Last active
February 5, 2017 17:05
-
-
Save jdelic/06d5bffc6de2826bfba531534b0c2f1c to your computer and use it in GitHub Desktop.
OpenSSL CA config with website, email and client cert configurations using a root and intermediate CA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# OpenSSL CA config | |
# | |
# see https://jamielinux.com/docs/openssl-certificate-authority/ | |
# | |
# useful commands ============================================================= | |
# (this config file is referred to as openssl.cnf) | |
# Create a self-signed CA in one command | |
# openssl req -x509 -out casserver-ca.crt -key casserver-ca.key | |
# -config openssl.cnf -extensions app_ca_root_cert -days 3650 | |
# -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority" | |
# | |
# Create a CSR and sign it (unlike the openssl ca tool this will NOT | |
# create or maintain a certificate database) | |
# openssl req -new -out cas-ca-2.req -config openssl.cnf -key cas-ca-2.key | |
# -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Parent Authority 2/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Parent Authority 2" | |
# openssl x509 -req -in cas-ca-2.req -out cas-ca-2.crt | |
# -extfile openssl.cnf -extensions intermediate_appca_certs | |
# -CA ../casserver-ca.crt -CAkey ../casserver-ca.key | |
# -CAserial ../serial.txt | |
# | |
# Update an existing certificate with a new expiry date or new X.509 | |
# extensions or even a new subject: | |
# openssl x509 -in casserver-ca.crt -out test.crt -signkey casserver-ca.key | |
# -extfile openssl.cnf -extensions app_ca_root_cert -days 3650 | |
# -clrext -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Build Authority/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority" | |
# | |
# Sign a CSR using the openssl ca tool: | |
# openssl ca -config openssl.cnf -name build_ca_certs -in reqs/x1.req | |
# -out certs/x1.crt -notext -days 180 -CAkey casserver-ca.key -CAfile | |
# | |
# This definition stops the following lines choking if HOME isn't | |
# defined. | |
HOME = c:/jm/ca | |
RANDFILE = $HOME/rnd.state | |
# | |
# the CA configuration | |
# | |
[ ca ] | |
default_ca = use -name! | |
# | |
# This CA issues intermediate CAs making them easy to revoke | |
# | |
[ rootca ] | |
certs=$HOME/root-ca/certs | |
crl_dir=$HOME/root-ca/crl | |
certificate=$HOME/root-ca/ca.crt | |
serial=$HOME/root-ca/serial.txt | |
database=$HOME/root-ca/certificate.db | |
new_certs_dir=$HOME/root-ca/certs | |
private_key=$HOME/root-ca/ca.key | |
default_md=sha256 | |
policy=ca_policy | |
string_mask=utf8only | |
email_in_dn=no | |
# | |
# This CA is used for issuing internal server certificates | |
# and S/MIME certificates | |
# | |
[ maurusnetca ] | |
# use this if you specify SANs when signing the request | |
certs=$HOME/minion-ca/certs | |
crl_dir=$HOME/minion-ca/crl | |
certificate=$HOME/minion-ca/intermediate.crt | |
serial=$HOME/minion-ca/serial.txt | |
database=$HOME/minion-ca/certificate.db | |
new_certs_dir=$HOME/minion-ca/certs | |
private_key=$HOME/minion-ca/intermediate.key | |
default_md=sha256 | |
policy=ca_policy | |
string_mask=utf8only | |
email_in_dn=no | |
[ maurusnetca_copyext ] | |
# uset this to copy SANs from the request | |
certs=$HOME/minion-ca/certs | |
crl_dir=$HOME/minion-ca/crl | |
certificate=$HOME/minion-ca/intermediate.crt | |
serial=$HOME/minion-ca/serial.txt | |
database=$HOME/minion-ca/certificate.db | |
new_certs_dir=$HOME/minion-ca/certs | |
private_key=$HOME/minion-ca/intermediate.key | |
default_md=sha256 | |
policy=ca_policy | |
string_mask=utf8only | |
copy_extensions=copy | |
email_in_dn=no | |
# | |
# This sub-CA signs BUILD CAs which in turn create certificates for | |
# Continuous Delivery builds | |
# | |
[appsca] | |
certs=./certs | |
crl_dir=./crl | |
certificate=./apps-ca.crt | |
serial=./serial.txt | |
database=./certificate.db | |
new_certs_dir=./certs | |
private_key=./ca.key | |
default_md=sha256 | |
policy=ca_build_policy | |
string_mask=utf8only | |
email_in_dn=no | |
[ ca_policy ] | |
countryName = supplied | |
localityName = supplied | |
organizationName = match | |
organizationalUnitName = supplied | |
commonName = optional # latest recommendation is no CN, SAN only | |
emailAddress = supplied | |
unstructuredName = supplied | |
[ ca_user_policy ] | |
countryName = supplied | |
localityName = supplied | |
organizationName = match | |
organizationalUnitName = supplied | |
commonName = supplied # latest recommendation is no CN, SAN only | |
title = supplied | |
unstructuredName = optional | |
[ ca_build_policy ] | |
commonName = supplied | |
# | |
# request | |
# | |
[ req ] | |
distinguished_name = dn_sect | |
prompt = yes | |
default_md = sha256 | |
default_bits = 2048 | |
string_mask = utf8only | |
req_extensions = req_exts | |
[ alternate_names ] | |
# modify this section below when creating CSRs (in case you have set | |
# copy_extensions=copy) OR include alternate_names when signing the CSR | |
# if copy_extensions is NOT set. | |
# one or more DNS names for server certificates (SANs) | |
DNS.1=*.maurusnet.test | |
DNS.2=maurusnet.test | |
#DNS.3=debian.saltstack.com | |
#DNS.4=httpredir.debian.org | |
# one or more email addresses for user certificates | |
#email.1 = info@maurus.net | |
#email.2 = | |
#email.3 = | |
# DNS.3 | |
# ... | |
[ req_exts ] | |
subjectAltName = @alternate_names | |
# | |
# X.509 extensions for various uses | |
# Use them when signing a CSR like this: | |
# | |
#openssl ca -config ..\openssl.cnf -name maurusnetca -policy ca_user_policy -in reqs\jonas.req -out certs\jonas.crt -days 3650 -extensions user_email_certs | |
# | |
[ user_email_certs ] | |
# Extensions for client certificates (`man x509v3_config`). | |
basicConstraints = critical, CA:FALSE | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid,issuer | |
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment | |
extendedKeyUsage = emailProtection | |
subjectAltName=@alternate_names | |
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl | |
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com | |
[ user_client_certs ] | |
# Extensions for client certificates (`man x509v3_config`). | |
basicConstraints = critical, CA:FALSE | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid,issuer | |
# http://security.stackexchange.com/questions/68491/recommended-key-usage-for-a-client-certificate | |
keyUsage = critical, digitalSignature | |
extendedKeyUsage = clientAuth | |
#subjectAltName=email:info@maurus.net | |
[ server_certs ] | |
# Extensions for server certificates (`man x509v3_config`). | |
basicConstraints = critical, CA:FALSE | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid,issuer:always | |
keyUsage = critical, digitalSignature, keyEncipherment | |
extendedKeyUsage = serverAuth | |
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl | |
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com | |
[ server_certs_with_sans ] | |
# Extensions for server certificates (`man x509v3_config`). | |
basicConstraints = critical, CA:FALSE | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid,issuer:always | |
keyUsage = critical, digitalSignature, keyEncipherment | |
extendedKeyUsage = serverAuth | |
subjectAltName=@alternate_names | |
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl | |
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com | |
[ ca_certs ] | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid:always,issuer | |
basicConstraints = critical, CA:true | |
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
# crlDistributionPoints=URI:http://myhost.com/myca.crl | |
[ intermediate_ca_certs ] | |
# Extensions for a typical intermediate CA (`man x509v3_config`). | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid:always,issuer | |
basicConstraints = critical, CA:true, pathlen:0 | |
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl | |
[ intermediate_appca_certs ] | |
# Extensions for a typical intermediate CA (`man x509v3_config`). | |
# but this one has pathlen:1, so these sub-CAs can sign CAs | |
# This is useful to give individual developers their own DEV CAs that can | |
# issue Vault-based application CAs | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid:always,issuer | |
basicConstraints = critical, CA:true, pathlen:1 | |
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl | |
[ app_ca_root_cert ] | |
# Extensions for the App root CAs which may have 2 levels of sub CAs | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid:always,issuer | |
basicConstraints = critical, CA:true, pathlen:2 | |
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
[ build_ca_certs ] | |
# Extensions for the Build CAs which are issued by each App CA for each build server | |
# The CSRs for these intermediates are created by Vault | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid:always,issuer | |
basicConstraints = critical, CA:true, pathlen:0 | |
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
# most local services require CRLs to be pushed, not pulled, so this configuration really doesn't matter | |
#crlDistributionPoints = URI:https://crl.maurus.net/apps/EDITME/envs/EDITME/revocations.crl | |
[ ocsp_signing_certs ] | |
# Extension for OCSP signing certificates (`man ocsp`). | |
basicConstraints = critical, CA:FALSE | |
subjectKeyIdentifier = hash | |
authorityKeyIdentifier = keyid,issuer | |
keyUsage = critical, digitalSignature | |
extendedKeyUsage = critical, OCSPSigning | |
[ crl_ext ] | |
# Extension for CRLs (`man x509v3_config`). | |
authorityKeyIdentifier=keyid:always | |
# | |
# Distinguished name combinations for our uses | |
# | |
[ dn_sect ] | |
countryName = Country Name | |
countryName_default = DE | |
localityName = Locality Name | |
localityName_default = Munich | |
organizationName = Organization Name | |
organizationName_default = maurus.networks GmbH | |
organizationalUnitName = Organizational Unit Name | |
organizationalUnitName_default = | |
commonName = Common Name | |
commonName_default = | |
emailAddress = Email Address | |
emailAddress_default = info@maurus.net | |
unstructuredName = Unstructured Name | |
unstructuredName_default = | |
[ dn_user_sect ] | |
countryName = Country Name | |
countryName_default = DE | |
localityName = Locality Name | |
localityName_default = Munich | |
organizationName = Organization Name | |
organizationName_default = maurus.networks GmbH | |
organizationalUnitName = Organizational Unit Name | |
organizationalUnitName_default = | |
commonName = Common Name | |
commonName_default = | |
title = Title | |
title_default = organizationalUnitName | |
# | |
# special sections for the CA request | |
# set prompt to "no" in [ req ] and set distinguished_name to dn_ca_sect | |
# | |
[ dn_ca_sect ] | |
countryName = Country Name | |
localityName = Locality Name | |
organizationName = Organization Name | |
organizationalUnitName = Organizational Unit Name | |
commonName = Common Name | |
emailAddress = Email Address | |
unstructuredName = Unstructured Name | |
countryName_default = DE | |
localityName_default = Munich | |
organizationName_default = maurus.networks GmbH | |
organizationalUnitName_default = Internet Server CA | |
commonName_default = maurus.networks Internet Server CA | |
emailAddress_default = ca@maurus.net | |
unstructuredName_default = maurus.networks Internet Server CA | |
# | |
# PKCS#12 settings for exporting S/MIME certs to clients | |
# This is tricky because we must enforce PBKDF2 and AES-256-CBC (GCM is not supported, yet) | |
# otherwise openssl will use RC2 with a 40 bit key :(( | |
# openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \ | |
# -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC | |
# MOST SECURE ACTUALLY WORKING VERSION (on Windows 10 and iOS9) is: | |
# openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \ | |
# -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment