certificates.
-#!/bin/bash
-workdir=${1}
-mkdir -p ${workdir}/{certs,crl,csr,newcerts,private}
-chmod 700 ${workdir}/private
-touch ${workdir}/certindex
-echo 1000 > ${workdir}/serialfile
-</code>
-===== Root CA configuration =====
-We'll set some environment variables for the root CA in order to simplify changing the name.
-<code bash>
-export CA=quayCA
-export workdir=${CA}
-export OPENSSL_CONF=${workdir}/${CA}.conf
-export privkey=${workdir}/private/privkey.pem
-export cacert=${workdir}/certs/${CA}.crt
-mkca.sh $CA
-</code>
-==== Root CA OpenSSL configuration file  ====
-Place this file in ''$OPENSSL_CONF'' location you set above, this will govern OpenSSL usage for the root CA and can be customized as you see fit.  The settings here are relatively sane.
-<code>
-RANDFILE = /dev/urandom
-[ ca ]
-default_ca = quayCA
-[ crl_ext ]
-# issuerAltName=issuer:copy  #this would copy the issuer name to altname
-issuerAltName = URI:https://quay.net/pub/ca/quay.crt
-authorityKeyIdentifier = keyid:always,issuer
-[ quayCA ]
-new_certs_dir = /home/gabriel/git/quayCA/quayCA/certs
-unique_subject = no
-certificate = /home/gabriel/git/quayCA/quayCA/certs/quayCA.crt
-database = /home/gabriel/git/quayCA/quayCA/certindex
-private_key = /home/gabriel/git/quayCA/quayCA/private/privkey.pem
-serial = /home/gabriel/git/quayCA/quayCA/serialfile
-default_days = 1096
-default_md = sha256
-policy = quayCA_policy
-x509_extensions = quayCA_extensions
-[ quayCA_policy ]
-commonName = supplied
-stateOrProvinceName = supplied
-countryName = supplied
-emailAddress = optional
-organizationName = supplied
-organizationalUnitName = optional
-[ quayCA_extensions ]
-basicConstraints = CA:false
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-crlDistributionPoints = URI:https://quay.net/pub/ca/quay.crl
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = CA
-countryName_min = 2
-countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Ontario
-localityName = Locality Name (eg, city)
-localityName_default = Toronto
-.organizationName = Organization Name (eg, company)
-.organizationName_default = The Quay
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, fully qualified host name)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_default = gabriel@quay.net
-emailAddress_max = 64
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 0
-#challengePassword_max = 20
-</code>
-==== Generate root CA ====
-<code bash>
-# generate a key for the CA (you can strip the password by omitting -aes256)
-openssl genrsa -aes256 -out $privkey 4096
-chmod 600 $privkey
-# generate the CA root certificate (you can tweak the keysize and validity duration as you see fit)
-openssl req -newkey rsa:4096 -x509 \
-  -days 3650 \
-  -key $privkey \
-  -sha256 \
-  -extensions v3_ca \
-  -out $cacert
-</code>
-===== Intermediate CA configuration =====
-We're going to craete an intermediate CA (this allows us to keep the root CA offline, just in case).
-Set the environment for the Intermediate CA.
-<code bash>
-export CA=quayCA-s1
-export workdir=~/${CA}
-export OPENSSL_CONF=${workdir}/${CA}.conf
-export privkey=${workdir}/private/privkey.pem
-export cacert=${workdir}/certs/${CA}.crt
-</code>
-==== Intermediate CA OpenSSL configuration file  ====
-Place this file in ''$OPENSSL_CONF'' location you set in the previous section, this will govern OpenSSL usage for the intermediate CA and can be customized as you see fit.  The settings here are relatively sane.  //These will be the settings you use normally to manage server certificates.//
-<code>
-RANDFILE = /dev/urandom
-[ ca ]
-default_ca = quayCA-s1
-[ crl_ext ]
-# issuerAltName=issuer:copy  #this would copy the issuer name to altname
-issuerAltName = URI:https://quay.net/pub/ca/quay-s1.crt
-authorityKeyIdentifier = keyid:always,issuer
-[ quayCA-s1 ]
-new_certs_dir = /home/gabriel/git/quayCA/quayCA-s1/certs
-unique_subject = no
-certificate = /home/gabriel/git/quayCA/quayCA-s1/certs/quayCA-s1.crt
-database = /home/gabriel/git/quayCA/quayCA-s1/certindex
-private_key = /home/gabriel/git/quayCA/quayCA-s1/private/privkey.pem
-serial = /home/gabriel/git/quayCA/quayCA-s1/serialfile
-default_days = 1096
-default_md = sha256
-policy = quayCA-s1_policy
-x509_extensions = quayCA-s1_extensions
-[ quayCA-s1_policy ]
-commonName = supplied
-stateOrProvinceName = supplied
-countryName = supplied
-emailAddress = optional
-organizationName = supplied
-organizationalUnitName = optional
-[ quayCA-s1_extensions ]
-basicConstraints = CA:false
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-crlDistributionPoints = URI:https://quay.net/pub/ca/quay-s1.crl
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-[ req ]
-default_bits = 2048
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = CA
-countryName_min = 2
-countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Ontario
-localityName = Locality Name (eg, city)
-localityName_default = Toronto
-.organizationName = Organization Name (eg, company)
-.organizationName_default = The Quay
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, fully qualified host name)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_default = gabriel@quay.net
-emailAddress_max = 64
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 0
-#challengePassword_max = 20
-</code>
-==== Generate a private key for the Intermediate CA ====
-<code bash>
-openssl genrsa -aes256 -out $privkey 4096
-chmod 600 $privkey
-</code>
-==== Generate the intermediate CA certificate signing request ====
-<code bash>
-openssl req -config $OPENSSL_CONF -sha256 -new -key $privkey -out $workdir/csr/$CA.csr
-</code>
-==== Sign the intermediate CA ====
-We need to switch our environment back to use the root CA.
-<code bash>
-export CA=quayCA
-export workdir=${CA}
-export OPENSSL_CONF=${workdir}/${CA}.conf
-export privkey=${workdir}/private/privkey.pem
-export cacert=${workdir}/certs/${CA}.crt
-openssl ca -keyfile $privkey \
-  -cert $cacert \
-  -extensions v3_ca \
-  -notext -md sha256 \
-  -in ${workdir}/csr/quayCA-s1.csr \
-  -out ~/quayintCA/certs/quayCA-s1.crt \
-  -days 4018
-</code>
-==== Create the intermediate CA certificate chain ====
-We'll need a certificate chain to use with web browsers.
-<code bash>
-cat ~/quayCA-s1/certs/quayCA-s1.crt \
-  ~/quayCA/certs/quayCA.crt > \
-  ~/quayCA/certs/quaycerts.crt
-</code>
-===== Creating server certificates =====
-<code bash>
-export CA=quayCA-s1
-export workdir=${CA}
-export OPENSSL_CONF=${workdir}/${CA}.conf
-export privkey=${workdir}/private/privkey.pem
-export cacert=${workdir}/certs/${CA}.crt
-# create a certificate request and private key for my router
-export certname=router.in.quay.net
-openssl req -newkey rsa:2048 -nodes -out ${certname}.csr -keyout ${certname}.key
-# now sign the certificate request
-openssl ca -keyfile $privkey \
-    -cert $cacert \
-    -notext -md sha256 \
-    -in ${certname}.csr -out ${certname}.crt
-</code>
-===== OpenSSL tips =====
-Decode an x509 certificate file to plain text:
-<code bash>
-openssl x509 -in certifcate_file.crt -text
-</code>
-Verify a certificate is signed by a CA:
-<code bash>
+I'm in the process of deprecating this page and moving the actual configuration to a GitLab project rather than static notes.  In the future this page will only contain specific information related to my local usage.
-# verify intermediate certificate
-openssl verify -CAfile ~/quayCA/quayCA.crt ~/quayCA-s1/quayCA-s1.crt
-# verify server cert using cert chain
+The GitLab project can be found here: [[https://gitlab.com/gmobrien/quayCA|The Quay X.509 Certificate Authority]]
-openssl verify -CAfile ~/quayCA-s1/quaycerts.crt router.in.quay.net.crt
-</code>
-===== Notes =====
+===== Local usage notes =====
-I publish the CA certificates here in the off chance that somebody outside my network might require it:
+Work in progress.
-  * CA root: https://quay.net/pub/ca/quay.crt
-  * Intermediate signing certificate: https://quay.net/pub/ca/quay-s1.crt
-  * Certificate chain: https://quay.net/pub/ca/quaycerts.crt
-  * CRL: https://quay.net/pub/ca/quay.crl