fr
enThis is an old revision of the document!
Table of Contents
OpenSSL
OpenSSL is a library and PKI manager under GPL. It's quite basic and light.
Installation
The following packages are required :
- openssl
Public/Private Key mecanism
An asymetric key is a pair of key :
- a public key
- a private key
Keys are complementary, any data encrypted by the private key can be read with the public key, any data encrypted with the public key can only be read with the private key.
The goal of the certificate is to prove the identity of the public key. The Certificate Autority vouch that the public key belong to the given website.
A certificate is signed by the private key of the Certificate Autority, the browser use the public key of the CA to check the validity of the website certificate.
Create a self signed certificate
How to generate a simple self-signed certificate :
Generate the RSA key
Command :
openssl genrsa -out newkey.key 1024
Example :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 Generating RSA private key, 1024 bit long modulus .......................++++++ .............................................++++++ e is 65537 (0x10001) :/etc/ssl/demo# chmod 700 newkey.key :/etc/ssl/demo# l total 4 -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key :/etc/ssl/demo#
Generate a self-signed certificate
Command :
openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
Example :
:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:demo.bouthors.fr Email Address [matthieu@bouthors.fr]: :/etc/ssl/demo#
Create a certificate request
How to generate a certificate request (CSR) :
Genereate the RSA key
Command :
openssl genrsa -out newkey.key 1024
Example :
:/etc/ssl/demo# openssl genrsa -out newkey.key 1024 Generating RSA private key, 1024 bit long modulus .......................++++++ .............................................++++++ e is 65537 (0x10001) :/etc/ssl/demo# chmod 700 newkey.key :/etc/ssl/demo# l total 4 -rwx------ 1 root root 891 2007-12-09 22:05 newkey.key :/etc/ssl/demo#
Generate the certificate request
Command :
openssl req -new -key newkey.key -out newcsr.csr
Example :
:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:demo.bouthors.fr Email Address [matthieu@bouthors.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: :/etc/ssl/demo#
Sign a certificate with a second one
How to sign a certificate with a CA.
This method doesn't allow to manage a Certificate Revocation List (CRL)
Command :
openssl x509 -req -days 3653 -in newcsr.csr -CA cacrt.crt -CAkey cakey.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Example :
:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Signature ok
subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Getting CA Private Key
:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c7:0f:53:50:1c:e4:e8:e7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=Demo Root CA/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:48:28 2007 GMT
Not After : Dec 9 21:48:28 2017 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
2c:ee:02:25:47:39:17:9b:57
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
86:f4:ec:01:68:54:c7:da:cb:d5:4b:2c:7d:53:90:06:a0:5c:
24:00:cf:54:01:49:3d:6d:28:2a:7c:6e:77:99:2c:74:50:a6:
a4:68:0e:ff:0b:1e:8c:8a:58:99:64:7a:06:f6:95:49:31:7d:
cf:3d:a2:e2:71:f1:a1:32:05:d0:63:9a:7f:d0:6b:43:85:00:
6e:74:2e:ae:2d:da:47:8b:fc:b4:ec:4e:df:ae:99:e4:c2:35:
9c:d3:fd:6a:8c:c3:32:7d:be:34:f7:3d:2b:94:04:1c:ff:c7:
d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88:
25:43
:/etc/ssl/demo#
View a certificate
Some useful commands to view details about certificates.
View details of a certifiate
Command :
# openssl x509 -in cert.crt -text -noout
Example :
:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9e:54:95:05:59:64:4d:48
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:07:01 2007 GMT
Not After : Dec 8 21:07:01 2008 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
2c:ee:02:25:47:39:17:9b:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
X509v3 Authority Key Identifier:
keyid:C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
DirName:/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
serial:9E:54:95:05:59:64:4D:48
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
3b:3c:80:22:e7:87:e4:25:2a:32:f1:1c:18:5a:67:60:f4:fa:
7a:83:d1:6a:5a:41:6d:64:18:7d:5c:5b:69:a1:72:c4:c3:b0:
8f:b0:ab:c0:a1:07:98:a1:1f:b2:da:fd:63:3b:07:2f:de:58:
17:01:f9:5d:a8:f8:56:b9:3a:e9:92:32:2f:94:be:e7:46:09:
b2:9e:80:e8:e6:0e:35:d7:74:73:c5:f0:a9:80:8c:30:26:40:
d4:f1:53:4f:68:5c:d0:0c:37:a5:d8:79:07:04:a5:09:9d:61:
54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6:
c3:9d
:/etc/ssl/demo#
View details of a certificate request (CSR)
Command :
openssl req -in newcsr.csr -text -noout
Example :
:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=www.bouthors.fr/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f2:e6:e0:5c:20:76:ab:45:34:a0:46:64:9e:26:
9a:d6:f7:a0:9a:c4:37:dc:7a:88:4d:22:b4:f6:7c:
4f:43:21:8a:91:7d:ec:46:af:2b:58:28:2f:e5:ce:
90:12:c1:ed:39:31:07:0f:8e:0f:40:27:43:05:6b:
05:d8:1a:41:fe:a1:c3:2f:0d:42:5c:26:b6:00:b2:
60:87:98:b9:cd:e2:5e:4a:ad:ab:db:ed:ec:92:4c:
21:29:08:a5:c4:83:85:bf:a0:c6:97:a4:37:97:0c:
ce:1a:ed:7b:62:3b:84:6d:3f:81:da:d8:1f:62:ab:
94:60:74:ee:55:98:49:31:3f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
96:92:07:7c:88:f0:39:c6:2c:67:df:43:80:fa:22:5e:76:85:
84:c6:54:e4:7c:53:f1:ea:a9:98:1d:e0:13:45:83:0c:73:c9:
81:ad:96:69:da:ef:e5:c4:c6:79:45:5d:1e:85:7e:5f:29:4a:
f0:92:ce:4e:6b:71:65:41:23:83:23:44:27:ed:5e:b2:4c:14:
43:ff:86:6e:68:9d:29:66:fd:7a:d1:46:9f:73:64:37:6d:f4:
83:ff:f2:00:45:dc:b1:54:7d:7c:64:3f:0b:6a:96:64:a2:e0:
9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f:
f8:b5
:/etc/ssl/ca_bouthors.fr/csr#
Create a mini Certificate Autority (CA)
We will now create a CA to sign some certificates. This CA will be stored into /etc/ssl/ca_bouthors.fr/
The command openssl ca allows to manage a CA.
Modify the configuration file
Before starting, we need to configure the openssl config file because all parameters aren't available on the command line. The simpliest way is to create a new section inside /etc/ssl/openssl.cnf and to modify it.
Some custom parameters :
- CA folder
dir = /etc/ssl/ca_bouthors.fr
- duration of each certificate
default_days = 3653
- how many days the crl is valid
default_crl_days= 365
- some default parameters for certificate generation
countryName_default = FR stateOrProvinceName_default = France 0.organizationName_default = Matthieu Bouthors emailAddress_default = matthieu@bouthors.fr
- CRL extensions :
nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
####################################################################
[ CA_BOUTHORS.FR ]
dir = /etc/ssl/ca_bouthors.fr # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3653 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = France
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Matthieu Bouthors
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = matthieu@bouthors.fr
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
nsCaRevocationUrl = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
crlDistributionPoints = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Don't forge to change the default config :
default_ca = CA_BOUTHORS.FR # The default ca section
Create the folders
:/etc/ssl# mkdir ca_bouthors.fr :/etc/ssl# cd ca_bouthors.fr :/etc/ssl/ca_bouthors.fr# mkdir certs :/etc/ssl/ca_bouthors.fr# mkdir crl :/etc/ssl/ca_bouthors.fr# touch index.txt :/etc/ssl/ca_bouthors.fr# mkdir newcerts :/etc/ssl/ca_bouthors.fr# echo "01" > serial :/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber :/etc/ssl/ca_bouthors.fr# mkdir private :/etc/ssl/ca_bouthors.fr# chmod 700 private/ :/etc/ssl/ca_bouthors.fr# l total 24 drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs drwxr-xr-x 2 root root 4096 2007-12-09 21:55 crl -rw-r--r-- 1 root root 3 2007-12-09 21:55 crlnumber -rw-r--r-- 1 root root 0 2007-12-09 21:55 index.txt drwxr-xr-x 2 root root 4096 2007-12-09 21:55 newcerts drwx------ 2 root root 4096 2007-12-09 21:55 private -rw-r--r-- 1 root root 3 2007-12-09 21:55 serial :/etc/ssl/ca_bouthors.fr#
Create the CA
Generate a self signed ceritificate, as explained here : Create a self signed certificate
:/etc/ssl/ca_bouthors.fr# cd private/
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
.......................................................++++++
........++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:bouthors.fr Root CA
Common Name (eg, YOUR name) []:
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
92:56:59:7f:4d:35:2a:0d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Validity
Not Before: Dec 9 21:00:35 2007 GMT
Not After : Dec 9 21:00:35 2017 GMT
Subject: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b2:15:0c:cf:c9:ff:f1:a2:5c:39:83:49:db:9d:
1a:86:c3:38:cb:d9:c6:f4:3d:7d:ae:bf:cc:11:f7:
3f:b3:f2:e6:cf:1d:aa:b1:0d:5f:3a:f7:51:d5:77:
43:75:9f:65:1d:86:7d:de:0b:c9:39:77:37:60:14:
85:43:ec:b3:4f:35:eb:24:97:02:68:08:89:26:8d:
35:c0:bd:b4:cb:12:de:4e:74:8f:17:c6:31:27:aa:
ff:9e:eb:a7:80:3f:8f:f6:99:f4:08:06:a2:2f:81:
7d:03:bd:cd:37:0f:c4:d7:5f:87:f7:b1:8e:90:ee:
f2:92:ae:bf:79:3a:b1:c5:31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
X509v3 Authority Key Identifier:
keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
DirName:/C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
serial:92:56:59:7F:4D:35:2A:0D
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
2d:05:0f:7c:9a:74:e6:0e:e1:77:71:76:8b:9a:81:7c:44:58:
78:fd:76:3f:c4:cb:39:08:f9:d8:9e:b7:43:b4:64:91:9f:b0:
27:1e:b4:5f:69:67:2d:60:11:18:14:52:27:d4:96:e5:cb:ab:
ef:7c:5f:ca:6f:e9:ba:b5:f1:e3:b8:52:37:ec:48:51:92:ca:
d7:e0:6b:ee:45:c2:56:e1:49:04:d4:77:45:fa:45:af:b8:c8:
44:ee:b5:e6:a0:17:ed:8c:32:aa:ea:b1:93:31:e6:fa:6e:55:
a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74:
ba:6a
:/etc/ssl/ca_bouthors.fr#
Generate a new CSR
As explained here :Generate the certificate request.
Example :
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out www.bouthors.fr.key 1024 Generating RSA private key, 1024 bit long modulus ..................++++++ ......++++++ e is 65537 (0x10001) :/etc/ssl/ca_bouthors.fr/private# cd .. :/etc/ssl/ca_bouthors.fr# mkdir csr :/etc/ssl/ca_bouthors.fr# cd csr/ :/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [France]: Locality Name (eg, city) []: Organization Name (eg, company) [Matthieu Bouthors]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:www.bouthors.fr Email Address [matthieu@bouthors.fr]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: :/etc/ssl/ca_bouthors.fr/csr#
Sign the CSR with the CA
Command :
openssl ca -in newcsr.csr -out newcert.pem
Example :
:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 9 21:18:59 2007 GMT
Not After : Dec 9 21:18:59 2017 GMT
Subject:
countryName = FR
stateOrProvinceName = France
organizationName = Matthieu Bouthors
commonName = www.bouthors.fr
emailAddress = matthieu@bouthors.fr
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:7D:88:57:81:55:42:29:EB:A9:B6:21:D0:95:9F:E6:A8:71:F0:AC
X509v3 Authority Key Identifier:
keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
Netscape CA Revocation Url:
http://www.bouthors.fr/ca/ca_bouthors.fr.crl
X509v3 CRL Distribution Points:
URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
X509v3 Issuer Alternative Name:
URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Certificate is to be certified until Dec 9 21:18:59 2017 GMT (3653 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
:/etc/ssl/ca_bouthors.fr#
Generate the CRL
Commanda :
openssl ca -gencrl -out crl.pem
Example :
:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Last Update: Dec 9 21:21:10 2007 GMT
Next Update: Jan 8 21:21:10 2008 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
57:a6:92:1d:39:18:83:4e:da:44:93:fd:73:c3:1c:ab:15:a1:
8b:a4:d0:4d:71:69:cc:9d:b5:84:47:48:c1:f7:75:f5:dd:ee:
20:1b:90:9f:3a:99:56:a1:6e:04:0f:b7:4f:49:c3:e3:20:77:
db:8b:da:a6:df:0e:42:6d:e9:a5:b6:80:63:ed:f7:64:18:40:
43:59:58:68:c5:83:9b:2d:db:e2:ab:eb:74:09:8c:89:15:c5:
31:95:4d:d9:73:d8:d2:3d:f1:b1:25:85:46:9b:3c:c9:35:fd:
f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac:
62:5a
:/etc/ssl/ca_bouthors.fr#
Revoke a certificate
To revoke a certificate, you need to know his serial number. By default, openssl store certificates inside /newcerts.
Command :
openssl ca -revoke newcerts/XX.pem
Example :
:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem Using configuration from /usr/lib/ssl/openssl.cnf Revoking Certificate 01. Data Base Updated :/etc/ssl/ca_bouthors.fr#
Then you need to generate the CRL like this :
ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
Last Update: Dec 9 21:36:34 2007 GMT
Next Update: Jan 8 21:36:34 2008 GMT
CRL extensions:
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 01
Revocation Date: Dec 9 21:36:12 2007 GMT
Signature Algorithm: sha1WithRSAEncryption
15:78:28:8f:da:96:27:40:82:4c:8a:9c:7f:ab:d3:7b:bb:b9:
18:25:e2:d1:6d:17:5f:fd:73:a3:0e:8f:3f:ee:9e:4b:38:3a:
a4:46:be:79:33:37:8a:e7:96:e0:3a:1e:30:27:a2:9d:bb:43:
d5:2c:0b:80:ed:68:39:36:f5:65:7c:f6:7d:8d:89:f0:2a:df:
c6:34:a3:b9:17:ab:39:de:24:8e:5e:8f:49:a1:a5:78:b5:a5:
55:69:33:69:b5:e8:87:6d:21:82:2f:7a:b1:80:48:db:62:77:
c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7:
99:64
:/etc/ssl/ca_bouthors.fr#
Publish the CA and the CRL
You should not forget to copy the CA certificate and the CRL on the web server, in our example :
- the root CA is at the address http://www.bouthors.fr/ca/ca_bouthors.fr.crt
- the CRL is at the address http://www.bouthors.fr/ca/ca_bouthors.fr.crl
:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl :/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt
Schedule the CRL generation
To regenerate automaticaly, you can use a small script inside /etc/cron.weekly/crlopenssl :
#!/bin/sh /usr/bin/openssl ca -gencrl -out /etc/ssl/ca_bouthors.fr/crl.pem cp /etc/ssl/ca_bouthors.fr/crl.pem /var/http/ca/ca_bouthors.fr.crl
Backup
- /etc/ssl/openssl.cnf
- /etc/ssl/ca_mbo
- /etc/cron.weekly/crlopenssl
- /var/http/ca
Links
