mkdir /root/ca
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
Create the two openssl.cnf files accordingly: the root CA's /root/ca/openssl.cnf and the intermediate CA's /root/ca/intermediate/openssl.cnf. The -config, -extensions and policy sections used by the commands below come from these files; their contents are not shown here.
# cd /root/ca
# openssl genrsa -aes256 -out private/ca.key.pem 4096
Enter pass phrase for ca.key.pem: password
Verifying - Enter pass phrase for ca.key.pem: password
# chmod 400 private/ca.key.pem
# cd /root/ca
# openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
Enter pass phrase for ca.key.pem: password
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name []:BLR
Locality Name []:
Organization Name []:Mumbai Ltd
Organizational Unit Name []:IT
Common Name []:Root CA
Email Address []:
# chmod 444 certs/ca.cert.pem
openssl x509 -noout -text -in certs/ca.cert.pem
# mkdir /root/ca/intermediate
# cd /root/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber
# cd /root/ca
# openssl genrsa -aes256 \
-out intermediate/private/intermediate.key.pem 4096
Enter pass phrase for intermediate.key.pem: password
Verifying - Enter pass phrase for intermediate.key.pem: password
# chmod 400 intermediate/private/intermediate.key.pem
# cd /root/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
-key intermediate/private/intermediate.key.pem \
-out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate.key.pem: password
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name []:BLR
Locality Name []:
Organization Name []:Mumbai Ltd
Organizational Unit Name []:IT
Common Name []:Intermediate CA
Email Address []:
Sign the intermediate CSR with the root CA first (that step is not shown in this transcript): run openssl ca from /root/ca with -config openssl.cnf, -extensions set to the intermediate-CA section of the root openssl.cnf, -in intermediate/csr/intermediate.csr.pem and -out intermediate/certs/intermediate.cert.pem. Then inspect the signed intermediate certificate:
# openssl x509 -noout -text \
-in intermediate/certs/intermediate.cert.pem
# openssl verify -CAfile certs/ca.cert.pem \
intermediate/certs/intermediate.cert.pem
intermediate.cert.pem: OK
# cat intermediate/certs/intermediate.cert.pem \
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
# chmod 444 intermediate/certs/ca-chain.cert.pem
# cd /root/ca
# openssl genrsa -aes256 \
-out intermediate/private/www.testing.com.key.pem 2048
# chmod 400 intermediate/private/www.testing.com.key.pem
# cd /root/ca
# openssl req -config intermediate/openssl.cnf \
-key intermediate/private/www.testing.com.key.pem \
-new -sha256 -out intermediate/csr/www.testing.com.csr.pem
Enter pass phrase for www.testing.com.key.pem: password
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name []:BLR
Locality Name []:
Organization Name []:Mumbai Ltd
Organizational Unit Name []:IT
Common Name []:www.testing.com
Email Address []:
Sign the server certificate request with the Intermediate CA (the server_cert extensions come from intermediate/openssl.cnf):
# cd /root/ca
# openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.testing.com.csr.pem \
-out intermediate/certs/www.testing.com.cert.pem
# chmod 444 intermediate/certs/www.testing.com.cert.pem
# openssl x509 -noout -text \
-in intermediate/certs/www.testing.com.cert.pem
Use the CA certificate chain file to verify the newly created Server Certificate.
# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
intermediate/certs/www.testing.com.cert.pem
www.testing.com.cert.pem: OK
The resulting files for the server are:
ca-chain.cert.pem (intermediate + root certificates, built above)
www.testing.com.key.pem (the private key; keep it mode 400 as set above)
www.testing.com.cert.pem (the signed server certificate)
Create a key and signing request for each client
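# Per-client key + CSR. -nodes writes the private key to disk unencrypted,
# so private/ must stay mode 700 (as created above) and the key mode 400.
# -days is only honoured together with -x509 (self-signed certificate); on a
# plain CSR it is ignored, so it is dropped here and the validity is set by
# the CA at signing time.
openssl req -new -nodes -out client-req.pem -keyout private/client-key.pem -config ./openssl.cnf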
* Use a different Common Name for each client: by default openssl ca refuses to sign a request whose subject already appears in index.txt (unless unique_subject is disabled in the config).
Sign each request
# Sign the client CSR with this CA. -days 365 is honoured here (openssl ca sets
# the validity). -infiles must stay the last option: every argument after it is
# read as a CSR file. No -extensions is given, so whatever extension section
# ./openssl.cnf selects by default applies - confirm it is a client/user
# profile rather than a server one.
openssl ca -out name-cert.pem -days 365 -config ./openssl.cnf -infiles client-req.pem
Create the PKCS12 file
# Bundle certificate + key (+ CA certificate) into PKCS#12 for the client.
# -inkey must be the key written by the req step above (that step used
# -keyout private/client-key.pem, so the path here needs to match), and
# -certfile cacert.pem must be the CA certificate actually on disk (the root
# CA certificate above is certs/ca.cert.pem). "[friendly name]" is a
# placeholder. -export prompts for an export password; the .p12 contains the
# private key, so restrict it like the .key files (chmod 400).
openssl pkcs12 -export -in name-cert.pem -inkey private/name-key.pem -certfile cacert.pem -name "[friendly name]" -out name-cert.p12