How to create a working CA

We recently had a lab in school, where we had to create a certificate authority using openssl, which includes a index file containing all certificates issued by the CA. More information about the process can be found here.

  1. First create the directory:
    mkdir /CA
    cd /CA
  2. Copy and adopt the openssl.cnf existing on your system.
    cp /etc/ssl/openssl.cnf /CA/openssl.cnf
  3. Change at least the lines as indicated below:
    dir          = /CA
    certificate  = /YOUR-CA.crt # change the filename to something appropriate
    private_key  = /private/YOUR-CA.key # change the filename to something appropriate
    countryName        = match # change to supplied if you want to sign certs for other countries
    stateOrProviceName = match # change to supplied if you want to sign certs for other regions
    organizationName   = match # change to supplied if you want to sign certs for other organizations
  4. Now you need to create some folders and files…
    mkdir private newcerts certs
    touch index.txt
    echo 01 > serial
  5. With the basics in place, you can now create a private key for your CA. Change the filename to the same value you used in the openssl.cnf. If you want you can restrict the permissions on this key, as it should remain secret.
    openssl genrsa -aes256 -out private/YOUR-CA.key 8192
  6. The private key is now used to create the certificate for your CA. This certificate can be distributed, and should be imported into the browsers…
    openssl req -new -x509 -days 3650 -sha512 \
      -config /CA/openssl.cnf \
      -key private/YOUR-CA.key \
      -out YOUR-CA.crt
  7. Don’t forget to change the filenames to the right values. This root CA remains valid for 3650 days (10 years). Now you should have a working CA.

Time to sign some requests!

  1. If you need a certificate, you will first have to create a certificate signing request. The following command will create a private key, so run it on the machine that will use the certificate. If you want to use the certificate for a website, it is important to use the full domain name as CN.
    openssl req -newkey rsa:4096 -sha512 \
      -config /etc/ssl/openssl.cnf \
      -keyout /etc/ssl/private/MY-SITE.key \
      -out MY-SITE.req
  2. This request (MY-SITE.req) should transfered to the CA machine, e.g. via scp. The last step is to sign the request.
    openssl ca -config /CA/openssl.cnf \
      -infiles MY-SITE.req \
      -out MY-SITE.crt
  3. The resulting MY-SITE.crt file is the certificate which can now be used to secure communication with your machine.