Friday, December 24, 2010

How to create Certificate Authority using OpenSSL

A Certificate Authority (CA) signs certificates, so that anyone who trusts the CA's own certificate can verify the authenticity of the certificates it has issued. Start by installing the openssl package:
apt-get install openssl

Create Private Certificate Authority

  1. OpenSSL (version 0.9.8 on this system) is installed under /usr/lib/ssl. The CA.sh helper script lives in /usr/lib/ssl/misc, which is not in the search path, so add it for the current shell session only:
    export PATH=$PATH:/usr/lib/ssl/misc
    
  2. Next, customize the configuration file used for certificate creation (/usr/lib/ssl/openssl.cnf), after making a backup copy. Note that this file is system-wide, so the new defaults apply to every user of OpenSSL on the host. Make the following changes (2048-bit keys instead of the 1024-bit default, and default values for the subject fields so they do not have to be retyped for every certificate):
    ...
    [ req ]
    default_bits    = 2048
    ...
    [ req_distinguished_name ]
    countryName_default             = UA
    stateOrProvinceName_default     = LV
    0.organizationName_default      = XYZ Co
    ...
    
  3. Create a directory to hold the CA (any directory will do; here it is created in the home directory):
    mkdir ~/ca && cd ~/ca
    
  4. Run CA.sh -newca and answer its questions (press Enter when prompted for the CA certificate filename to create a new one). The script creates the demoCA directory tree (private, certs, newcerts, index.txt, serial) under the current directory. The pass phrase protects the CA private key: choose a strong one and do not lose it, since every certificate signed later requires it.
    ldap1:~/ca# CA.sh -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    ............+++
    ........+++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase: **************
    Verifying - Enter PEM pass phrase: **************
    ...
    Country Name (2 letter code) [UA]:
    State or Province Name (full name) [LV]:
    Locality Name (eg, city) []:Lviv
    Organization Name (eg, company) [XYZ Co]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:XYZ Root CA
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/./cakey.pem: *****
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    ...
    Write out database with 1 new entries
    Data Base Updated
    
  5. Restrict access to the CA directory so that only its owner can read the private key:
    chmod -R go-rwx ~/ca
    
The CA certificate is ~/ca/demoCA/cacert.pem; this is the file to distribute to clients that should trust certificates issued by this CA. The CA private key is ~/ca/demoCA/private/cakey.pem and must never leave this machine. Note that CA.sh -newca gives the CA certificate a limited validity period (three years by default in 0.9.8), after which every certificate chained to it stops validating, so record its expiry date.
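The same procedure scripted non-interactively, as an added example that is not part of the original post. It reproduces the demoCA layout and the subject values from the steps above, but writes its own openssl.cnf inside the CA directory instead of editing the system-wide one, and then shows what the CA is for: it signs a server certificate and verifies it against cacert.pem alone. The script name make-ca.sh, the CA_PASS environment variable, the directory argument and the hostname ldap1.example.com are placeholders; it assumes a POSIX sh and an openssl binary in PATH whose command-line options are those of OpenSSL 1.1.1 or 3.x.

```shell
#!/bin/sh
# Non-interactive equivalent of steps 2-5 above (CA.sh -newca), followed by
# signing and verifying a server certificate with the new CA.
# Added example, not from the original post. Assumptions: openssl in PATH,
# the CA pass phrase in $CA_PASS (placeholder), the demoCA layout of CA.sh.
set -eu

# write_ca_config DIR: a private openssl.cnf inside the CA directory, so the
# system-wide /usr/lib/ssl/openssl.cnf (shared by every user) stays untouched.
write_ca_config() {
    cat >"$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1/demoCA
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_server

[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ req ]
default_bits       = 2048
distinguished_name = req_dn

[ req_dn ]
# left empty: subjects are passed on the command line with -subj

# Root CA: may sign certificates and CRLs, nothing else.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Issued server certificates are explicitly not CAs themselves.
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_ca DIR: create the demoCA tree, an encrypted root key and a self-signed cert.
make_ca() {
    dir=$1
    : "${CA_PASS:?CA_PASS must hold the pass phrase for the CA key}"
    umask 077                      # owner-only files, as step 5 does afterwards
    mkdir -p "$dir/demoCA/private" "$dir/demoCA/newcerts"
    : >"$dir/demoCA/index.txt"     # empty issuance database
    echo 01 >"$dir/demoCA/serial"  # first serial number to issue
    write_ca_config "$dir"
    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=UA/ST=LV/L=Lviv/O=XYZ Co/CN=XYZ Root CA" \
        -passout env:CA_PASS \
        -keyout "$dir/demoCA/private/cakey.pem" \
        -out "$dir/demoCA/cacert.pem" 2>/dev/null
}

# ca_cert_is_root CERT: succeed only if CERT is self-signed and marked CA:TRUE.
ca_cert_is_root() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# issue_server_cert DIR FQDN: sign a server certificate with the CA in DIR,
# then verify it the way a client would, trusting nothing but cacert.pem.
issue_server_cert() {
    dir=$1
    name=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/O=XYZ Co/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin env:CA_PASS \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
    openssl verify -CAfile "$dir/demoCA/cacert.pem" "$dir/$name.crt" >/dev/null
}

# Usage: CA_PASS='...' sh make-ca.sh ~/ca ldap1.example.com
if [ $# -eq 2 ]; then
    make_ca "$1"
    issue_server_cert "$1" "$2"
    echo "CA certificate: $1/demoCA/cacert.pem  server cert: $1/$2.crt"
fi
```

Two design points are worth noting. The v3_ca and v3_server sections make the trust boundary explicit: the root may only sign certificates and CRLs, and a leaf it issues is CA:FALSE, so a compromised server key cannot be used to mint further certificates that chain to this root. The umask 077 in make_ca replaces the after-the-fact chmod of step 5: the key is never readable by others, not even briefly, and the umask stays in effect for the rest of the shell, which is intended when the script is sourced.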
