this article<\/a> to have a idea about key usage.<\/p>\nSoftware requirement<\/h1>\n
<\/p>\n\n- OS: Slackware 13.37<\/li>\n
- bundled openssl<\/li>\n<\/ul>\n
<\/strong><\/p>\n
Root CA<\/h1>\n
The root CA is self-signed and issue certificate to subCA. Following is the suggested file hierarchy path and options in openssl.cnf<\/strong>.<\/p>\n\n- Setup necessary files\n
\r\nmkdir \/usr\/local\/CA\r\n\r\ncd \/usr\/local\/CA\r\nmkdir root\r\ncd root\r\ncp \/etc\/ssl\/misc\/* .\r\ncp \/etc\/ssl\/openssl.cnf .\r\n<\/pre>\n<\/li>\n
- Modify openssl.cnf, suggested configuration option:\n
\r\n[ CA_default ]\r\ndefault_days = 3650\r\n\r\n[ req ]\r\ndefault_bits = 2048\r\n\r\n[ req_distinguished_name ]\r\ncountryName_default = HK\r\nstateOrProvinceName_default = Hong Kong\r\nlocalityName_default = Kowloon\r\n0.organizationName_default = q-station.net\r\n\r\nSET-ex3 = SET extension number 3\r\n\r\n[ v3_ca ]\r\nbasicConstraints = CA:true,pathlen:0\r\nkeyUsage = cRLSign, keyCertSign\r\nnsCertType = sslCA, emailCA, objsign\r\nauthorityInfoAccess = caIssuers;URI:http:\/\/www.q-station.net\/ca\r\ncrlDistributionPoints=URI:http:\/\/www.q-station.net\/ca\/root.crl\r\n<\/pre>\n<\/li>\n
- Modify CA.pl\n
\r\n$SSLEAY_CONFIG=\"-config .\/openssl.cnf\";\r\n$CADAYS=\"-days 7300\"; # 20 years\r\n<\/pre>\n<\/li>\n
- Modify CA.pl\n
\r\n$SSLEAY_CONFIG=\u201d-config .\/openssl.cnf\u201d;\r\n$DAYS=\u201d-days 1095\u2033; # 3 year\r\n<\/pre>\n<\/li>\n
- Create self-signed CA\n
\r\n.\/CA.pl -newca\r\n(press enter to create new cert)\r\n\r\n\r\ncountryName = HK\r\nstateOrProvinceName = Hong Kong\r\norganizationName = q-station.net\r\norganizationalUnitName = PKI\r\ncommonName = Root CA\r\nemailAddress = ca@q-station.net\r\n<\/strong>\r\n\r\n.\/CA.pl -signCA\r\n<\/pre>\n<\/li>\n- As the Root CA cert will be expiry after 20 years, while we would like certificate for subCA expiry in 10yrs, so we need to modify CA.pl again,\n
\r\n$CADAYS=\"-days 3650\"; # 10 years\r\n<\/pre>\n<\/li>\n<\/ul>\nServer CA<\/h1>\n
The server CA will mainly issue certificate for SSL server, such as, https site, VPN server, etc.<\/p>\n
\n- Setup necessary files\n
\r\ncd \/usr\/local\/CA\r\nmkdir server\r\ncd server\r\ncp \/etc\/ssl\/misc\/* .\r\ncp \/etc\/ssl\/openssl.cnf .\r\n<\/pre>\n<\/li>\n
- Modify openssl.cnf, suggested configuration option:\n
\r\n[ CA_default ]\r\ndefault_days = 1095 # cert valid for 3yrs\r\n\r\n[ req ]\r\ndefault_bits = 2048\r\n\r\n[ req_distinguished_name ]\r\ncountryName_default = HK\r\nstateOrProvinceName_default = Hong Kong\r\nlocalityName_default = Kowloon\r\n0.organizationName_default = q-station.net\r\n\r\nSET-ex3 = SET extension number 3\r\n\r\n[ usr_cert ]\r\nbasicConstraints=CA:FALSE\r\nnsCertType = server\r\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\r\n\r\nextendedKeyUsage=serverAuth,clientAuth\r\nauthorityInfoAccess = caIssuers;URI:http:\/\/www.q-station.net\/ca\r\ncrlDistributionPoints=URI:http:\/\/www.q-station.net\/ca\/server.crl\r\n<\/pre>\n<\/li>\n
- Modify CA.pl\n
\r\n$SSLEAY_CONFIG=\"-config .\/openssl.cnf\";\r\n<\/pre>\n<\/li>\n
- Create certificate for Server CA\n
\r\ncd \/usr\/local\/CA\/root\r\n.\/CA.pl -newreq-nodes\r\n\r\ncountryName = HK\r\nstateOrProvinceName = Hong Kong\r\nLocality Name = Kowloon\r\norganizationName = q-station.net\r\norganizationalUnitName = PKI\r\ncommonName = Server CA\r\nemailAddress = ca@q-station.net\r\n<\/strong>\r\n\r\n.\/CA.pl -signCA\r\n\r\ncat newcert.pem newkey.pem > serverca.pem # serverca cert for later use\r\nmv serverca.pem ..\/server\/\r\nrm newcert.pem newkey.pem newreq.pem\r\n<\/pre>\n<\/li>\n- Create ServerCA\n
\r\ncd \/usr\/local\/CA\/server\r\n.\/CA.pl -newca\r\nenter serverca.pem<\/strong> as CA certificate filename\r\nopenssl x509 -in demoCA\/cacert.pem -noout -next_serial -out demoCA\/serial # for serial\r\nrm serverca.pem\r\n<\/pre>\n<\/li>\n<\/ul>\nMachine CA<\/h1>\n
Machine CA issue certificate for L2TP\/IPSec client. It is a machine certificate in Windows machine.<\/p>\n
Create the machine CA follow the similar procedure as Server CA, in brief,<\/p>\n
\n- \n
\r\ncd \/usr\/local\/CA\r\nmkdir machine\r\ncd machine\r\ncp \/etc\/ssl\/misc\/* .\r\ncp \/etc\/ssl\/openssl.cnf .\r\n<\/pre>\n<\/li>\n
- openssl.cnf\n
\r\n[ CA_default ]\r\ndefault_days = 1095 # cert valid for 3yrs\r\n\r\n[ req ]\r\ndefault_bits = 2048\r\n\r\n[ req_distinguished_name ]\r\ncountryName_default = HK\r\nstateOrProvinceName_default = Hong Kong\r\nlocalityName_default = Kowloon\r\n0.organizationName_default = q-station.net\r\n\r\nSET-ex3 = SET extension number 3\r\n\r\n[ usr_cert ]\r\nbasicConstraints=CA:FALSE\r\nnsCertType = client\r\nkeyUsage = digitalSignature, keyEncipherment, keyAgreement\r\nextendedKeyUsage=clientAuth\r\n\r\nauthorityInfoAccess = caIssuers;URI:http:\/\/www.q-station.net\/ca\r\ncrlDistributionPoints=URI:http:\/\/www.q-station.net\/ca\/machine.crl\r\n<\/pre>\n
- modify CA.pl\n<\/li>\n
- Create machineCA, simply under root CA, make a new request and sign it. Copy the new cert with server key to machine CA. Running .\/CA.pl -newca with the cert and create the serial file. Cert request attribute for ref:\n
\r\ncountryName = HK\r\nstateOrProvinceName = Hong Kong\r\nlocalityName = Kowloon\r\norganizationName = q-station.net\r\norganizationalUnitName = PKI\r\ncommonName = Machine CA\r\nemailAddress = ca@q-station.net\r\n<\/pre>\n<\/li>\nPerson CA<\/h1>\n
Person CA issue certificate for people. People could use the cert to encrypt, sign the email or serve as client authentication.<\/p>\n
Create the person CA follow the similar procedure as Server CA, in brief,<\/p>\n
\n- \n
\r\ncd \/usr\/local\/CA\r\nmkdir person\r\ncd person\r\ncp \/etc\/ssl\/misc\/* .\r\ncp \/etc\/ssl\/openssl.cnf .\r\n<\/pre>\n<\/li>\n
- openssl.cnf\n
\r\n[ CA_default ]\r\ndefault_days = 1095 # cert valid for 3yrs\r\n\r\n[ req ]\r\ndefault_bits = 2048\r\n\r\n[ req_distinguished_name ]\r\ncountryName_default = HK\r\nstateOrProvinceName_default = Hong Kong\r\nlocalityName_default = Kowloon\r\n0.organizationName_default = q-station.net\r\n\r\nSET-ex3 = SET extension number 3\r\n\r\n[ usr_cert ]\r\nnsCertType = client, email, objsign\r\nkeyUsage = digitalSignature, keyEncipherment, keyAgreement, nonRepudiation\r\nextendedKeyUsage=clientAuth,emailProtection\r\nsubjectAltName=email:copy\r\n\r\nauthorityInfoAccess = caIssuers;URI:http:\/\/www.q-station.net\/ca\r\ncrlDistributionPoints=URI:http:\/\/www.q-station.net\/ca\/person.crl\r\n<\/pre>\n
- modify CA.pl\n<\/li>\n
- Create person CA, simply under root CA, make a new request and sign it. Copy the new cert with server key to person CA. Running .\/CA.pl -newca with the cert and create the serial file. Cert request attribute for ref:\n
\r\ncountryName = HK\r\nstateOrProvinceName = Hong Kong\r\nlocalityName = Kowloon\r\norganizationName = q-station.net\r\norganizationalUnitName = PKI\r\ncommonName = Person CA\r\nemailAddress = ca@q-station.net\r\n<\/pre>\n<\/li>\nExport Certificate for Windows<\/h1>\n
You should bundle the whole CA chain to include in the pkcs12 file.<\/p>\n
\r\ncat machine\/demoCA\/cacert.pem root\/demoCA\/cacert.pem > cabundle.pem\r\n\r\nopenssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out wincert.pfx -certfile cabundle.pem -name 'WinXP cert'\r\n<\/pre>\nRevoke the certificate<\/h1>\n\r\nopenssl ca -config .\/openssl.cnf -revoke newcert.pem\r\nopenssl ca -gencrl -config .\/openssl.cnf -out \/tmp\/crl.crl\r\nopenssl crl -in \/tmp\/crl.crl -text|less\r\n<\/pre>\nRenew certificate<\/h1>\n\r\nopenssl ca -config \/etc\/openssl.cnf -policy policy_anything -out newcert.pem \\\r\n-infiles newreq.pem -startdate [now] -enddate [previous enddate+365days]\r\n<\/pre>\n