|
|
Software version |
1.0.1k |
Operating System |
8 |
Website |
Debian Website |
Last Update |
26/02/2015 |
Others |
|
1 Introduction
A public key infrastructure (PKI)[1] is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) can provide this information on behalf of the CA. The binding is established through the registration and issuance process. Depending on the assurance level of the binding, this may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA). The RA ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.[2][3]
2 Installation
The first thing to do is to ensure you've got openssl installed:
3 Generate CA
First, let's create the structure:
|
mkdir pki
cd pki
mkdir -p {config,certs,db/ca.db.certs}
echo '01'> db/ca.db.serial
touch db/ca.db.index
|
Create a configuration file:
config/ca.config
|
[ ca ]
default_ca = domain.fqdn
[ domain.fqdn ]dir = ./db
certs = ./db
new_certs_dir = ./db/ca.db.certs
database = ./db/ca.db.index
serial = ./db/ca.db.serial
RANDFILE = ./db/ca.db.rand
certificate = ./certs/ca.crt
private_key = ./certs/ca.key
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
|
You absolutely need to update the domain.fqdn and to can update some values like the validity of the certificate (default_days).
We're now ready to generate the key certificate:
openssl
|
> openssl genrsa -des3 -out certs/ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for certs/ca.key:
Verifying - Enter pass phrase for certs/ca.key:
|
Enter a pass phrase. This will be used to generate client certificates.
Self sign it and enter the required informations like in this example:
openssl
|
> openssl req -utf8 -new -x509 -days 3650 -key certs/ca.key -out certs/ca.crt
Enter pass phrase for certs/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FRState or Province Name (full name) [Some-State]:FranceLocality Name (eg, city) []:ParisOrganization Name (eg, company) [Internet Widgits Pty Ltd]:companyOrganizational Unit Name (eg, section) []:sectionCommon Name (e.g. server FQDN or YOUR name) []:domain.fqdnEmail Address []:email@domain.fqdn
|
4 DER certificate
You can also generate a DER certificate to import into web browser:
openssl
|
openssl x509 -in certs/ca.crt -outform DER -out certs/ca.der
|
5 Generate a certificate
We're now ready to create certificates. We can create multiple ones (one by one for each domain) or we can create a wildcard. That's what we're going to do. Generate the key:
openssl
|
> openssl genrsa -out certs/wildcard.mydomain.fqdn.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
............................................+++
e is 65537 (0x10001)
|
Then generate the csr. As described above, we want to create a wildcard certificate, so do no forget to add the '*' character:
openssl
|
> openssl req -days 3650 -new -key certs/wildcard.mydomain.fqdn.key -out certs/wildcard.mydomain.fqdn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FRState or Province Name (full name) [Some-State]:FranceLocality Name (eg, city) []:Paris Organization Name (eg, company) [Internet Widgits Pty Ltd]:companyOrganizational Unit Name (eg, section) []:sectionCommon Name (e.g. server FQDN or YOUR name) []:*.domain.fqdnEmail Address []:user@domain.fqdn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
Do not enter a challenge password or it will be required each time you'll want to use it.
You can now generate the final self signed certificate:
|
> openssl ca -config config/ca.config -out certs/wildcard.mydomain.fqdn.crt -infiles certs/wildcard.mydomain.fqdn.csr
Using configuration from config/ca.config
Enter pass phrase for ./certs/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :ASN.1 12:'France'
localityName :ASN.1 12:'Paris'
organizationName :ASN.1 12:'company'
organizationalUnitName:ASN.1 12:'section'
commonName :ASN.1 12:'*.domain.fqdn'
emailAddress :IA5STRING:'user@domain.fqdn'
Certificate is to be certified until Feb 14 22:02:29 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
|
6 Check certificates
You can now check SSL certificate like that:
openssl
|
openssl x509 -text -in certs/wildcard.mydomain.fqdn.crt
|
7 References
- ^ http://en.wikipedia.org/wiki/Public_key_infrastructure
- ^ http://artisan.karma-lab.net/creer-sa-propre-mini-pki
- ^ https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates