OpenSSL Certificate Authority

From Sfvlug

To generate a private key, you don't need a config file. Just execute the following.

openssl genrsa -out example.key 1024

You may not wish to be prompted for a passphrase, because then you will have to enter the passphrase every time you use the resulting key (like restarting httpd). In this case, indlude the -nodes flag before the number of bits.

Set up the directory to hold the Certificate Authority. $CA_ROOT can be something like /opt/ca.

mkdir -m 0700 -p $CA_ROOT/{certs,crl,csr,private}
touch $CA_ROOT/index.txt
echo 01 > $CA_ROOT/serial

Here is a functional openssl.cnf for a Certificate Authority.

[ ca ]
default_ca		= rootca

[ rootca ]
dir			= /opt/ca
certificate		= $dir/private/ca.crt
private_key		= $dir/private/ca.key
database		= $dir/index.txt
serial			= $dir/serial
new_certs_dir		= $dir/certs

default_crl_days	= 7
default_days		= 365
default_md		= md5
crlDistributionPoints   = URI:

policy			= rootca_policy
x509_extensions		= certificate_extensions

copy_extensions		= copy

[ rootca_policy ]
commonName		= supplied
organizationName	= supplied
organizationalUnitName	= optional
countryName		= supplied
stateOrProvinceName	= supplied
localityName		= supplied
emailAddress		= supplied

[ certificate_extensions ]
basicConstraints	= CA:false

[ req ]
default_bits		= 4096
default_keyfile		= /opt/ca/private/ca.key
default_md		= md5

prompt			= no
distinguished_name	= root_ca_distinguished_name
x509_extensions		= root_ca_extensions

[ root_ca_distinguished_name ]
commonName		= Example Corp., Inc.
organizationName	= Certificate Authority
countryName		= US
stateOrProvinceName	= California
localityName		= Los Angeles
emailAddress		=

[ root_ca_extensions ]
basicConstraints	= CA:true

To generate the CA Certificate, you can either generate the private key at the same time or ahead of time using the instructions above. If the private key is already generated, use the following:

openssl req -x509 -config openssl.cnf -key ca.key -out ca.crt

Or to generate the key at the same time use:

openssl req -x509 -config openssl.cnf -newkey rsa:1024 -keyout ca.key -out ca.crt

And if you just want to generate a self-signed key for use on a web server or similar, make sure basicConstraints is set to CA:false. You can do this by the setting for X.509 extensions in the req section of the conf file. Either point x509_extensions at the certificate_extensions section where CA is false, or change basicConstraints under the root_ca_extensions to CA:false.

The above should be maintained on the host where the CA resides. It is best to make a new config file for every key pair you need to generate. Create the key on the host where the service it will be used with is running, in a directory related to the service. For example, make a new config file to generate a key and csr for a web server on that web server host, in a directory associated with the web server's configuration, such as /etc/httpd/ssl or similar. The logic behind this is that you want to minimize any risk associated with exposing the private key to the network. Therefore, generate the private key followed by the csr on the server where it will be used. Here is an openssl.cnf for creating a Request with Subject Alternative Names.

#oid_section			= new_oids
#[ new_oids ]
## RFC 3920 section 5.1.1 defines this OID
#xmppAddr   	   	 	=

[ req ]
default_bits			= 4096
default_keyfile			= san-example.key
distinguished_name		= distinguished_name
req_extensions			= v3_extensions
x509_extensions			= v3_extensions

# don't ask about the DN
prompt				= no

[ distinguished_name ]
countryName			= US
stateOrProvinceName		= California
localityName			= Los Angeles
organizationName		= Example Corp., Inc.
commonName			=
emailAddress			=

[ v3_extensions ]
# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
basicConstraints		= CA:FALSE
keyUsage			= digitalSignature,keyEncipherment
subjectAltName			= @subject_alternative_name

[ subject_alternative_name ]
email.0				=
DNS.1				=
URI.2				= URI:
IP.3				=
IP.4				= fe80::1

To generate the Certificate Signing Request, use the following command.

openssl req -nodes -config ./openssl.cnf -newkey rsa:4096 -keyout new.key -out new.csr

The above command generates the private key and the request at the same time. If you have already generated the key, replace -newkey with -key. If you want the private key to be password protected, drop the -nodes flag.

Once the request is generated, it can be signed by the CA. Use the following command to do so.

openssl ca -config /opt/ca/openssl.cnf -in new.csr

You can add -days NUM to change the default expiration of the generated certificate. This will dump the certificate to stdout, and save it as a file in the directory specified as new_cert_dir, named SERIAL.pem, where the next SERIAL is specified in the serial file. Basically, it will be the largest number in the directory. Send this back to the system that is making the request.

You should be aware that Keys are private and that Requests (unsigned) and Certificates (signed) are pubic, so it is ok to copy the *.csr and *.crt over the network in the clear, but never send the *.key out.

You can read the data in the request and the certificate, to make sure they were generated correctly or help you identify them. To read the request, use the following:

openssl req -text -in new.csr

And to read the certificate, the syntax is nearly identical:

openssl x509 -text -in new.crt


Personal tools