My NetBSD Certificate Authority (CA) with OpenSSL
I created a private certificate authority with OpenSSL on NetBSD to use in my personal LAN. The certificates are used to authenticate servers in SSL/TLS mode and also to remotely connect to my LAN using VPN.
Environment
I’m using NetBSD 5.1/amd64 and OpenSSL 0.9.9.
Create the directory to host the CA:
# cd /etc/openssl
# cp -p /usr/share/examples/openssl/CA.pl .
# cp -p /usr/share/examples/openssl/openssl.cnf .
# chmod 755 CA.pl
# chmod 644 openssl.cnf
Install Perl (lang/perl5) to be able to use CA.pl.
I chose CA.pl over CA.sh because the latter does not provide a way to create unprotected certificates (certificates without a “PEM pass phrase”).
Customize the CA.pl file:
--- /usr/share/examples/openssl/CA.pl 2010-11-06 14:07:36.000000000 +0100
+++ /etc/openssl/CA.pl 2010-11-16 15:35:21.000000000 +0100
@@ -46,6 +46,6 @@
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365"; # 1 year
-$CADAYS="-days 1095"; # 3 years
+$DAYS="-days 3650"; # 10 year
+$CADAYS="-days 3650"; # 10 years
$REQ="$openssl req $SSLEAY_CONFIG";
$CA="$openssl ca $SSLEAY_CONFIG";
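Review bot: the comment on the new $DAYS line reads `# 10 year`; make it `# 10 years` to match the $CADAYS line. More substantively, $DAYS sets the validity of every server certificate that CA.pl -sign issues, so with `-days 3650` a leaked server key remains usable for up to ten years unless the certificate is revoked and clients actually consult the CRL; consider leaving $DAYS at its original 365 (or another short value) and reserving 3650 for $CADAYS only.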
@@ -54,5 +54,5 @@
$PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+$CATOP="/etc/openssl/TMFCA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
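Review bot: $CATOP is the tree that -newca creates, while -sign runs `openssl ca`, which takes its own `dir` from openssl.cnf; the two must name the same directory (/etc/openssl/TMFCA here) or signing will look for index.txt and serial somewhere other than where -newca created them. The openssl.cnf change in this post does keep them in sync; note it as a requirement so a later edit to one file does not silently break the other.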
Customize the openssl.cnf file:
--- /usr/share/examples/openssl/openssl.cnf 2010-11-06 14:07:36.000000000 +0100
+++ openssl.cnf 2010-11-16 13:12:49.000000000 +0100
@@ -40,5 +40,5 @@
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/openssl/TMFCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
@@ -71,5 +71,5 @@
# crl_extensions = crl_ext
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
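Review bot: `default_days = 3650` matches $DAYS in CA.pl, but `default_crl_days= 30` is left unchanged, so any CRL produced with `openssl ca -gencrl` expires after 30 days. With ten-year certificates that means a fresh CRL has to be generated and published every month for revocation to keep working on clients that check it; either raise default_crl_days deliberately or document the monthly regeneration.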
@@ -128,15 +128,16 @@
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = FR
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Paris
localityName = Locality Name (eg, city)
+localityName_default = Paris
0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = TuM'Fatig
# we can do this but it is not needed normally :-)
@@ -145,5 +146,5 @@
organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
+organizationalUnitName_default = TMF Secure Certificate Authority
commonName = Common Name (eg, YOUR name)
@@ -152,4 +153,5 @@
emailAddress = Email Address
emailAddress_max = 64
+emailAddress_default = jdoe@tumfatig.local
# SET-ex3 = SET extension number 3
@@ -329,5 +331,5 @@
# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
+dir = /etc/openssl/TMFCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
Certificate Authority initialization
# /etc/openssl/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
......++++++
writing new private key to '/etc/openssl/TMFCA/private/./cakey.pem'
(...)
You are about to be asked to enter information that will be incorporated
into your certificate request.
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ca.tumfatig.local
Email Address [jdoe@tumfatig.local]:
(...)
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/TMFCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 16 12:32:08 2010 GMT
Not After : Nov 13 12:32:08 2020 GMT
Subject:
countryName = FR
stateOrProvinceName = Paris
organizationName = TuMFatig
organizationalUnitName = TMF Secure Certificate Authority
commonName = ca.tumfatig.local
emailAddress = jdoe@tumfatig.local
X509v3 extensions:
(...)
Certificate is to be certified until Nov 13 12:32:08 2020 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
The file /etc/openssl/TMFCA/cacert.pem is the one that has to be deployed to, and/or made accessible from, the clients that need to trust the certificates generated with my CA.
Server certificate creation
The certificate's private key will not be PEM pass-phrase protected, so that the service can start without a human having to enter a pass phrase.
Create the certificate request:
# /etc/openssl/CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
............++++++
.............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ldap.tumfatig.local
Email Address [jdoe@tumfatig.local]:
(...)
Request is in newreq.pem, private key is in newkey.pem
Then sign it:
# /etc/openssl/CA.pl -sign
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
(...)
Certificate is to be certified until Nov 13 14:59:38 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Install the certificate in the CA repository:
# mv newcert.pem /etc/openssl/TMFCA/certs/ldap.tumfatig.local.crt
# mv newkey.pem /etc/openssl/TMFCA/private/ldap.tumfatig.local.key
Install the certificate on the server side:
# cp -p /etc/openssl/TMFCA/certs/ldap.tumfatig.local.crt /etc/openssl/certs/
# cp -p /etc/openssl/TMFCA/private/ldap.tumfatig.local.key /etc/openssl/private/
# cp -p /etc/openssl/TMFCA/cacert.pem /etc/openssl/certs/
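As an added example that is not part of the original post: the same three steps as CA.pl -newca, -newreq-nodes and -sign, done with plain openssl(1) commands in a scratch directory, followed by the checks worth running before the files are copied into /etc/openssl: that the server certificate verifies against cacert.pem, that the key and certificate belong together, that the server key really is unencrypted while the CA key is pass-phrase protected, and that the certificate is not close to expiry. It uses openssl x509 -req instead of CA.pl's openssl ca, so no index.txt/serial database is needed; it generates 2048-bit keys where the post's output shows 1024-bit ones; and the CA pass phrase (ca-secret), the subjects and the ldap.* file names are constructed to mirror the post, not taken from the author's setup.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA and a server
# certificate the way CA.pl -newca / -newreq-nodes / -sign does, then check the
# result before deploying it. Uses `openssl x509 -req` rather than CA.pl's
# `openssl ca`, so no index.txt/serial database is needed. All names, subjects
# and the CA pass phrase below are constructed for the example.
set -eu

CA_PASS="pass:ca-secret"   # constructed; CA.pl prompts for this interactively

# pki_setup DIR: create cacert.pem/cakey.pem (pass-phrase protected, like -newca)
# and ldap.key/ldap.csr/ldap.crt (unencrypted key, like -newreq-nodes + -sign).
pki_setup() {
    mkdir -p "$1"
    # CA certificate: self-signed, 10 years, as $CADAYS="-days 3650" in CA.pl.
    openssl req -x509 -newkey rsa:2048 -days 3650 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -passout "$CA_PASS" \
        -subj "/C=FR/ST=Paris/L=Paris/O=TuMFatig/OU=TMF Secure Certificate Authority/CN=ca.tumfatig.local" \
        >/dev/null 2>&1
    # Server key + request: -nodes leaves the key unencrypted so the service can
    # start without a pass phrase prompt (this is what -newreq-nodes means).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/ldap.key" -out "$1/ldap.csr" \
        -subj "/C=FR/ST=Paris/L=Paris/O=TuMFatig/CN=ldap.tumfatig.local" \
        >/dev/null 2>&1
    # An unencrypted key is protected only by file permissions.
    chmod 600 "$1/ldap.key" "$1/cakey.pem"
    # Sign the request with the CA, as CA.pl -sign does with $DAYS="-days 3650".
    openssl x509 -req -in "$1/ldap.csr" -days 3650 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -passin "$CA_PASS" \
        -CAcreateserial -out "$1/ldap.crt" >/dev/null 2>&1
}

# pki_verify_chain DIR: succeeds only if ldap.crt chains to cacert.pem, i.e. the
# check a client that trusts cacert.pem will perform.
pki_verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/ldap.crt" >/dev/null 2>&1
}

# pki_key_matches DIR: succeeds only if ldap.key is the private half of ldap.crt
# (catches a key/certificate mix-up when files are moved around by hand).
pki_key_matches() {
    cert_pub=$(openssl x509 -in "$1/ldap.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/ldap.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# pki_key_is_encrypted FILE: succeeds if the PEM key carries an ENCRYPTED marker
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
pki_key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# pki_subject_cn FILE: print the CN of a certificate's subject (CN is the last
# component in the subjects used here, so everything up to "CN=" is dropped).
pki_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# pki_valid_for FILE DAYS: succeeds if the certificate is still valid DAYS from now.
pki_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: build everything in a temporary directory and report.
demo=$(mktemp -d)
pki_setup "$demo"
pki_verify_chain "$demo"               && echo "chain:      ldap.crt verifies against cacert.pem"
pki_key_matches "$demo"                && echo "key/cert:   ldap.key matches ldap.crt"
pki_key_is_encrypted "$demo/cakey.pem" && echo "CA key:     pass-phrase protected"
pki_key_is_encrypted "$demo/ldap.key"  || echo "server key: unencrypted (as -newreq-nodes intends)"
echo "server CN:  $(pki_subject_cn "$demo/ldap.crt")"
pki_valid_for "$demo/ldap.crt" 30      && echo "validity:   more than 30 days left"
rm -rf "$demo"
```

The same check functions can be pointed at the real files after the mv and cp steps above (cacert.pem plus the .crt/.key pair) to confirm that what landed in /etc/openssl/certs and /etc/openssl/private is a matching, CA-signed pair before the service is restarted.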
Additional notes
To view a certificate content, just issue:
# openssl x509 -in newcert.pem -noout -text