Create a PKI

From Deimos.fr / Bloc Notes Informatique
Jump to: navigation, search
OpenSSL

Software version 1.0.1k
Operating System 8
Website Debian Website
Last Update 26/02/2015
Others

1 Introduction

A public key infrastructure (PKI)[1] is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process. Depending on the assurance level of the binding, this may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.[2][3]

Notes Notes
To know the best recommendation for key encryption, please look at mozilla wiki.

2 Installation

The first thing to do is to ensure you've got openssl installed:

Command
apt-get install openssl

3 Generate CA

First, let's create the structure:

Command
mkdir pki
cd pki
mkdir -p {config,certs,db/ca.db.certs}
echo '01'> db/ca.db.serial
touch db/ca.db.index

Create a configuration file:

Configuration File config/ca.config
[ ca ]
default_ca      = domain.fqdn 
[ domain.fqdn ]dir              = ./db
certs            = ./db
new_certs_dir    = ./db/ca.db.certs
database         = ./db/ca.db.index
serial           = ./db/ca.db.serial
RANDFILE         = ./db/ca.db.rand
certificate      = ./certs/ca.crt
private_key      = ./certs/ca.key
default_days     = 3650
default_crl_days = 30
default_md       = sha256
preserve         = no
policy           = policy_anything
 
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

You absolutely need to update the domain.fqdn and to can update some values like the validity of the certificate (default_days).

We're now ready to generate the key certificate:

Command openssl
> openssl genrsa -des3 -out certs/ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for certs/ca.key:
Verifying - Enter pass phrase for certs/ca.key:

Enter a pass phrase. This will be used to generate client certificates.

Self sign it and enter the required informations like in this example:

Command openssl
> openssl req -utf8 -new -x509 -days 3650 -key certs/ca.key -out certs/ca.crt
Enter pass phrase for certs/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FRState or Province Name (full name) [Some-State]:FranceLocality Name (eg, city) []:ParisOrganization Name (eg, company) [Internet Widgits Pty Ltd]:companyOrganizational Unit Name (eg, section) []:sectionCommon Name (e.g. server FQDN or YOUR name) []:domain.fqdnEmail Address []:[email protected]

4 DER certificate

You can also generate a DER certificate to import into web browser:

Command openssl
openssl x509 -in certs/ca.crt -outform DER -out certs/ca.der

5 Generate a certificate

We're now ready to create certificates. We can create multiple ones (one by one for each domain) or we can create a wildcard. That's what we're going to do. Generate the key:

Command openssl
> openssl genrsa -out certs/wildcard.mydomain.fqdn.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
............................................+++
e is 65537 (0x10001)

Then generate the csr. As described above, we want to create a wildcard certificate, so do no forget to add the '*' character:

Command openssl
> openssl req -days 3650 -new -key certs/wildcard.mydomain.fqdn.key -out certs/wildcard.mydomain.fqdn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FRState or Province Name (full name) [Some-State]:FranceLocality Name (eg, city) []:Paris      Organization Name (eg, company) [Internet Widgits Pty Ltd]:companyOrganizational Unit Name (eg, section) []:sectionCommon Name (e.g. server FQDN or YOUR name) []:*.domain.fqdnEmail Address []:[email protected] 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Do not enter a challenge password or it will be required each time you'll want to use it.

You can now generate the final self signed certificate:

Command
> openssl ca -config config/ca.config -out certs/wildcard.mydomain.fqdn.crt -infiles certs/wildcard.mydomain.fqdn.csr
Using configuration from config/ca.config
Enter pass phrase for ./certs/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :ASN.1 12:'France'
localityName          :ASN.1 12:'Paris'
organizationName      :ASN.1 12:'company'
organizationalUnitName:ASN.1 12:'section'
commonName            :ASN.1 12:'*.domain.fqdn'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb 14 22:02:29 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6 Check certificates

You can now check SSL certificate like that:

Command openssl
openssl x509 -text -in certs/wildcard.mydomain.fqdn.crt

7 References

  1. ^ http://en.wikipedia.org/wiki/Public_key_infrastructure
  2. ^ http://artisan.karma-lab.net/creer-sa-propre-mini-pki
  3. ^ https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates