
@kaito834
Created August 15, 2019 14:56
Notes for section "11.4 Creating a private CA" (11.4 プライベートCAを作る) of プロフェッショナルSSL/TLS (the Japanese edition of Bulletproof SSL and TLS)

This text is my notes from working through section "11.4 Creating a private CA" (11.4 プライベートCAを作る) of プロフェッショナルSSL/TLS in depth.

Versions of the tools used

[ec2-user@ip-10-0-1-184 ~]$ curl -V
curl 7.61.1 (x86_64-koji-linux-gnu) libcurl/7.61.1 OpenSSL/1.0.2k zlib/1.2.7 libidn2/2.0.4 libssh2/1.4.3 nghttp2/1.31.1
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy Metalink

[ec2-user@ip-10-0-1-184 ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Results of the steps in each section

■ Root CA directory structure (11.4.2 Creating the root CA)

[ec2-user@ip-10-0-1-184 ~]$ mkdir test-ca
[ec2-user@ip-10-0-1-184 ~]$ cd test-ca/
[ec2-user@ip-10-0-1-184 test-ca]$ ls
[ec2-user@ip-10-0-1-184 test-ca]$ mkdir root-ca
[ec2-user@ip-10-0-1-184 test-ca]$ cd root-ca/
[ec2-user@ip-10-0-1-184 root-ca]$ curl -s -o root-ca.conf https://raw.githubusercontent.com/ivanr/bulletproof-tls/master/private-ca/root-ca.conf
[ec2-user@ip-10-0-1-184 root-ca]$ curl -s -o sub-ca.conf https://raw.githubusercontent.com/ivanr/bulletproof-tls/master/private-ca/sub-ca.conf
[ec2-user@ip-10-0-1-184 root-ca]$ mkdir certs db private
[ec2-user@ip-10-0-1-184 root-ca]$ chmod 700 private/
[ec2-user@ip-10-0-1-184 root-ca]$ touch db/index
[ec2-user@ip-10-0-1-184 root-ca]$ openssl rand -hex 16 > db/serial
[ec2-user@ip-10-0-1-184 root-ca]$ echo 1001 > db/crlnumber
[ec2-user@ip-10-0-1-184 root-ca]$ ls -l
total 8
drwxrwxr-x 2 ec2-user ec2-user    6 Aug 15 10:44 certs
drwxrwxr-x 2 ec2-user ec2-user   50 Aug 15 10:44 db
drwx------ 2 ec2-user ec2-user    6 Aug 15 10:44 private
-rw-rw-r-- 1 ec2-user ec2-user 2542 Aug 15 10:43 root-ca.conf
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf

■ Generating the root CA (11.4.2 Creating the root CA)

[ec2-user@ip-10-0-1-184 root-ca]$ openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
Generating a 4096 bit RSA private key
............++
..............................................................................................................................++
writing new private key to 'private/root-ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
[ec2-user@ip-10-0-1-184 root-ca]$ ls -l
total 12
drwxrwxr-x 2 ec2-user ec2-user    6 Aug 15 10:44 certs
drwxrwxr-x 2 ec2-user ec2-user   50 Aug 15 10:44 db
drwx------ 2 ec2-user ec2-user   25 Aug 15 10:46 private
-rw-rw-r-- 1 ec2-user ec2-user 2542 Aug 15 10:43 root-ca.conf
-rw-rw-r-- 1 ec2-user ec2-user 1732 Aug 15 10:46 root-ca.csr
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf
[ec2-user@ip-10-0-1-184 root-ca]$ file root-ca.csr
root-ca.csr: PEM certificate request
[ec2-user@ip-10-0-1-184 root-ca]$ file private/root-ca.key
private/root-ca.key: ASCII text
[ec2-user@ip-10-0-1-184 root-ca]$ cat private/root-ca.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
(snipped)
-----END ENCRYPTED PRIVATE KEY-----
[ec2-user@ip-10-0-1-184 root-ca]$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
Using configuration from root-ca.conf
Enter pass phrase for ./private/root-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:b2:30:7e:25:cb:29:34:dc:73:83:92:6a:0c:2b:c0
        Issuer:
            countryName               = GB
            organizationName          = Example
            commonName                = Root CA
        Validity
            Not Before: Aug 15 10:50:55 2019 GMT
            Not After : Aug 12 10:50:55 2029 GMT
        Subject:
            countryName               = GB
            organizationName          = Example
            commonName                = Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bc:51:05:cf:34:5c:d2:3f:3b:5a:86:cf:b5:3a:
                    34:b2:34:d0:2e:39:da:fa:3b:e0:96:21:83:87:75:
                    67:32:3a:fe:99:f3:a1:00:e2:d7:60:0f:ef:8c:2b:
                    1b:08:90:1f:40:0f:09:e6:fe:f8:ed:5b:b8:b6:26:
                    86:61:e1:94:e5:b5:11:40:6a:a6:be:1c:35:a8:67:
                    09:dc:20:ca:51:78:9f:49:12:86:49:db:30:83:81:
                    ab:91:cf:52:b9:a4:18:63:a5:cb:2a:3f:fb:57:15:
                    fa:35:8b:28:fc:0a:fa:51:6a:30:96:57:b6:a0:03:
                    4b:83:a1:f3:04:9e:3f:e3:e5:24:b2:e2:ca:32:a6:
                    18:90:28:fd:e9:74:49:d0:8e:9e:90:34:8f:91:59:
                    97:0f:01:80:2d:08:3a:c8:6b:cd:39:ad:88:c0:30:
                    a6:23:cb:54:5a:0a:3a:ed:79:ba:a0:55:a4:76:9e:
                    00:3e:05:e4:7b:e5:ad:1d:e5:9c:01:f9:b6:84:54:
                    51:4a:7a:79:83:d0:c9:01:11:ab:73:3f:00:03:78:
                    4a:b7:84:c4:32:89:f5:da:b0:19:32:6f:6c:81:70:
                    93:b3:d3:08:36:f1:b6:e8:d2:64:38:15:13:93:74:
                    92:22:dc:c5:69:f6:8b:54:71:7a:1c:9c:14:2b:2e:
                    c0:fa:88:60:75:59:90:97:e0:1d:ae:72:ff:40:9c:
                    37:dd:95:e7:4b:64:e4:bb:a7:04:29:e2:b3:7c:50:
                    b7:07:9a:56:6a:73:96:a6:62:71:15:ee:f3:07:33:
                    2e:81:7c:2b:28:75:d9:23:72:a1:6e:00:ae:b2:57:
                    cb:d9:b5:bd:85:cb:af:39:2d:cd:68:2b:37:96:e6:
                    8e:6c:11:7d:ea:aa:05:ab:71:dd:38:66:20:a0:6f:
                    75:25:95:0d:35:ae:11:d1:45:67:2e:11:d0:f9:97:
                    d5:79:a2:3e:cd:01:a1:f0:98:a7:91:56:53:a4:20:
                    1b:8e:4d:b7:43:9b:e7:fc:5e:ce:cc:ec:91:fa:32:
                    e4:c9:50:df:a5:bc:72:e8:ae:5e:ad:49:7a:43:47:
                    e6:fb:15:d1:1b:1f:02:46:35:ee:c0:05:58:6d:0d:
                    8d:ad:7b:dc:ca:0c:ac:37:5c:66:57:cc:b4:ca:5c:
                    b9:a4:fc:08:3d:2e:d8:82:e0:f5:95:39:c5:0e:14:
                    26:66:ff:f3:b0:99:21:3a:ac:64:a2:8b:43:10:12:
                    81:ed:9c:40:9a:9d:a6:24:43:9e:0a:eb:01:56:30:
                    dd:48:69:5a:28:c2:68:6c:3b:f9:93:55:33:31:89:
                    f8:6c:7d:66:fa:6e:3f:4c:98:3c:85:f7:0d:65:f6:
                    42:93:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                91:17:8D:20:E9:31:34:47:97:21:8B:28:61:62:32:61:A6:39:75:E3
Certificate is to be certified until Aug 12 10:50:55 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[ec2-user@ip-10-0-1-184 root-ca]$ ls -la
total 20
drwxrwxr-x 5 ec2-user ec2-user  121 Aug 15 10:50 .
drwxrwxr-x 3 ec2-user ec2-user   21 Aug 15 10:43 ..
drwxrwxr-x 2 ec2-user ec2-user   50 Aug 15 10:51 certs
drwxrwxr-x 2 ec2-user ec2-user  103 Aug 15 10:51 db
drwx------ 2 ec2-user ec2-user   25 Aug 15 10:46 private
-rw-rw-r-- 1 ec2-user ec2-user 2542 Aug 15 10:43 root-ca.conf
-rw-rw-r-- 1 ec2-user ec2-user 6876 Aug 15 10:51 root-ca.crt
-rw-rw-r-- 1 ec2-user ec2-user 1732 Aug 15 10:46 root-ca.csr
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf
[ec2-user@ip-10-0-1-184 root-ca]$ file root-ca.crt
root-ca.crt: ASCII text
[ec2-user@ip-10-0-1-184 root-ca]$ cat db/index
V       290812105055Z           E4B2307E25CB2934DC7383926A0C2BC0        unknown /C=GB/O=Example/CN=Root CA
[ec2-user@ip-10-0-1-184 root-ca]$ ls certs/
E4B2307E25CB2934DC7383926A0C2BC0.pem
[ec2-user@ip-10-0-1-184 root-ca]$ file certs/E4B2307E25CB2934DC7383926A0C2BC0.pem
certs/E4B2307E25CB2934DC7383926A0C2BC0.pem: ASCII text
[ec2-user@ip-10-0-1-184 root-ca]$ sha256sum certs/E4B2307E25CB2934DC7383926A0C2BC0.pem
0f0202a40b015073104b25e7ea12d3dfa4f967f482e1a6f4e20e60f7ef78d007  certs/E4B2307E25CB2934DC7383926A0C2BC0.pem
[ec2-user@ip-10-0-1-184 root-ca]$ sha256sum root-ca.crt
0f0202a40b015073104b25e7ea12d3dfa4f967f482e1a6f4e20e60f7ef78d007  root-ca.crt
[ec2-user@ip-10-0-1-184 root-ca]$ cat root-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:b2:30:7e:25:cb:29:34:dc:73:83:92:6a:0c:2b:c0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=Example, CN=Root CA
        Validity
            Not Before: Aug 15 10:50:55 2019 GMT
            Not After : Aug 12 10:50:55 2029 GMT
        Subject: C=GB, O=Example, CN=Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bc:51:05:cf:34:5c:d2:3f:3b:5a:86:cf:b5:3a:
                    34:b2:34:d0:2e:39:da:fa:3b:e0:96:21:83:87:75:
                    67:32:3a:fe:99:f3:a1:00:e2:d7:60:0f:ef:8c:2b:
                    1b:08:90:1f:40:0f:09:e6:fe:f8:ed:5b:b8:b6:26:
                    86:61:e1:94:e5:b5:11:40:6a:a6:be:1c:35:a8:67:
                    09:dc:20:ca:51:78:9f:49:12:86:49:db:30:83:81:
                    ab:91:cf:52:b9:a4:18:63:a5:cb:2a:3f:fb:57:15:
                    fa:35:8b:28:fc:0a:fa:51:6a:30:96:57:b6:a0:03:
                    4b:83:a1:f3:04:9e:3f:e3:e5:24:b2:e2:ca:32:a6:
                    18:90:28:fd:e9:74:49:d0:8e:9e:90:34:8f:91:59:
                    97:0f:01:80:2d:08:3a:c8:6b:cd:39:ad:88:c0:30:
                    a6:23:cb:54:5a:0a:3a:ed:79:ba:a0:55:a4:76:9e:
                    00:3e:05:e4:7b:e5:ad:1d:e5:9c:01:f9:b6:84:54:
                    51:4a:7a:79:83:d0:c9:01:11:ab:73:3f:00:03:78:
                    4a:b7:84:c4:32:89:f5:da:b0:19:32:6f:6c:81:70:
                    93:b3:d3:08:36:f1:b6:e8:d2:64:38:15:13:93:74:
                    92:22:dc:c5:69:f6:8b:54:71:7a:1c:9c:14:2b:2e:
                    c0:fa:88:60:75:59:90:97:e0:1d:ae:72:ff:40:9c:
                    37:dd:95:e7:4b:64:e4:bb:a7:04:29:e2:b3:7c:50:
                    b7:07:9a:56:6a:73:96:a6:62:71:15:ee:f3:07:33:
                    2e:81:7c:2b:28:75:d9:23:72:a1:6e:00:ae:b2:57:
                    cb:d9:b5:bd:85:cb:af:39:2d:cd:68:2b:37:96:e6:
                    8e:6c:11:7d:ea:aa:05:ab:71:dd:38:66:20:a0:6f:
                    75:25:95:0d:35:ae:11:d1:45:67:2e:11:d0:f9:97:
                    d5:79:a2:3e:cd:01:a1:f0:98:a7:91:56:53:a4:20:
                    1b:8e:4d:b7:43:9b:e7:fc:5e:ce:cc:ec:91:fa:32:
                    e4:c9:50:df:a5:bc:72:e8:ae:5e:ad:49:7a:43:47:
                    e6:fb:15:d1:1b:1f:02:46:35:ee:c0:05:58:6d:0d:
                    8d:ad:7b:dc:ca:0c:ac:37:5c:66:57:cc:b4:ca:5c:
                    b9:a4:fc:08:3d:2e:d8:82:e0:f5:95:39:c5:0e:14:
                    26:66:ff:f3:b0:99:21:3a:ac:64:a2:8b:43:10:12:
                    81:ed:9c:40:9a:9d:a6:24:43:9e:0a:eb:01:56:30:
                    dd:48:69:5a:28:c2:68:6c:3b:f9:93:55:33:31:89:
                    f8:6c:7d:66:fa:6e:3f:4c:98:3c:85:f7:0d:65:f6:
                    42:93:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                91:17:8D:20:E9:31:34:47:97:21:8B:28:61:62:32:61:A6:39:75:E3
    Signature Algorithm: sha256WithRSAEncryption
         71:05:ac:87:de:da:da:7d:1b:d9:13:e3:a0:0c:4e:41:53:4f:
         a4:54:1e:a8:8a:1a:16:9b:61:ba:dd:3f:d1:e4:f2:18:35:e8:
         7d:44:0e:48:ab:dc:90:80:24:ab:f6:00:f3:f2:29:d0:40:9d:
         f7:45:52:6a:6c:c0:91:fb:83:73:b7:b0:7b:5d:4e:8a:8b:a9:
         a3:27:4d:5e:e2:15:05:1b:c5:69:5a:5d:71:bb:50:65:72:00:
         bc:dc:f0:0a:32:c0:3c:80:71:3a:08:9f:b5:d4:b2:75:e3:23:
         4f:40:cd:d4:5e:7c:b6:c9:74:37:43:52:6b:73:80:5f:83:7e:
         22:0d:4e:37:c1:32:ea:c3:d6:51:ff:14:3f:25:2c:d5:b2:ab:
         96:3c:a9:cd:80:7c:71:20:a5:64:bb:de:3b:38:57:9f:08:03:
         39:00:91:be:b2:ce:73:e2:7b:99:bf:c7:65:d8:9a:7b:af:d8:
         ef:20:7e:6b:a0:bb:f2:56:b2:9e:6b:62:98:ee:c1:c7:7c:6c:
         80:08:1d:8a:fd:8f:f1:77:8d:a9:a1:57:e7:a8:38:4e:44:86:
         72:c3:2c:5d:b4:73:b2:e0:23:91:a8:d5:8c:97:3e:4c:b7:48:
         1f:21:a8:a0:3b:db:8b:9b:d8:96:00:a4:96:30:28:12:1b:56:
         bd:6a:67:6c:ff:ce:6a:5c:07:8f:5f:32:d1:34:82:ff:e5:81:
         c9:f1:f4:4a:2b:06:7d:f3:6f:07:7a:f0:c1:8a:6c:a2:9a:57:
         8e:91:b7:cc:f8:90:0b:b7:f9:0c:1a:77:61:e8:02:84:7a:35:
         39:93:f1:61:76:01:2b:b9:6b:ad:a6:f2:34:da:75:64:64:86:
         7a:0b:ac:68:9b:4d:91:d7:88:36:b6:ed:e9:6b:5b:6a:6b:34:
         0c:56:98:d4:67:20:7b:ec:4f:e7:43:77:71:03:ab:f2:47:31:
         d8:03:91:21:8f:89:ed:84:55:dd:b0:0a:2d:11:17:e4:cb:25:
         92:0d:2c:4a:f6:1b:1c:f0:37:1f:ea:cc:f3:bc:c1:eb:a6:6a:
         9c:36:02:90:a3:66:db:e4:93:98:a7:c3:65:5a:45:4f:79:c6:
         4c:f5:03:f6:1f:c7:fe:a8:49:2e:13:bc:4d:a8:c0:4b:40:5e:
         ae:7f:84:a9:d8:38:5b:c8:53:3a:cf:b7:56:1a:ef:52:73:39:
         11:6d:ad:56:e1:82:e5:4d:01:1c:d1:b1:66:05:db:da:52:5c:
         7f:13:7f:b1:14:32:99:72:32:62:38:bf:7d:c2:db:ae:b9:e8:
         51:dd:4a:0d:33:e8:b8:af:cd:8e:00:36:12:8a:58:d3:80:a5:
         12:8f:ae:b7:4f:0f:1e:14
-----BEGIN CERTIFICATE-----
(snipped)
-----END CERTIFICATE-----

■ Root CA operations (11.4.2 Creating the root CA)

[ec2-user@ip-10-0-1-184 root-ca]$ openssl ca -gencrl -config root-ca.conf -out root-ca.crl
Using configuration from root-ca.conf
Enter pass phrase for ./private/root-ca.key:
[ec2-user@ip-10-0-1-184 root-ca]$ ls -la
total 24
drwxrwxr-x 5 ec2-user ec2-user  140 Aug 15 11:07 .
drwxrwxr-x 3 ec2-user ec2-user   21 Aug 15 10:43 ..
drwxrwxr-x 2 ec2-user ec2-user   50 Aug 15 10:51 certs
drwxrwxr-x 2 ec2-user ec2-user  124 Aug 15 11:07 db
drwx------ 2 ec2-user ec2-user   25 Aug 15 10:46 private
-rw-rw-r-- 1 ec2-user ec2-user 2542 Aug 15 10:43 root-ca.conf
-rw-rw-r-- 1 ec2-user ec2-user  934 Aug 15 11:07 root-ca.crl
-rw-rw-r-- 1 ec2-user ec2-user 6876 Aug 15 10:51 root-ca.crt
-rw-rw-r-- 1 ec2-user ec2-user 1732 Aug 15 10:46 root-ca.csr
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf
[ec2-user@ip-10-0-1-184 root-ca]$ file root-ca.crl
root-ca.crl: ASCII text
[ec2-user@ip-10-0-1-184 root-ca]$ cat root-ca.crl
-----BEGIN X509 CRL-----
MIICijB0AgEBMA0GCSqGSIb3DQEBCwUAMDExCzAJBgNVBAYTAkdCMRAwDgYDVQQK
DAdFeGFtcGxlMRAwDgYDVQQDDAdSb290IENBFw0xOTA4MTUxMTA3NDFaFw0yMDA4
MTQxMTA3NDFaoA8wDTALBgNVHRQEBAICEAEwDQYJKoZIhvcNAQELBQADggIBALoF
+uQtv1MlcCc2WvdOnsFVAjlJLW5qtKn8N+XN1Lvl0wKaCIbRkmIvguBZl0eImTVx
zvytiDkT/FR7P3SlF3Sz4HRuUuWJD0/XX2Wr38fnqPQj9APA/b0I7zR7TDW9Yrs1
a9wdwWGBwv2ByuSPV2lM37S0sutLCTcBBE/c0ETfCxY++ePu3RLbuC3SGYVbnP6l
qE6cIRrxH774i/KWAVDjT/H0yOjME1N6TNXbPJ1/hMD46qGHxlRyymaPOkGJZww2
sP62o4Mie9DM4wveyr+eaMSwcIkaWfzbtFTwK0H8ZRBaPdrm9dpMvR4lBai1YbSc
r3C+EPFBUyKMuHSYyfAODsVHgoT4X4uTqtJCWJJBqJYFA0O6o2pPH/7Sw5Hq5vAr
fIwXRQVS7Sj9M191QqqIkLRKX54ZRkHc7j6k0tNcrG6XA9t2xKx997IyiVGF7N+r
xTBBHY89/G6yS4IYGCCr3tbZqVJbzqefgTlZAtW/zcrxXDJ/AI7a3JccvVWeerfa
4Oqud1ykB2KUDvR3s5TtnTb3sjzhH3q9T4pw7RpxD/RVcRrGgG3+gIAtoFqtAo72
XnWzFfiieOxe4BMm+D1OBWwhgT03Dpd5VgobuQ/8DN4voL2Ek7eXnZZ/48EQd62A
w9WLUD5SR9DrW/Bmr7gM12TbWnUrFPba8twyCeOA
-----END X509 CRL-----

■ Sub CA configuration (11.4.3 Generating the sub CA)

[ec2-user@ip-10-0-1-184 root-ca]$ cd ..
[ec2-user@ip-10-0-1-184 test-ca]$ mkdir sub-ca
[ec2-user@ip-10-0-1-184 test-ca]$ cd sub-ca/
[ec2-user@ip-10-0-1-184 sub-ca]$ ls
[ec2-user@ip-10-0-1-184 sub-ca]$ mv ../root-ca/sub-ca.conf .
[ec2-user@ip-10-0-1-184 sub-ca]$ mkdir certs db private
[ec2-user@ip-10-0-1-184 sub-ca]$ chmod 700 private/
[ec2-user@ip-10-0-1-184 sub-ca]$ touch db/ index
[ec2-user@ip-10-0-1-184 sub-ca]$ openssl rand -hex 16 > db/serial
[ec2-user@ip-10-0-1-184 sub-ca]$ echo 1001 > db/crlnumber
[ec2-user@ip-10-0-1-184 sub-ca]$ ls -l
total 4
drwxrwxr-x 2 ec2-user ec2-user    6 Aug 15 12:06 certs
drwxrwxr-x 2 ec2-user ec2-user   37 Aug 15 12:07 db
-rw-rw-r-- 1 ec2-user ec2-user    0 Aug 15 12:07 index
drwx------ 2 ec2-user ec2-user    6 Aug 15 12:06 private
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf

■ Generating the sub CA (11.4.3 Generating the sub CA)

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl req -new -config sub-ca.conf -out sub-ca.csr -keyout private/sub-ca.key
Generating a 2048 bit RSA private key
................................................................+++
...............................................................................................+++
writing new private key to 'private/sub-ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
[ec2-user@ip-10-0-1-184 sub-ca]$ ls -l
total 8
drwxrwxr-x 2 ec2-user ec2-user    6 Aug 15 12:06 certs
drwxrwxr-x 2 ec2-user ec2-user   37 Aug 15 12:07 db
-rw-rw-r-- 1 ec2-user ec2-user    0 Aug 15 12:07 index
drwx------ 2 ec2-user ec2-user   24 Aug 15 12:09 private
-rw-rw-r-- 1 ec2-user ec2-user 2436 Aug 15 10:43 sub-ca.conf
-rw-rw-r-- 1 ec2-user ec2-user  928 Aug 15 12:09 sub-ca.csr
[ec2-user@ip-10-0-1-184 sub-ca]$ file sub-ca.csr
sub-ca.csr: PEM certificate request
[ec2-user@ip-10-0-1-184 sub-ca]$ cat sub-ca.csr
-----BEGIN CERTIFICATE REQUEST-----
(snipped)
-----END CERTIFICATE REQUEST-----
[ec2-user@ip-10-0-1-184 sub-ca]$ ls -l private/
total 4
-rw-rw-r-- 1 ec2-user ec2-user 1834 Aug 15 12:09 sub-ca.key
[ec2-user@ip-10-0-1-184 sub-ca]$ cat private/sub-ca.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
(snipped)
-----END ENCRYPTED PRIVATE KEY-----
[ec2-user@ip-10-0-1-184 sub-ca]$ openssl ca -config ../root-ca/root-ca.conf -in sub-ca.csr -out sub-ca.crt -extensions sub_ca_ext
Using configuration from ../root-ca/root-ca.conf
Error opening CA private key ./private/root-ca.key
140556420482976:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('./private/root-ca.key','r')
140556420482976:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load CA private key

[ec2-user@ip-10-0-1-184 sub-ca]$ pwd
/home/ec2-user/test-ca/sub-ca
[ec2-user@ip-10-0-1-184 sub-ca]$ cd ../root-ca/

[ec2-user@ip-10-0-1-184 root-ca]$ openssl ca -config ../root-ca/root-ca.conf -in ../sub-ca/sub-ca.csr -out ../sub-ca/sub-ca.crt -extensions sub_ca_ext
Using configuration from ../root-ca/root-ca.conf
Enter pass phrase for ./private/root-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:b2:30:7e:25:cb:29:34:dc:73:83:92:6a:0c:2b:c1
        Issuer:
            countryName               = GB
            organizationName          = Example
            commonName                = Root CA
        Validity
            Not Before: Aug 15 12:12:54 2019 GMT
            Not After : Aug 12 12:12:54 2029 GMT
        Subject:
            countryName               = GB
            organizationName          = Example
            commonName                = Sub CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f6:3b:22:1a:fd:c4:be:e3:20:7d:45:30:06:b5:
                    b5:32:45:5d:f7:ff:42:0f:f9:4f:66:6e:84:1c:7d:
                    8c:71:70:38:2b:8f:44:e1:66:a2:ec:b4:e1:0e:f9:
                    3d:2e:f4:22:1f:1c:87:a4:10:a8:4e:b1:a5:e1:6d:
                    84:62:77:76:73:76:7e:2c:1e:48:a7:e0:8f:7d:b2:
                    52:37:3b:b9:1a:fa:42:40:28:ac:0f:bd:75:f2:b5:
                    55:d0:5d:d0:c5:28:be:1b:04:5a:12:64:2f:40:7f:
                    a3:a6:5f:73:03:cf:cc:a8:de:12:02:7e:b8:a2:bf:
                    60:4c:4e:ec:96:11:e1:46:72:39:4e:18:09:ad:18:
                    d5:4b:e2:d1:5b:12:e8:1f:9e:f9:f1:aa:fe:b2:f4:
                    b9:42:f2:c8:f1:95:80:dd:04:d4:68:3f:20:b1:1e:
                    3e:98:1b:70:35:3c:52:1f:c6:a0:33:db:d4:3e:ec:
                    cd:b8:6f:24:04:4f:86:de:7e:81:74:a6:04:3a:92:
                    20:3e:96:61:de:38:6c:7f:60:c9:1c:7c:d9:65:1c:
                    00:ac:87:6f:ef:5a:b8:b4:f5:bd:7b:24:82:52:33:
                    79:c9:a8:9e:51:78:43:0b:a0:69:17:81:f4:cf:ad:
                    bf:3b:e5:e1:8f:ac:6d:b0:8b:2b:43:02:84:08:9e:
                    97:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.example.com/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.example.com:9080

            X509v3 Authority Key Identifier:
                keyid:91:17:8D:20:E9:31:34:47:97:21:8B:28:61:62:32:61:A6:39:75:E3

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://root-ca.example.com/root-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:example.com
                  DNS:example.org
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

            X509v3 Subject Key Identifier:
                D7:20:CA:47:69:F2:02:46:33:37:47:13:AF:C2:3C:F4:BD:4F:AA:60
Certificate is to be certified until Aug 12 12:12:54 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[ec2-user@ip-10-0-1-184 root-ca]$ ls
certs  db  private  root-ca.conf  root-ca.crl  root-ca.crt  root-ca.csr
[ec2-user@ip-10-0-1-184 root-ca]$ ls -l certs/
total 16
-rw-rw-r-- 1 ec2-user ec2-user 6876 Aug 15 10:51 E4B2307E25CB2934DC7383926A0C2BC0.pem
-rw-rw-r-- 1 ec2-user ec2-user 6682 Aug 15 12:14 E4B2307E25CB2934DC7383926A0C2BC1.pem
[ec2-user@ip-10-0-1-184 root-ca]$ sha256sum certs/E4B2307E25CB2934DC7383926A0C2BC1.pem
9d60940125bda469ee0489f1d4f50baa20a969c6251ff96e0c90df936b06b340  certs/E4B2307E25CB2934DC7383926A0C2BC1.pem
[ec2-user@ip-10-0-1-184 root-ca]$ sha256sum ../sub-ca/sub-ca.crt
9d60940125bda469ee0489f1d4f50baa20a969c6251ff96e0c90df936b06b340  ../sub-ca/sub-ca.crt
[ec2-user@ip-10-0-1-184 root-ca]$ cat db/index
V       290812105055Z           E4B2307E25CB2934DC7383926A0C2BC0        unknown /C=GB/O=Example/CN=Root CA
V       290812121254Z           E4B2307E25CB2934DC7383926A0C2BC1        unknown /C=GB/O=Example/CN=Sub CA
[ec2-user@ip-10-0-1-184 root-ca]$ cd ../sub-ca/
[ec2-user@ip-10-0-1-184 sub-ca]$ ls
certs  db  index  private  sub-ca.conf  sub-ca.crt  sub-ca.csr
[ec2-user@ip-10-0-1-184 sub-ca]$ file sub-ca.crt
sub-ca.crt: ASCII text
[ec2-user@ip-10-0-1-184 sub-ca]$ cat sub-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:b2:30:7e:25:cb:29:34:dc:73:83:92:6a:0c:2b:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=Example, CN=Root CA
        Validity
            Not Before: Aug 15 12:12:54 2019 GMT
            Not After : Aug 12 12:12:54 2029 GMT
        Subject: C=GB, O=Example, CN=Sub CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f6:3b:22:1a:fd:c4:be:e3:20:7d:45:30:06:b5:
                    b5:32:45:5d:f7:ff:42:0f:f9:4f:66:6e:84:1c:7d:
                    8c:71:70:38:2b:8f:44:e1:66:a2:ec:b4:e1:0e:f9:
                    3d:2e:f4:22:1f:1c:87:a4:10:a8:4e:b1:a5:e1:6d:
                    84:62:77:76:73:76:7e:2c:1e:48:a7:e0:8f:7d:b2:
                    52:37:3b:b9:1a:fa:42:40:28:ac:0f:bd:75:f2:b5:
                    55:d0:5d:d0:c5:28:be:1b:04:5a:12:64:2f:40:7f:
                    a3:a6:5f:73:03:cf:cc:a8:de:12:02:7e:b8:a2:bf:
                    60:4c:4e:ec:96:11:e1:46:72:39:4e:18:09:ad:18:
                    d5:4b:e2:d1:5b:12:e8:1f:9e:f9:f1:aa:fe:b2:f4:
                    b9:42:f2:c8:f1:95:80:dd:04:d4:68:3f:20:b1:1e:
                    3e:98:1b:70:35:3c:52:1f:c6:a0:33:db:d4:3e:ec:
                    cd:b8:6f:24:04:4f:86:de:7e:81:74:a6:04:3a:92:
                    20:3e:96:61:de:38:6c:7f:60:c9:1c:7c:d9:65:1c:
                    00:ac:87:6f:ef:5a:b8:b4:f5:bd:7b:24:82:52:33:
                    79:c9:a8:9e:51:78:43:0b:a0:69:17:81:f4:cf:ad:
                    bf:3b:e5:e1:8f:ac:6d:b0:8b:2b:43:02:84:08:9e:
                    97:91
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.example.com/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.example.com:9080

            X509v3 Authority Key Identifier:
                keyid:91:17:8D:20:E9:31:34:47:97:21:8B:28:61:62:32:61:A6:39:75:E3

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://root-ca.example.com/root-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:example.com
                  DNS:example.org
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

            X509v3 Subject Key Identifier:
                D7:20:CA:47:69:F2:02:46:33:37:47:13:AF:C2:3C:F4:BD:4F:AA:60
    Signature Algorithm: sha256WithRSAEncryption
         74:41:47:39:d2:ea:09:93:ed:d2:ee:6e:09:c6:e0:39:cc:ea:
         39:85:41:a1:e4:78:4d:43:dd:1a:a3:78:26:cd:c3:0f:1a:45:
         6b:53:a1:d8:e7:50:cb:1c:32:05:8a:4b:2a:b1:61:f7:c8:59:
         8a:19:b6:7d:85:fc:a8:f6:54:60:d2:62:12:61:20:7e:07:38:
         a6:8a:02:5d:49:c5:34:9b:48:ea:0e:31:20:85:ad:5a:0c:d2:
         e6:29:45:2c:83:02:3d:50:d8:2b:da:87:10:73:63:db:c2:e6:
         a6:6f:64:5c:5c:07:d9:1e:37:f3:23:d2:9c:de:f3:d4:a5:20:
         1f:6e:f9:84:4a:33:7c:ab:f7:0c:09:ba:f8:a0:98:c0:d2:4d:
         be:1b:3d:6e:53:1c:db:e2:93:0e:e3:bd:e9:2c:8b:11:fb:a1:
         28:9c:cf:02:43:40:14:be:62:a2:5e:c3:82:e6:25:af:fb:bf:
         5c:ff:bb:03:ee:fe:75:6a:b4:be:55:92:3f:3b:1b:c7:29:27:
         ac:eb:82:d2:76:07:1d:2e:fa:f9:cc:d0:98:6b:b7:21:e7:79:
         1d:03:fa:4c:00:7b:c5:fc:b9:16:86:c0:45:ec:92:1c:2e:67:
         e0:88:c4:6f:85:5c:a1:a5:34:00:8f:2f:71:10:7c:15:13:8c:
         63:d0:b3:e1:d5:47:e3:c6:e9:e5:23:6f:6d:5b:14:bd:18:b4:
         70:30:83:10:ee:8e:a2:e2:0f:c2:cb:a9:38:0b:8c:f3:17:41:
         d2:00:5d:c0:21:0e:b7:35:9f:c3:fa:d6:7d:d7:14:a5:18:95:
         c1:11:88:0e:0f:c9:95:dd:2a:22:c4:66:cc:ba:49:4d:48:56:
         83:5f:07:52:9e:c1:dd:c8:5e:96:e1:2f:06:a8:ba:e4:33:bf:
         b1:d6:1f:e3:36:ab:11:bc:55:8a:34:ca:d4:69:76:54:9f:09:
         3a:f0:5c:3d:6e:37:a5:57:b2:c8:b8:c8:87:4e:28:02:58:96:
         58:e5:5c:37:a3:68:e4:a1:49:7f:ea:56:8f:cd:13:c1:15:8b:
         71:b0:78:71:d2:d3:6f:45:5b:1e:65:da:3b:8d:76:1d:99:6f:
         8b:42:5a:41:d8:c3:49:96:03:dd:50:29:cf:10:cf:2b:4e:ea:
         b8:71:10:38:6c:cc:9b:9d:e2:58:67:69:27:e0:eb:4a:e9:dc:
         8f:17:9a:b4:52:f0:27:59:df:4d:0e:09:98:64:46:c3:69:fb:
         f2:d1:fa:e4:d2:4e:7b:7b:f7:79:96:86:67:01:35:23:a3:b5:
         f7:aa:38:ac:cd:bf:d8:e8:3c:3d:9e:8e:6c:ca:3b:3f:c1:18:
         55:76:00:2a:ce:78:f1:4a
-----BEGIN CERTIFICATE-----
(snipped)
-----END CERTIFICATE-----
[ec2-user@ip-10-0-1-184 sub-ca]$

■ Sub CA operations (11.4.3 Generating the sub CA)

11.2.1 Key generation

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[ec2-user@ip-10-0-1-184 sub-ca]$ ls
certs  db  index  private  server.key  sub-ca.conf  sub-ca.crt  sub-ca.csr
[ec2-user@ip-10-0-1-184 sub-ca]$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,BC124234D0840ADB821F0E84659687D8

(snipped)
-----END RSA PRIVATE KEY-----
[ec2-user@ip-10-0-1-184 sub-ca]$ file server.key
server.key: PEM RSA private key

11.2.2 Generating a CSR

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Example
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test.example.com
Email Address []:test@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[ec2-user@ip-10-0-1-184 sub-ca]$ openssl req -text -in server.csr -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, L=Default City, O=Example, CN=test.example.com/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:25:93:06:e1:d6:74:87:c5:7c:2f:94:1c:73:
                    e8:64:54:a0:e8:4b:b4:4e:a3:f9:09:12:c9:c0:82:
                    eb:bc:22:27:5b:d6:43:a6:39:c2:b7:73:5f:eb:9f:
                    93:28:98:f9:2b:89:2c:de:cb:70:eb:37:14:65:97:
                    86:03:7c:21:f8:b9:73:79:dc:a3:5a:80:8c:99:43:
                    0b:cb:a9:d4:9d:58:e2:ca:a6:a1:b8:cc:42:43:71:
                    53:6b:6e:62:e2:c3:7a:a4:56:30:5e:d7:b3:eb:c7:
                    5d:ee:d4:0f:4f:6a:0a:7a:29:cd:dc:4c:22:56:23:
                    7f:88:12:8e:63:85:98:c6:5b:a5:c1:a0:75:9a:07:
                    8d:cb:33:06:40:c0:c2:36:65:bf:14:5b:79:d4:f1:
                    e1:c1:c6:df:88:a1:4a:fa:20:70:f8:52:50:38:58:
                    07:af:20:14:ed:7b:11:a4:91:d2:56:91:8a:5e:0b:
                    47:cd:dd:43:8b:78:12:fa:a7:8e:12:ef:3c:13:0b:
                    35:60:3e:a2:d6:fb:6d:2b:65:6b:01:96:36:a8:c2:
                    67:d2:77:80:8b:4d:4c:74:06:50:e6:c3:53:59:32:
                    a3:0f:72:73:f6:26:96:14:05:6b:e4:ae:55:66:d2:
                    81:b0:13:16:a9:ac:dd:f4:65:ed:5a:2c:00:e8:7c:
                    74:5b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         31:3a:9e:43:d8:e0:cf:94:91:99:ef:6e:d0:e8:87:17:3f:10:
         a3:45:dc:0c:b5:15:a3:8f:b3:b6:df:b5:dd:f3:d8:f9:2a:86:
         fd:d9:e0:e3:a1:e4:2f:84:51:c9:21:78:01:64:42:8c:1a:ab:
         e0:34:f9:5b:b8:de:01:02:41:d0:3d:ed:5d:64:e9:ef:0b:d6:
         0b:f7:3d:fc:08:c3:36:20:a7:63:f9:e1:45:e4:99:a7:f4:38:
         79:ee:43:3b:25:6f:bd:68:42:9c:14:1e:c6:ae:65:f3:02:78:
         93:f3:c4:1e:38:63:b5:cb:4a:cc:bd:53:bf:91:b6:34:1f:ca:
         0c:e5:eb:a8:96:a3:d7:d8:a8:f0:51:85:14:78:64:75:73:86:
         90:20:b7:a8:b5:54:0c:7f:d0:88:c2:8a:5a:6b:df:a8:0b:51:
         9f:99:0c:fe:43:b7:4e:68:07:86:ee:90:f1:18:f8:20:16:b4:
         44:cd:97:90:c6:d0:54:82:2e:01:1c:9d:2e:ae:6f:8c:46:4f:
         dc:fb:cb:7d:19:a8:48:a9:f1:35:fb:92:33:73:d4:af:22:ff:
         50:32:11:c7:1a:5f:24:7f:97:3d:37:4c:9d:1a:76:79:b5:92:
         7c:e7:aa:e4:2a:04:19:2c:03:9b:9e:87:11:26:fc:9c:4b:60:
         98:d1:30:8b
[ec2-user@ip-10-0-1-184 sub-ca]$

■Operations on the sub CA, 11.4.3 Generating the sub CA

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
Using configuration from sub-ca.conf
Enter pass phrase for ./private/sub-ca.key:
./db/index: No such file or directory
unable to open './db/index'
139741968721824:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('./db/index','r')
139741968721824:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[ec2-user@ip-10-0-1-184 sub-ca]$ ls
certs  db  index  private  server.csr  server.key  sub-ca.conf  sub-ca.crt  sub-ca.csr
[ec2-user@ip-10-0-1-184 sub-ca]$ mv index db/

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
Using configuration from sub-ca.conf
Enter pass phrase for ./private/sub-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:4f:14:21:00:da:47:81:fc:46:bb:d8:08:f2:06:18
        Issuer:
            countryName               = GB
            organizationName          = Example
            commonName                = Sub CA
        Validity
            Not Before: Aug 15 14:01:09 2019 GMT
            Not After : Aug 14 14:01:09 2020 GMT
        Subject:
            countryName               = GB
            organizationName          = Example
            commonName                = test.example.com
            emailAddress              = test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:25:93:06:e1:d6:74:87:c5:7c:2f:94:1c:73:
                    e8:64:54:a0:e8:4b:b4:4e:a3:f9:09:12:c9:c0:82:
                    eb:bc:22:27:5b:d6:43:a6:39:c2:b7:73:5f:eb:9f:
                    93:28:98:f9:2b:89:2c:de:cb:70:eb:37:14:65:97:
                    86:03:7c:21:f8:b9:73:79:dc:a3:5a:80:8c:99:43:
                    0b:cb:a9:d4:9d:58:e2:ca:a6:a1:b8:cc:42:43:71:
                    53:6b:6e:62:e2:c3:7a:a4:56:30:5e:d7:b3:eb:c7:
                    5d:ee:d4:0f:4f:6a:0a:7a:29:cd:dc:4c:22:56:23:
                    7f:88:12:8e:63:85:98:c6:5b:a5:c1:a0:75:9a:07:
                    8d:cb:33:06:40:c0:c2:36:65:bf:14:5b:79:d4:f1:
                    e1:c1:c6:df:88:a1:4a:fa:20:70:f8:52:50:38:58:
                    07:af:20:14:ed:7b:11:a4:91:d2:56:91:8a:5e:0b:
                    47:cd:dd:43:8b:78:12:fa:a7:8e:12:ef:3c:13:0b:
                    35:60:3e:a2:d6:fb:6d:2b:65:6b:01:96:36:a8:c2:
                    67:d2:77:80:8b:4d:4c:74:06:50:e6:c3:53:59:32:
                    a3:0f:72:73:f6:26:96:14:05:6b:e4:ae:55:66:d2:
                    81:b0:13:16:a9:ac:dd:f4:65:ed:5a:2c:00:e8:7c:
                    74:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.example.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.example.com:9081

            X509v3 Authority Key Identifier:
                keyid:D7:20:CA:47:69:F2:02:46:33:37:47:13:AF:C2:3C:F4:BD:4F:AA:60

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sub-ca.example.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                4A:7F:F1:0D:7B:C2:62:34:04:BC:71:E4:7D:63:13:A1:05:F6:09:0C
Certificate is to be certified until Aug 14 14:01:09 2020 GMT (365 days)
Sign the certificate? [y/n]:yy


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[ec2-user@ip-10-0-1-184 sub-ca]$ file server.crt
server.crt: ASCII text
[ec2-user@ip-10-0-1-184 sub-ca]$ cat server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:4f:14:21:00:da:47:81:fc:46:bb:d8:08:f2:06:18
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=Example, CN=Sub CA
        Validity
            Not Before: Aug 15 14:01:09 2019 GMT
            Not After : Aug 14 14:01:09 2020 GMT
        Subject: C=GB, O=Example, CN=test.example.com/emailAddress=test@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:25:93:06:e1:d6:74:87:c5:7c:2f:94:1c:73:
                    e8:64:54:a0:e8:4b:b4:4e:a3:f9:09:12:c9:c0:82:
                    eb:bc:22:27:5b:d6:43:a6:39:c2:b7:73:5f:eb:9f:
                    93:28:98:f9:2b:89:2c:de:cb:70:eb:37:14:65:97:
                    86:03:7c:21:f8:b9:73:79:dc:a3:5a:80:8c:99:43:
                    0b:cb:a9:d4:9d:58:e2:ca:a6:a1:b8:cc:42:43:71:
                    53:6b:6e:62:e2:c3:7a:a4:56:30:5e:d7:b3:eb:c7:
                    5d:ee:d4:0f:4f:6a:0a:7a:29:cd:dc:4c:22:56:23:
                    7f:88:12:8e:63:85:98:c6:5b:a5:c1:a0:75:9a:07:
                    8d:cb:33:06:40:c0:c2:36:65:bf:14:5b:79:d4:f1:
                    e1:c1:c6:df:88:a1:4a:fa:20:70:f8:52:50:38:58:
                    07:af:20:14:ed:7b:11:a4:91:d2:56:91:8a:5e:0b:
                    47:cd:dd:43:8b:78:12:fa:a7:8e:12:ef:3c:13:0b:
                    35:60:3e:a2:d6:fb:6d:2b:65:6b:01:96:36:a8:c2:
                    67:d2:77:80:8b:4d:4c:74:06:50:e6:c3:53:59:32:
                    a3:0f:72:73:f6:26:96:14:05:6b:e4:ae:55:66:d2:
                    81:b0:13:16:a9:ac:dd:f4:65:ed:5a:2c:00:e8:7c:
                    74:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.example.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.example.com:9081

            X509v3 Authority Key Identifier:
                keyid:D7:20:CA:47:69:F2:02:46:33:37:47:13:AF:C2:3C:F4:BD:4F:AA:60

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sub-ca.example.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                4A:7F:F1:0D:7B:C2:62:34:04:BC:71:E4:7D:63:13:A1:05:F6:09:0C
    Signature Algorithm: sha256WithRSAEncryption
         2c:eb:95:bb:c2:eb:59:cf:27:fb:0a:50:ef:d1:b2:9f:d6:d9:
         05:f6:33:25:04:0a:f7:31:4a:f3:a2:cb:65:4b:fd:56:0a:0b:
         63:0b:dc:93:12:ed:45:da:7c:e7:fc:0a:07:ea:ff:19:b5:90:
         c9:b3:81:4f:5d:e8:37:5d:f3:bc:d6:eb:94:86:37:1d:56:bc:
         93:20:81:b8:4a:ec:69:c6:ba:f2:d4:f9:3a:6f:a3:b5:6a:4e:
         42:9c:ff:f6:1a:a6:96:be:41:7a:13:31:b6:1d:66:af:56:10:
         ad:b1:36:04:77:8f:5b:6d:17:a6:52:2a:8b:83:07:0f:d5:9c:
         87:a9:c9:58:29:04:66:7b:d6:62:5d:b9:26:5f:e5:69:dc:79:
         a5:87:5e:3e:da:22:57:30:55:a7:0d:10:08:7d:31:c9:4b:fa:
         30:27:50:75:12:2b:86:be:c8:82:b0:0d:96:90:89:e0:21:1a:
         13:dc:5b:27:b0:ba:0e:27:15:71:e8:82:21:55:b4:16:3a:c5:
         ae:b9:5d:0d:ef:fe:c0:f8:01:98:78:07:2d:57:07:42:ea:63:
         2d:75:f2:3e:3f:4e:7f:ca:8c:fd:01:0b:ac:6b:22:28:e9:e6:
         4c:3c:4f:67:ac:11:6b:68:58:4e:3c:a1:43:09:66:1d:89:17:
         6a:ef:1b:a2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

If the countryName in the request (server.csr) differs from the one in sub-ca.crt, openssl ca rejects the request with the error below; the CA policy in sub-ca.conf requires that field to match the CA certificate.

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
Using configuration from sub-ca.conf
Enter pass phrase for ./private/sub-ca.key:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (GB) and the request (JP)

Likewise, if the organizationName in the request differs from the one in sub-ca.crt, a second error of the same kind occurs.

[ec2-user@ip-10-0-1-184 sub-ca]$ openssl ca -config sub-ca.conf -in server.csr -out server.crt -extensions server_ext
Using configuration from sub-ca.conf
Enter pass phrase for ./private/sub-ca.key:
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (Example) and the request (Default Company Ltd)
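The signing step and the two policy rejections above, rebuilt as an added example that is not part of the gist or of the book's private-ca files: a throwaway CA whose policy has the same countryName/organizationName "match" rule, a pre-check that explains a mismatch before `openssl ca` refuses the request (and before a serial number is consumed), and a chain verification of the issued certificate. The config, the directory layout under a temp dir, the DNs, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gist): throwaway CA with a C/O "match" policy.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
export OPENSSL_CONF="$WORK/ca.conf"   # every openssl call below reads this config

# Minimal CA config, constructed for the example (not the book's sub-ca.conf).
cat > "$WORK/ca.conf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
dir            = $WORK/ca
database       = \$dir/db/index
new_certs_dir  = \$dir/certs
serial         = \$dir/db/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/private/ca.key
default_md     = sha256
default_days   = 365
policy         = policy_c_o_match
unique_subject = no
# Same rule as the gist's sub CA: C and O must equal the CA's own values.
[policy_c_o_match]
countryName      = match
organizationName = match
commonName       = supplied
emailAddress     = optional
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
C  = GB
O  = Example
CN = Demo CA
[ca_ext]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints       = critical,CA:false
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth,clientAuth
authorityKeyIdentifier = keyid:always
subjectKeyIdentifier   = hash
EOF

setup_ca() {   # directory layout from the gist; db/index is the file it first lacked
  mkdir -p "$WORK/ca/certs" "$WORK/ca/db" "$WORK/ca/private"
  chmod 700 "$WORK/ca/private"
  : > "$WORK/ca/db/index"
  openssl rand -hex 16 > "$WORK/ca/db/serial"
  openssl req -new -x509 -config "$WORK/ca.conf" -extensions ca_ext -days 3650 \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca/private/ca.key" \
    -out "$WORK/ca/ca.crt" >/dev/null 2>&1
}

make_csr() {   # $1=name $2=C $3=O $4=CN  (unencrypted key: throwaway example)
  openssl req -new -config "$WORK/ca.conf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -subj "/C=$2/O=$3/CN=$4" -out "$WORK/$1.csr" >/dev/null 2>&1
}

dn_field() {   # $1=req|x509 $2=file $3=attribute (C, O, CN); prints the value
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$3=//p"
}

precheck_policy() {   # $1=csr $2=ca.crt; 0 only when C and O equal the CA's
  rc=0
  for f in C O; do
    want=$(dn_field x509 "$2" "$f"); got=$(dn_field req "$1" "$f")
    if [ "$want" != "$got" ]; then
      echo "policy mismatch: $f is '$got' in the request but '$want' in the CA" >&2
      rc=1
    fi
  done
  return $rc
}

sign_csr() {   # $1=csr $2=out crt; exit status is openssl ca's (non-zero on policy error)
  openssl ca -batch -config "$WORK/ca.conf" -extensions server_ext \
    -in "$1" -out "$2" >/dev/null 2>&1
}

verify_chain() {   # $1=crt; 0 when the leaf chains to the demo CA
  openssl verify -CAfile "$WORK/ca/ca.crt" "$1" >/dev/null 2>&1
}

setup_ca
make_csr good GB Example test.example.com   # same C and O as the CA
make_csr bad  JP Example test.example.com   # countryName differs, as in the gist
for name in good bad; do
  if precheck_policy "$WORK/$name.csr" "$WORK/ca/ca.crt" \
     && sign_csr "$WORK/$name.csr" "$WORK/$name.crt" \
     && verify_chain "$WORK/$name.crt"; then
    echo "$name.csr: signed and verified against the CA"
  else
    echo "$name.csr: rejected"
  fi
done
```

The pre-check reads the same RFC 2253 subject from both the CSR and the CA certificate, so it reports exactly the field `openssl ca` would complain about; running it first keeps a rejected request from touching `db/index` or `db/serial`. The final `openssl verify` is the check worth adding after any signing step: it confirms the certificate was issued by the CA you meant and that its extensions (CA:FALSE here) are acceptable for a leaf.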