Create your own CA
This post sets up a multi-tier CA using the CA.pl script bundled with OpenSSL. The setup is deliberately simple and is not intended for use as a large-scale CA; it serves my own purpose of issuing certificates to client machines so they can connect to my server over L2TP/IPsec.
Key usage
You may refer to this article for an overview of the key usage extension.
Software requirement
- OS: Slackware 13.37
- bundled openssl
Root CA
The root CA is self-signed and issues certificates to the sub CAs. Below are the suggested file hierarchy and the options to set in openssl.cnf.
- Setup necessary files
mkdir /usr/local/CA
cd /usr/local/CA
mkdir root
cd root
cp /etc/ssl/misc/* .
cp /etc/ssl/openssl.cnf .
- Modify openssl.cnf, suggested configuration option:
[ CA_default ]
default_days = 3650

[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = HK
stateOrProvinceName_default = Hong Kong
localityName_default = Kowloon
0.organizationName_default = q-station.net
SET-ex3 = SET extension number 3

[ v3_ca ]
# pathlen:0 means no further CA certificate may follow this one in a chain;
# CA.pl uses this section both for -newca (the root) and for -signCA (the sub CAs)
basicConstraints = CA:true,pathlen:0
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objsign
authorityInfoAccess = caIssuers;URI:http://www.q-station.net/ca
crlDistributionPoints = URI:http://www.q-station.net/ca/root.crl
- Modify CA.pl:
$SSLEAY_CONFIG="-config ./openssl.cnf";
$CADAYS="-days 7300"; # 20 years
$DAYS="-days 1095"; # 3 years
- Create the self-signed CA:
./CA.pl -newca
(press enter to create a new certificate, then answer the prompts)
countryName = HK
stateOrProvinceName = Hong Kong
organizationName = q-station.net
organizationalUnitName = PKI
commonName = Root CA
emailAddress = ca@q-station.net
./CA.pl -signCA
- Because the Root CA certificate will expire after 20 years, while we want the sub CA certificates to expire in 10 years, we need to modify CA.pl again:
$CADAYS="-days 3650"; # 10 years
Server CA
The Server CA mainly issues certificates for SSL servers, such as HTTPS sites, VPN servers, etc.
- Setup necessary files
cd /usr/local/CA
mkdir server
cd server
cp /etc/ssl/misc/* .
cp /etc/ssl/openssl.cnf .
- Modify openssl.cnf, suggested configuration option:
[ CA_default ]
default_days = 1095 # cert valid for 3yrs

[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = HK
stateOrProvinceName_default = Hong Kong
localityName_default = Kowloon
0.organizationName_default = q-station.net
SET-ex3 = SET extension number 3

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
authorityInfoAccess = caIssuers;URI:http://www.q-station.net/ca
crlDistributionPoints = URI:http://www.q-station.net/ca/server.crl
- Modify CA.pl
$SSLEAY_CONFIG="-config ./openssl.cnf";
- Create the certificate for the Server CA (signed by the root CA):
cd /usr/local/CA/root
./CA.pl -newreq-nodes
countryName = HK
stateOrProvinceName = Hong Kong
localityName = Kowloon
organizationName = q-station.net
organizationalUnitName = PKI
commonName = Server CA
emailAddress = ca@q-station.net
./CA.pl -signCA
cat newcert.pem newkey.pem > serverca.pem # serverca cert for later use
mv serverca.pem ../server/
rm newcert.pem newkey.pem newreq.pem
- Create the Server CA:
cd /usr/local/CA/server
./CA.pl -newca
(enter serverca.pem as the CA certificate filename)
openssl x509 -in demoCA/cacert.pem -noout -next_serial -out demoCA/serial # create the serial file
rm serverca.pem
Machine CA
The Machine CA issues certificates for L2TP/IPsec clients; on a Windows client this is installed as a machine certificate.
Create the Machine CA following the same procedure as the Server CA. In brief:
- Setup necessary files
cd /usr/local/CA
mkdir machine
cd machine
cp /etc/ssl/misc/* .
cp /etc/ssl/openssl.cnf .
- Modify openssl.cnf, suggested configuration option:
[ CA_default ]
default_days = 1095 # cert valid for 3yrs

[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = HK
stateOrProvinceName_default = Hong Kong
localityName_default = Kowloon
0.organizationName_default = q-station.net
SET-ex3 = SET extension number 3

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth
authorityInfoAccess = caIssuers;URI:http://www.q-station.net/ca
crlDistributionPoints = URI:http://www.q-station.net/ca/machine.crl
- Modify CA.pl, as for the Server CA:
$SSLEAY_CONFIG="-config ./openssl.cnf";
- Create the Machine CA: under the root CA, make a new request and sign it (./CA.pl -newreq-nodes, then ./CA.pl -signCA). Copy the new certificate together with its key to the machine CA directory, run ./CA.pl -newca with that certificate, and create the serial file. Certificate request attributes for reference:
countryName = HK
stateOrProvinceName = Hong Kong
localityName = Kowloon
organizationName = q-station.net
organizationalUnitName = PKI
commonName = Machine CA
emailAddress = ca@q-station.net
Person CA
The Person CA issues certificates to people, who can use them to encrypt and sign email or for client authentication.
Create the Person CA following the same procedure as the Server CA. In brief:
- Setup necessary files
cd /usr/local/CA
mkdir person
cd person
cp /etc/ssl/misc/* .
cp /etc/ssl/openssl.cnf .
- Modify openssl.cnf, suggested configuration option:
[ CA_default ]
default_days = 1095 # cert valid for 3yrs

[ req ]
default_bits = 2048

[ req_distinguished_name ]
countryName_default = HK
stateOrProvinceName_default = Hong Kong
localityName_default = Kowloon
0.organizationName_default = q-station.net
SET-ex3 = SET extension number 3

[ usr_cert ]
nsCertType = client, email, objsign
keyUsage = digitalSignature, keyEncipherment, keyAgreement, nonRepudiation
extendedKeyUsage = clientAuth,emailProtection
subjectAltName = email:copy
authorityInfoAccess = caIssuers;URI:http://www.q-station.net/ca
crlDistributionPoints = URI:http://www.q-station.net/ca/person.crl
- Modify CA.pl, as for the Server CA:
$SSLEAY_CONFIG="-config ./openssl.cnf";
- Create the Person CA: under the root CA, make a new request and sign it (./CA.pl -newreq-nodes, then ./CA.pl -signCA). Copy the new certificate together with its key to the person CA directory, run ./CA.pl -newca with that certificate, and create the serial file. Certificate request attributes for reference:
countryName = HK
stateOrProvinceName = Hong Kong
localityName = Kowloon
organizationName = q-station.net
organizationalUnitName = PKI
commonName = Person CA
emailAddress = ca@q-station.net
Export Certificate for Windows
Bundle the whole CA chain into the PKCS#12 file, so the Windows client can build the path up to the root:
cat machine/demoCA/cacert.pem root/demoCA/cacert.pem > cabundle.pem
openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out wincert.pfx -certfile cabundle.pem -name 'WinXP cert'
Revoke the certificate
openssl ca -config ./openssl.cnf -revoke newcert.pem
openssl ca -gencrl -config ./openssl.cnf -out /tmp/crl.crl
openssl crl -in /tmp/crl.crl -text | less
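As an added example (not part of the original post), the script below builds a throwaway root -> sub CA -> leaf chain in a temporary directory, mirroring the v3_ca and usr_cert choices used for the CAs above, checks it with openssl verify, then revokes the leaf and issues a CRL the same way as the commands above, and shows that the verifier only rejects the certificate once the sub CA's CRL is supplied with -crl_check. The root is given pathlen:1 because one sub CA sits below it; all names and paths are made up.

```shell
#!/bin/sh
# Added example (not from the post): throwaway root -> sub CA -> leaf chain built in a temp
# dir with the post's extension choices; shows a revoked leaf still verifies until the CRL is supplied.
set -e
CA_DIR=$(mktemp -d) && cd "$CA_DIR"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
certificate = sub.crt
private_key = sub.key
default_md = sha256
default_days = 1095
default_crl_days = 30
[ v3_root ]
basicConstraints = CA:true,pathlen:1
keyUsage = cRLSign, keyCertSign
[ v3_sub ]
basicConstraints = CA:true,pathlen:0
keyUsage = cRLSign, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
touch index.txt
# Root CA (self-signed; pathlen:1 so one CA may sit below it), sub CA, and a leaf (names are made up).
openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
  -subj /CN=Root -days 30 -keyout root.key -out root.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj '/CN=Server CA' \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions v3_sub -out sub.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=vpn.example \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions usr_cert -out leaf.crt 2>/dev/null
# Chain check with no CRL: prints valid or invalid.
verify_leaf() { openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt >/dev/null 2>&1 && echo valid || echo invalid; }
# Same check with the sub CA's CRL appended to the trust file; -crl_check needs the leaf issuer's CRL.
verify_leaf_crl() { cat root.crt sub.crl > trust.pem; openssl verify -crl_check -CAfile trust.pem -untrusted sub.crt leaf.crt >/dev/null 2>&1 && echo valid || echo revoked; }
echo "before revocation:              $(verify_leaf)"
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null   # adds the serial to index.txt marked R
openssl ca -config ca.cnf -gencrl -out sub.crl 2>/dev/null
echo "after revocation, no CRL given: $(verify_leaf)"
echo "after revocation, CRL supplied: $(verify_leaf_crl)"
```

The middle line of output is the point: a relying party that never fetches the CRL published at the crlDistributionPoints URL keeps accepting the revoked certificate.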
Renew certificate
openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem \
    -startdate [now] -enddate [previous enddate+365days] -infiles newreq.pem
(-infiles must come last, as every argument after it is treated as an input file.)