Creating a Certificate Authority (CA), Issuing and Renewing Certificates
27th Oct 2007, 11:53:58
How to create a certificate authority to self-sign certificates.
Updated 25th January 2009
Admission: Much of this information has been plagiarised from http://www.eclectica.ca/howto/ssl-cert-howto.php because I can never find it in my bookmarks and have to refer to it every time I need to issue a certificate.
"Portions of this document researched and written by Marcus Redivo. Permission to use this document for any purpose is hereby granted, providing that the copyright information and this disclaimer is retained. Author accepts no responsibility for any consequences arising from the use of this information. Copyright © 1996, 2007 Marcus Redivo. All rights reserved."
Create the CA itself
You only have to do this once.
# cd /etc/ssl/certs
# mkdir CA
# cd CA
# mkdir newcerts private
# echo '01' >serial
# touch index.txt
Create a configuration file for OpenSSL. Note that the two default_md = md5 lines date from 2007; current OpenSSL builds and TLS clients reject MD5-signed certificates, so use sha256 for a CA you set up today:
# vi openssl.cnf
# OpenSSL configuration file.
# Establish working directory.
dir = .

[ req ]
default_bits = 4096                  # Size of keys
default_keyfile = key.pem            # name of generated keys
default_md = md5                     # message digest algorithm
string_mask = nombstr                # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req              # extensions added to requests

[ req_distinguished_name ]
# Variable name           Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

##############################################################################
# CHANGE THESE FOR YOUR OWN REQUIREMENTS, DON'T USE TOASTPUTER, STAFFORD ETC!!
#
# Default values for the above, for consistency and less typing.
# Variable name                   Value
#------------------------------   ------------------------------
0.organizationName_default = Toastputer
localityName_default = Stafford
stateOrProvinceName_default = Staffordshire
countryName_default = UK
emailAddress_default = invalid.stocksy@toastputer.net
#
# END CHANGES
##############################################################################

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Create the CA certificate. 7300 days is 20 years, which should be ample. Do not forget the password it prompts you for, and make it a strong one: the security of every certificate you issue depends on it.
# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 7300 -config ./openssl.cnf
Create and sign certificates for your applications.
# openssl req -new -nodes -out mx.toastputer.net-req.pem -config ./openssl.cnf
# openssl ca -out mx.toastputer.net-cert.pem -config ./openssl.cnf -infiles mx.toastputer.net-req.pem
# mv key.pem mx.toastputer.net-key.pem
Important: Make sure that the CN (common name) matches the FQDN (eg mx.toastputer.net) for the server you are installing the certificate on!
Some programs (like Postfix) like a separate cert.pem and key.pem file, in which case you can just copy the *-key.pem and *-cert.pem files to somewhere that the application can read them.
Other programs (like Apache) want the key and the certificate smooshed together. Smoosh away:
# cat mx.toastputer.net-key.pem mx.toastputer.net-cert.pem > mx.toastputer.net-key-cert.pem
Now copy the *-key-cert.pem somewhere and tell the program to use it.
Renewing certificates
Your certificates will expire one year after creation (default_days = 365 in the openssl.cnf above, unless you passed -days to openssl ca). To renew one, you must revoke the old certificate and re-sign the original signing request:
# cd /etc/ssl/certs/CA
# grep 'CN=mx\.toastputer\.net' index.txt
V 086056054153Z 0A unknown /C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net
The serial number is '0A', so we revoke newcerts/0A.pem:
# openssl ca -revoke newcerts/0A.pem -config ./openssl.cnf
Delete the old certs but keep the old mx.toastputer.net-key.pem and mx.toastputer.net-req.pem, then create the new cert:
# rm mx.toastputer.net-cert.pem mx.toastputer.net-key-cert.pem
# openssl ca -out mx.toastputer.net-cert.pem -config ./openssl.cnf -infiles mx.toastputer.net-req.pem
Smoosh the key and the cert together, but only if the program using them requires it:
# cat mx.toastputer.net-key.pem mx.toastputer.net-cert.pem > mx.toastputer.net-key-cert.pem
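Finding the right serial in index.txt is the step in the renewal above that is easiest to get wrong once the CA has issued and revoked a few certificates for the same host. The script below is an added example, not part of the original post or of OpenSSL: it picks the valid (V) entry whose CN matches exactly and prints the revoke command rather than running it. It assumes the tab-separated index.txt layout written by openssl ca (status, expiry, revocation date, serial, filename, subject DN); the sample index is constructed here.

```shell
# Constructed sample index.txt in the layout "openssl ca" writes: status,
# expiry, revocation date, serial, filename, subject DN, tab-separated.
# It holds a revoked (R) older cert for mx and a CN that merely shares a
# prefix, so only the exact, still-valid entry should be chosen.
make_sample_index() {
    f=$(mktemp)
    printf 'R\t081027115358Z\t090125120000Z\t09\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net\n' >"$f"
    printf 'V\t100125120000Z\t\t0A\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net\n' >>"$f"
    printf 'V\t100125120000Z\t\t0B\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=www.toastputer.net\n' >>"$f"
    printf 'V\t100125120000Z\t\t0C\tunknown\t/C=UK/ST=Staffordshire/O=Toastputer/CN=mx.toastputer.net.old\n' >>"$f"
    echo "$f"
}

# Print the serial of the valid (V) certificate whose subject CN is exactly $1,
# reading the index file $2. Returns 1 and prints nothing when there is none.
# The DN is split on "/" and each component compared whole, so a CN that only
# starts with the wanted name (mx.toastputer.net.old) is not matched.
ca_serial_for_cn() {
    serial=$(awk -F '\t' -v want="CN=$1" '
        $1 == "V" {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == want) { print $4; exit }
        }' "$2")
    [ -n "$serial" ] || return 1
    echo "$serial"
}

# Print the revocation command from the renewal section with the serial
# filled in. Printing instead of executing keeps this a dry run; paste the
# output into the CA directory once you have checked it.
ca_revoke_command() {
    serial=$(ca_serial_for_cn "$1" "$2") || return 1
    echo "openssl ca -revoke newcerts/$serial.pem -config ./openssl.cnf"
}

# Demo on the constructed index; in the real CA directory pass ./index.txt.
index=$(make_sample_index)
ca_revoke_command mx.toastputer.net "$index"
rm -f "$index"
```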