simple private ca
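# Creating a Private Certificate Authority
# https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
# Template https://github.com/ivanr/bulletproof-tls/blob/master/private-ca/root-ca.conf
#
# Read by the openssl(1) "req" and "ca" commands via -config. OpenSSL config
# syntax: "#" starts a full-line comment, "$var" expands a value defined
# earlier in the same section or in [default], and "[section]" headers group
# the settings that follow.
#
# The first part of the configuration file contains some basic CA information,
# such as the name and the base URL, and the components of the CA’s
# distinguished name. Because the syntax is flexible, information needs to be
# provided only once:

[default]
# Base name of the CA key and certificate files; referenced as $name below.
name = ca
# Section the "ca" command uses when no -name is given on the command line.
default_ca = ca_default
# Display options for subject/issuer names in "ca" output.
name_opt = utf8,esc_ctrl,multiline,lname,align

# Subject of the self-signed root certificate ([req] distinguished_name).
[ca_dn]
countryName = "DE"
organizationName = "MyOrganization"
commonName = "Root Private CA"

# The second part directly controls the CA’s operation. For full information on
# each setting, consult the documentation for the ca command (man ca on the
# command line). Most of the settings are self-explanatory; we mostly tell
# OpenSSL where we want to keep our files. Because this root CA is going to be
# used only for the issuance of subordinate CAs, I chose to have the
# certificates valid for 10 years. For the signature algorithm, the secure
# SHA256 is used by default.
#
# The default policy (policy_c_o_match) is configured so that all certificates
# issued from this CA have the countryName and organizationName fields that
# match that of the CA. This wouldn’t be normally done by a public CA, but it’s
# appropriate for a private CA:

[ca_default]
# Everything lives directly under this directory (no private/ or db/ subdirs).
home = ./ca
database = $home/certs.db
serial = $home/serial
# While this stays commented out, CRLs are issued without a crlNumber
# extension. To number them, create the counter file under $home first and
# then enable this line.
#crlnumber = $home/crlnumber
# Resolve to $home/ca.key and $home/ca.crt; written via $name so the file
# names follow [default] name. The key is created passphrase-encrypted (see
# encrypt_key in [req]); keep the file itself readable only by the CA operator.
private_key = $home/$name.key
certificate = $home/$name.crt
RANDFILE = $home/random
new_certs_dir = $home
# Allow more than one valid certificate with the same subject (renewals
# without revoking the previous certificate first).
unique_subject = no
# Never copy extensions out of a CSR into the issued certificate: every
# extension comes from this file (or -extensions on the command line), so a
# requester cannot ask for CA:true or additional key usages.
copy_extensions = none
# Days; 10 years, since this root only issues subordinate CAs.
default_days = 3650
# Days a CRL produced by "ca -gencrl" stays valid.
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

# "match" fields must equal the CA's own subject; "supplied" must be present;
# "optional" may be absent.
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# The third part contains the configuration for the req command, which is
# going to be used only once, during the creation of the self-signed root
# certificate. The most important parts are in the extensions: the
# basicConstraints extension indicates that the certificate is a CA, and
# keyUsage contains the appropriate settings for this scenario:

[req]
# RSA modulus size for the generated key.
default_bits = 4096
# Extensions placed in the self-signed root certificate (req -x509).
x509_extensions = my_extensions
# Protect the generated private key with a passphrase.
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
# Take the subject from [ca_dn] instead of prompting.
prompt = no
distinguished_name = ca_dn
# Extensions placed in a CSR (req without -x509).
req_extensions = ca_ext

# CSR extensions: a plain CA profile (sign certificates and CRLs only).
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

# Self-signed root certificate extensions. keyCertSign lets the root sign
# certificates; cRLSign is required for the CRLs produced with default_crl_days
# above (a verifier that checks key usage rejects a CRL signed by a certificate
# without it). keyEncipherment is a leaf (TLS key-transport) usage and is not
# needed for a CA key, so it is not granted.
[my_extensions]
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
basicConstraints = critical,CA:true
# Some verifiers (Windows CryptoAPI, Chromium) treat an EKU on a CA
# certificate as a constraint on what may chain through it, so only
# serverAuth end-entity certificates will validate under this root there.
extendedKeyUsage = critical,serverAuth
subjectKeyIdentifier = hash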