Setting up Certificate Authority (CA) using OpenSSL

November 18th, 2005

OpenSSL command-line tools offer a lot of functionality. OpenSSL can generate private keys and their corresponding public key certificate requests, can sign those certificate requests, publish certificate revocation lists (CRLs), convert between several encoding formats like DER, PEM, PKCS#12, etc.

In this article I will describe how to use OpenSSL to set up a Certificate Authority (CA), how to generate private keys, generate certificate requests and sign them, using OpenSSL and the command-line on a Fedora Core 4 Linux system.

Configuring OpenSSL

Edit /etc/pki/tls/openssl.cnf and make sure the [ CA_default ] section looks like this:

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be
                                        # commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that.
policy          = policy_match

Creating the Certificate Authority (CA)

This step will create the CA private key and a self-signed certificate (the CA certificate).

The CA certificate will be stored in /etc/pki/CA/cacert.pem, while the CA private key will be stored in /etc/pki/CA/private/cakey.pem:

openssl req -new -x509 -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/private/cakey.pem \
  -out /etc/pki/CA/cacert.pem
chmod 600 /etc/pki/CA/private/cakey.pem

A copy of every signed certificate will be stored into /etc/pki/CA/newcerts, with a name matching the certificate serial number plus the .pem extension:

mkdir /etc/pki/CA/newcerts

The /etc/pki/CA/index.txt file holds a log of every signed certificate:

touch /etc/pki/CA/index.txt

The /etc/pki/CA/serial file holds the next available X.509 serial number:

echo 01 > /etc/pki/CA/serial

Generating a certificate request and its corresponding private key

The following command will generate a random, 1024-bit private RSA key and its corresponding public key will be wrapped into a PEM-encoded certificate. This certificate is still unsigned and will be submitted later to the CA for signing:

openssl req -new -days 365 -newkey rsa:1024 \
  -keyout /etc/pki/CA/sslkey.pem
  -out /etc/pki/CA/sslcert.pem

The private key will get written to /etc/pki/CA/sslkey.pem while the public key, encoded inside an unsigned certificate, will get written to /etc/pki/CA/sslcert.pem.

The -nodes option can be used to avoid using a pass-phrase to protect the private key. This is optional, but some applications are unable to read the private key if it was protected by a pass-phrase, while others like FreeRADIUS can do so with no problems at all.

Signing a certificate

To sign a certificate stored in /etc/pki/CA/sslcert.pem, use the following command:

openssl ca -in /etc/pki/CA/sslcert.pem -out /etc/pki/CA/cert.pem

The resulting signed certificate will get outputted to /etc/pki/CA/cert.pem. Once the certificate has been signed, the unsigned certificate can be safely deleted.

Posted in OpenSSL, Security, X.509 | 12 Comments »

12 Responses to “Setting up Certificate Authority (CA) using OpenSSL”

  1. Chris Hapgood Says:
    January 28th, 2006 at 3:22 AM

    This is a spectacularly well targeted entry for me: I have FC4 and am trying to get a CA working to sign my own certificates for dovecot, apache, etc.

    One minor area for improvment: document the differences between your example config file and the default. Specifically, the base directory and signing algorithm. Why make those changes?

    THanks!

  2. Felipe Alfaro Solana Says:
    January 28th, 2006 at 5:11 AM

    Thanks!

    I guess I will make a diff file to ilustrate the differences between FC4′s default CA configuration file and this post’s one.

    WRT the base directory, I modified it since FC4′s default is a relative path, which causes problems when invoking openssl from a directory other than /etc/pki/tls.

    However, I can’t remember changing the default signing algorithm. Are you sure it is different from FC4′s default value?

  3. Eduardo Diaz Says:
    January 4th, 2007 at 2:10 PM

    Claro y conciso, muy bueno, en pocas líneas me ha aclarado todo el proceso.

    Gracias.

  4. Dennis Underwood Says:
    April 8th, 2007 at 2:43 AM

    Outstanding howto! I used this to create a CA, etc. for openssl on an OpenWRT router. For those looking to do the same thing, change the dir variable to /etc/ssl, and just adjust his directions for the new directory location to work with.

  5. Wenny Wang Says:
    April 26th, 2007 at 10:15 PM

    great document, thanks for sharing

  6. SalimSaay Says:
    March 6th, 2008 at 11:02 AM

    Dear Chris Hapgood,
    this directory that you write here such as “= /etc/pki/CA “, and others is not present here, we three things, inside of ssl. /etc/ssl/private
    /etc/ssl/cert
    /etc/ssl/openssl.conf
    so it needs to create those new directories?
    or we can configure to inside of default directories?

  7. Felipe Alfaro Solana Says:
    May 10th, 2009 at 6:13 PM

    You can also use /etc/ssl instead of /etc/pki/CA but please make sure the private/ directory is properly secured.

  8. Felipe Alfaro Solana Says:
    May 10th, 2009 at 6:13 PM

    You can also use /etc/ssl instead of /etc/pki/CA but please make sure the private/ directory is properly secured.

  9. Maddie Ballestas Says:
    November 25th, 2011 at 8:30 PM

    How long have you been blogging for? you make blogging look easy. The overall look of your website is magnificent, let alone the content! I am not sure where you’re getting your info, but great topic. I needs to spend some time learning more or understanding more.

  10. Kerry Liuzza Says:
    December 21st, 2011 at 6:45 PM

    ANG ABS CBN # 1 PUSO NG PILIPINO SA BUONG MUNDO!!! YUN ANG TOTOO, pero ang ABS CBN HINDI # 1 SA BUONG MUNDO!

  11. Paula Preciado Says:
    December 27th, 2011 at 1:02 PM

    Aw, this was a really nice post. In thought I want to put in writing like this moreover – taking time and actual effort to make a very good article… however what can I say… I procrastinate alot and by no means appear to get something done.

  12. Beverley Birt Says:
    January 9th, 2012 at 12:39 PM

    Nobody can take my joy. I have some of the most incredible fans in the world. Goodnight y’all!

Leave a Reply