Академический Документы
Профессиональный Документы
Культура Документы
First of all we will create a directory tree where all certificate stuff will be kept. If you are
first time user for Linux platform you will be able to study basic Linux command to do the
this.
I have started my project by assuming that you are familiar with Linux based operating
system and basic Linux commands.
Therefor, my first step is just creating the necessary directory structure to keep all our
certificate stuff. Before that we have to open terminal and change the current working
directory into Desktop to see our directory.
elsi@kali:~$ cd Desktop
elsi@kali:~/Desktop$
Change to myCA
elsi@kali:~/Desktop$ cd myCA
elsi@kali:~/Desktop/myCA$ ls -l
total 16
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 certs
1
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 crl
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 newcerts
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 private
We are going to copy the default openssl configuration file (openssl.cnf) to our CAs
directory. In Linux /Ubuntu distribution, this file exists in /etc/ssl/. So, we copy it to our
CAs directory and name it openssl.my.cnf.
elsi@kali:~/Desktop/CA/myCA$ cp /etc/ssl/openssl.cnf
/home/elsi/Desktop/CA/myCA/openssl.my.cnf
the directory /home/elsi/ is the users of our system and /home/elsi/Desktop/ directory is
the location where our CAs files will be stored. This may be different in your computer,
here is my user-name and my CAs directory. Normally I have created to the users Desktop
to easily identify where my CAs directory is located. But you may be create your own CAs
into different directory. So, be careful when you are creating your CAs. Dont copy this
directly. If you have little bit knowledge about Linux command that is better.
We also need to create two other files. This file serves as a database for openssl:
2
The following file contains the next certificates serial number. Since we have not created
any certificates yet, we set it to "01":
[ CA_default ]
# Directory and file locations.
dir = /myCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
[ policy_strict ]
3
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Options from the [ req ] section are applied when creating certificates or certificate signing
requests.
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = ET
stateOrProvinceName = Ethiopia
localityName = Ambo
0.organizationName = Ambo University
organizationalUnitName = Public Institute
commonName = AU
emailAddress = dtechane6@gmail.com
The next section, we will create the root certificate. First we have to generate both private
key using aes256 and along with 4096 key size.
4
elsi@kali:~/Desktop/CA/myCA$ openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..................++
...........++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
Now we have done the root certificate. The next step is create the intermediate
certificate.
5
Create the intermediate certificate
An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of
the root CA. The root CA signs the intermediate certificate, forming a chain of trust.
The purpose of using an intermediate CA is primarily for security. The root key can be kept
offline and used as infrequently as possible. If the intermediate key is compromised, the root
CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.
We have to create directory inside myCA , name it as intermediate and then change
our current working directory to intermediate.
we have to Create the same directory structure used for the root CA files. Its convenient to
also create a csr directory to hold certificate signing requests.
we will add a crlnumber file to the intermediate CA directory tree. crlnumber is used to
keep track of certificate revocation lists.
[ CA_default ]
dir = /myCA/intermediate
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
policy = policy_loose
6
elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl genrsa -aes256 \
> -out private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................++
...........................................++
e is 65537 (0x10001)
Enter pass phrase for private/intermediate.key.pem:
Verifying - Enter pass phrase for private/intermediate.key.pem:
To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension
to sign the intermediate CSR. The intermediate certificate should be valid for a shorter
period than the root certificate. Ten years would be reasonable.
7
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 30 15:23:27 2017 GMT
Not After : Jan 28 15:23:27 2027 GMT
Subject:
countryName = ET
stateOrProvinceName = Ethiopia
organizationName = Ambo University
organizationalUnitName = Goverment University
commonName = AU intermediate authority
X509v3 extensions:
X509v3 Subject Key Identifier:
56:86:AB:B0:A4:77:66:A1:96:AE:24:83:FF:46:97:4E:47:61:A2:8F
X509v3 Authority Key Identifier:
keyid:53:CA:51:90:79:9F:6D:FA:65:3C:B9:40:4F:C6:C4:2F:78:3C:80:64
8
elsi@kali:~/Desktop/CA/myCA$ cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
If youre creating a cryptographic pair for use with a web server (eg, Apache webserevr),
youll need to enter this password every time you restart the web server. You may want to
omit the -aes256 option to create a key without a password.
Create a certificate
Use the private key to create a certificate signing request (CSR). The CSR details dont need to
match the intermediate CA. For server certificates, the Common Name must be a fully qualified
domain name (eg, www.ambou.edu.et), whereas for client certificates it can be any unique
identifier (eg, an e-mail address). Note that the Common Name cannot be the same as either your
root or intermediate certificate.
9
AU []:www.ambou.edu.et
dtechane6@gmail.com []:
To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used
on a server, use the server_cert extension. If the certificate is going to be used for user
authentication, use the usr_cert extension. Certificates are usually given a validity of one year,
though a CA will typically give a few days extra for convenience.
elsi@kali:~/Desktop/CA/myCA$ cd intermediate
elsi@kali:~/Desktop/CA/myCA/intermediate$
keyid:56:86:AB:B0:A4:77:66:A1:96:AE:24:83:FF:46:97:4E:47:61:A2:8F
DirName:/C=ET/ST=Ethiopia/L=Ambo, Oromia/O=Ambo University/CN=AU
Certificate Authority
serial:01
10
Write out database with 1 new entries
Data Base Updated
Here the Issuer is the intermediate CA. The Subject refers to the certificate itself.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=ET, ST=Ethiopia, O=Ambo University, OU=Goverment University,
CN=AU intermediate authority
Validity
Not Before: Jan 30 16:03:13 2017 GMT
Not After : Feb 9 16:03:13 2018 GMT
Subject: C=ET, ST=Ethiopia, O=Ambo University, CN=www.ambou.edu.et
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Use the CA certificate chain file we created earlier (ca-chain.cert.pem) to verify that the new
certificate has a valid chain of trust.
11