Creating a Root CA, intermediate Sub-CA and end entity cert
This gist gives you the commands and config necessary to quickly and safely:
- Create a Root Certificate Authority (valid until the year ~2045 and whose key is meant to be stored somewhere secure and hard to get at, e.g. on a USB key in an off-prem vault)
- Create an intermediate sub-root certificate authority (which is used for day-to-day signing of end-entity certs)
- Create an end-entity cert (e.g. for securing nginx/apache)
For more background, see: https://developers.yubico.com/PIV/Guides/Certificate_authority.html
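#!/bin/sh
# Runnable form of the gist's command listing. Run as root (or any user that may
# write /opt/company_CA and /usr/share/ca-certificates).
#
# Fixes relative to the original listing:
#  - private/ and newcerts/sub_ca1 are created; genrsa and openssl ca fail without them.
#  - heredoc delimiters are quoted ('EOF') so that $dir in the openssl-ca config is
#    written literally instead of being expanded (to nothing) by the shell.
#  - CA-issued certs carry authorityKeyIdentifier (RFC 5280 4.2.1.1).
#  - the final openssl verify supplies the intermediate, which is not a trust anchor.
set -eu

# ---- Creating a root CA ----
mkdir -p /opt/company_CA && cd /opt/company_CA
# private/ holds every CA key: owner-only access.
mkdir -p -m 700 private
mkdir -p newcerts/sub_ca1
# Root key is AES-256 encrypted on disk; openssl prompts for the passphrase.
openssl genrsa -aes256 -out private/root_ca.key.pem 3744
cat > root_ca.crt.conf <<'EOF'
[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=Company Internal Root-CA
[ v3_ca ]
subjectKeyIdentifier=hash
# pathlen:1 - this root may certify one tier of intermediate CAs, nothing deeper
basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
EOF
# datefudge fakes the clock for this one command so notBefore is 2017-01-01;
# 10000 days from there is roughly mid-2044.
datefudge "2017-01-01 UTC" openssl req -new -sha256 -x509 -set_serial 1 -days 10000 \
    -config root_ca.crt.conf -key private/root_ca.key.pem -out root_ca.crt.pem

# ---- Creating an intermediate CA ----
cd /opt/company_CA
openssl genrsa -aes256 -out private/sub_ca1.key.pem 3744
cat > sub_ca1.csr.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=Internal Sub-CA (1)
EOF
# (-nodes dropped from the original: it only affects keys generated by req -newkey)
openssl req -sha256 -new -config sub_ca1.csr.conf -key private/sub_ca1.key.pem -out sub_ca1.csr.pem
cat > sub_ca1.crt.conf <<'EOF'
subjectKeyIdentifier=hash
# issuer key id, required in every non-self-signed cert for path building (RFC 5280 4.2.1.1)
authorityKeyIdentifier=keyid:always
# pathlen:0 - this CA may sign end-entity certs only, never another CA
basicConstraints = critical,CA:true,pathlen:0
# cRLSign added so this CA can publish revocations for the certs it issues
keyUsage=critical,keyCertSign,cRLSign
EOF
openssl x509 -sha256 -CA root_ca.crt.pem -CAkey private/root_ca.key.pem \
    -CAserial root_ca.srl -CAcreateserial -days 3700 -req \
    -in sub_ca1.csr.pem -extfile sub_ca1.crt.conf -out sub_ca1.crt.pem
# Config for "openssl ca". $dir is an OpenSSL config variable - the heredoc
# delimiter is quoted so the shell leaves it alone.
cat > sub_ca1.ca.conf <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/sub_ca1.srl
database = $dir/sub_ca1.db
new_certs_dir = $dir/newcerts/sub_ca1
policy = policy_match
x509_extensions = v3_ca
# intentionally empty: extensions come from the per-cert -extfile given to openssl ca
[ v3_ca ]
[ policy_match ]
commonName = supplied
EOF
# empty issued-cert database and first serial number
touch sub_ca1.db
echo 01 > sub_ca1.srl

# ---- Creating and signing a normal end-entity certificate ----
cd /opt/company_CA
mkdir -p ready_for_use/domain.dom/subdomain
# Server key is stored unencrypted so the service can start unattended;
# restrict it to the owner instead.
openssl genrsa -out ready_for_use/domain.dom/subdomain/key.pem 3744
chmod 600 ready_for_use/domain.dom/subdomain/key.pem
cat > ready_for_use/domain.dom/subdomain/csr.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=sub.domain.dom
EOF
openssl req -sha256 -new -config ready_for_use/domain.dom/subdomain/csr.conf \
    -key ready_for_use/domain.dom/subdomain/key.pem \
    -out ready_for_use/domain.dom/subdomain/csr.pem
cat > ready_for_use/domain.dom/subdomain/crt.conf <<'EOF'
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = critical,CA:false
# Usages kept as in the original. A cert used only as a TLS server needs just
# digitalSignature,keyEncipherment and serverAuth; trim these if that is the case.
keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage=critical,serverAuth,clientAuth,emailProtection
# hostname clients will validate against
subjectAltName=critical,DNS:sub.domain.dom
EOF
# -enddate is a fixed expiry (2025-12-01 05:00 UTC); adjust per certificate.
openssl ca -md sha256 -utf8 -noemailDN -notext -config sub_ca1.ca.conf \
    -cert sub_ca1.crt.pem -keyfile private/sub_ca1.key.pem \
    -enddate 20251201050000Z \
    -extfile ready_for_use/domain.dom/subdomain/crt.conf \
    -in ready_for_use/domain.dom/subdomain/csr.pem \
    -out ready_for_use/domain.dom/subdomain/crt.pem
# Leaf first, then the intermediate: this is what the server hands to clients
# (the root is never served; clients must already trust it).
cat ready_for_use/domain.dom/subdomain/crt.pem sub_ca1.crt.pem \
    > ready_for_use/domain.dom/subdomain/chained.crt.pem

# ---- Installing the newly created root certificate authority on Debian/Ubuntu ----
mkdir -p /usr/share/ca-certificates/company
# NOTE: the file must be in PEM format and its name must end in .crt
cp root_ca.crt.pem /usr/share/ca-certificates/company/company_root_ca.crt
dpkg-reconfigure ca-certificates
# Verify a leaf against the root. The intermediate is not a trust anchor, so it is
# passed with -untrusted; verifying with only the root present fails to build a chain.
openssl verify -CAfile root_ca.crt.pem -untrusted sub_ca1.crt.pem \
    ready_for_use/domain.dom/subdomain/crt.pem

# ---- Convert certificate from PEM to DER format ----
mkdir -p ready_for_use/root_ca
openssl x509 -in root_ca.crt.pem -outform der -out ready_for_use/root_ca/root_ca.crt.der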