OpenSSL

Setting up Your Own x.509 Certificate Authority

Submitted by craige on April 12, 2006 - 11:07

This document details how to setup an OpenSSL Certificate Authority that you can then use to create certificates for internal use, such as IPSec x.509 Virtual Private Networks (VPNs). The steps below are specific for Debian or Ubuntu servers but may be adapted for other Linux distributions.

 

Firstly we need to edit openssl.cnf and change a few defaults: 

$ vi /etc/ssl/openssl.cnf

Change default_days from 365 to 3650 for 10 years of certificate life.

default_days    = 3650                  # how long to certify for

For internal use, this longevity does not present a great security risk and certificates can be revoked at any time. For convenience I like to set a number of fields below the [ req_distinguished_name ] section. The examples below are for a fictional company in Sydney, Australia, change or add these lines as required:

countryName_default             = AU

stateOrProvinceName_default     = New South Wales

localityName_default            = Sydney

0.organizationName_default      = Your Company Pty Ltd

organizationalUnitName_default  = Your Dept.

commonName_default              = Your Company Pty Ltd

emailAddress_default            = somecontact@yourcompany.com

Filling the above in will save a little typing time when generating certificates. Now you need to make a directory for your Certificate Authority and change into it. My preference is to create it under /etc/ssl as follows:

$ sudo mkdir /etc/ssl/YourCompanyCA
$ cd /etc/ssl/YourCompanyCA

At this point I would recommend copying the script /usr/lib/ssl/misc/CA.sh to /etc/ssl/CA.sh and modifying it to create a CA certificate that lasts more than 10 years - 20 years is a nice figure. You will also need to replace demoCA with the directory you created above. I make the following changes:

/etc/ssl/YourCompanyCA $ sudo cp /usr/lib/ssl/misc/CA.sh /etc/ssl/CA.sh
/etc/ssl/YourCompanyCA $ sudo vi /etc/ssl/CA.sh

DAYS="-days 7300"

CATOP=./MyCompanyCA

Now we need to create the CA Certificate. Apart from setting the certificate password, you can take the defaults because you set them earlier:

/etc/ssl/YourCompanyCA $ sudo /etc/ssl/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...............++++++
writing new private key to './YourCompanyCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [New South Wales]:
Locality Name (eg, city) [Sydney]:
Organization Name (eg, company) [Your Company Pty Ltd]:
Organizational Unit Name (eg, section) [Your Dept]:
Common Name (eg, YOUR name) [Your Company Pty Ltd]:
Email Address [somecontact@yourcompany.com]:
/etc/ssl/YourCompanyCA $

Now we will need to create a CRL file which will be needed on any VPN gateways you might have. This will need to be updated any time a certificate is revoked:

/etc/ssl/YourCompanyCA $ openssl ca -gencrl -out crl.pem

Now you have a your very own functioning Certificate Authority and you're ready to generate certificates for what ever purpose you may have.