jadbaz/OpenSSL_command_line_Root_and_Intermediate_CA.md

## OpenSSL_command_line_Root_and_Intermediate_CA.md

      
    Raw
  

              OpenSSL_command_line_Root_and_Intermediate_CA.md
            
          
    OpenSSL command line Root and Intermediate CA

Creating root, intermediate and end-user certs

Prepare

Create a directory to contain everything
Root

Create directory

mkdir -p ./root
cd ./root
Create index files

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create configuration file

vi rootca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth

[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth

Generate root CA key (no passphrase)

openssl genrsa -out rootca.key 8192
Create self-signed root CA certificate

openssl req -sha256 -new -x509 -days 3650 -key rootca.key -out rootca.crt
Then fill in required info
Intermediate CA

Create directory

cd ../
mkdir -p ./interca1
cd ./interca1
Create index files

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create configuration file

Server certificate configuration

vi interca1.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/interca1.crt
database = $dir/certindex
private_key = $dir/interca1.key
serial = $dir/certserial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth

Client certificate configuration

vi interca1_client.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/interca1.crt
database = $dir/certindex
private_key = $dir/interca1.key
serial = $dir/certserial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

Generate intermediate CA key (no passphrase)

openssl genrsa -out interca1.key 8192
Create intermediate CA CSR (Certificate Signing Request)

openssl req -sha256 -new -key interca1.key -out interca1.csr
Then fill in required info. Skip challenge password and optional company name
Sign the intermediate CSR using the root

cd ../root
openssl ca -batch -config rootca.conf -notext -in ../interca1/interca1.csr -out ../interca1/interca1.crt
Creating certificates

Create directory

cd ../interca1
mkdir certs
Generate private key

openssl genrsa -out certs/example.com.key 4096
Create CSR

openssl req -new -sha256 -key certs/example.com.key -out certs/example.com.csr
Then fill in required info. Skip challenge password and optional company name
Sign CSR with intermediate CA

Sign server certificates

openssl ca -batch -config interca1.conf -notext -in certs/example.com.csr -out certs/example.com.crt
Sign client certificates

openssl ca -batch -config interca1_client.conf -notext -in certs/example.com.csr -out certs/example.com.crt
Make certificate chain

cat ../root/rootca.crt interca1.crt > certs/example.com.chain
Collect files

Send the following files to whoever requested the certificate

certs/example.com.crt
certs/example.com.key
certs/example.com.chain

Notes

Inspect a certificate

openssl x509 -in example.com.crt -text -noout
Inspect certificate chain

openssl crl2pkcs7 -nocrl -certfile example.com.chain | openssl pkcs7 -print_certs -text -noout
Reference


Raymii.org - OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation