On Wed, 24 Jan 2018, Danny Horne wrote:
On 22/01/2018 3:52 pm, Viktor Dukhovni wrote:
On Jan 22, 2018, at 10:06 AM, Danny Horne <da...@trisect.uk> wrote:
Private CA sounds interesting, will have to read up about it
You can get away with a lot less complexity than the usual OpenSSL CA.
See, for example:
https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
which creates certificates via "openssl x509 -req" without all the overhead of
a stateful CA. What you'd do differently is password-protect the CA key, and
perhaps issue certificates with a somewhat shorter lifetime than the 100 years
in that script.
I'll stick with what I have for now. Read up about creating a private
CA and it went over my head, I also couldn't figure out what input that
script needed from me
It's not sooo complicated:
Short guide for UNIXoid systems:
Create a directory and in there a directory "data"
create 2 files:
--- ca.config
[ ca ]
default_ca= CA_own
[ CA_own ]
dir= .
certs= ./data
new_certs_dir= ./ca.db.certs
database= ./ca.db.index
serial= ./ca.db.serial
RANDFILE= ./ca.db.rand
certificate= ./data/ca.pem
private_key= ./data/ca.key
default_days= 3653
default_crl_days= 30
default_md= sha512
preserve= no
policy= policy_anything
[ policy_anything ]
countryName= optional
stateOrProvinceName= optional
localityName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
--- end
--- ca3.config
[ ca ]
default_ca= CA_own
[ CA_own ]
dir= .
certs= ./data
new_certs_dir= ./ca.db.certs
database= ./ca.db.index
serial= ./ca.db.serial
RANDFILE= ./ca.db.rand
certificate= ./data/ca.pem
private_key= ./data/ca.key
default_days= 3653
default_crl_days= 30
default_md= sha512
preserve= no
policy= policy_anything
x509_extensions = v3_req
[ policy_anything ]
countryName= optional
stateOrProvinceName= optional
localityName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
[ v3_req ]
subjectAltName=$ENV::SUBJALTNAME
--- end
Then:
1) Create a new CA (only once - it is a good idea to add a date in name, in
case you have to change it later):
openssl req -new -x509 -nodes -subj
'/C=DE/ST=Germany/L=Berlin/O=Company/CN=Company Root Certificate
2018/emailAddress=c...@companyemail.de' -newkey rsa:4096 -sha512 -keyout
data/ca.key -out data/ca.pem -extensions v3_ca -days 3653
echo -n "01" >ca.db.serial
mkdir ca.db.certs
touch ca.db.index
2) Create a new key
openssl req -nodes -days 3653 -subj
'/C=DE/ST=Germany/L=Berlin/O=Company/CN=test.companyemail.de/emailAddress=c...@companyemail.de'
-newkey rsa:4096 -sha512 -keyout key.key -out key.csr
3) To sign a csr
openssl ca -config ca.config -out key.pem -infiles key.csr
4) To sign a csr with more than one name [altname] (must contain original
name!):
SUBJALTNAME='DNS:test.companyemail.de,DNS:*.hallo.companyemail.de' openssl ca
-config ca3.config -out key.pem -infiles key.csr
NOTE: serial number must increase always!
5) To revoke a certificate (e.g. when recreating same target, there is also an
option to allow multiple certs for one domain):
openssl ca -config ca.config -revoke certs/whatever.pem
I always copy my resulting files under proper name to data directory to
keep them.
See also http://www.madboa.com/geek/openssl/#cert-self
Play around with the settings, timeouts, ... Verify the results with
"openssl x509 -text" (you wont get it all right one first try, some typos
are always there in the values (either in the specified fields or in the
domain name or ... :-)
In point 4 you also can create certs for "IP:" (instead of DNS:)
addresses.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
