Create Root CA (Done once)
Create Root Key
Attention: this is the key used to sign certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate, which needs to be distributed to all the computers that have to trust us.
Create a certificate (Done for each server)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA.
Create the certificate key
openssl genrsa -out mydomain.com.key 2048
Create the signing request (csr)
The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case, since you created it earlier) to generate the certificate.
Important: while creating the signing request it is important to specify the Common Name, providing the IP address or domain name of the service; otherwise the certificate cannot be verified.
I will describe two ways to generate it.
Method A (Interactive)
If you generate the csr in this way, openssl will ask you questions about the certificate to generate, like the organization details and the Common Name (CN), which is the web address you are creating the certificate for, e.g. mydomain.com.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Method B (One Liner)
This method generates the same output as Method A, but it's suitable for use in your automation :).
openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
If you need to pass additional config you can use the -config parameter; here, for example, I want to add alternative names to my certificate.
openssl req -new -sha256 \
-key mydomain.com.key \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
-out mydomain.com.csr
Generate the certificate using the mydomain csr and key along with the CA Root key
Note: we use an .ext file here because Google Chrome requires alternative names for issued certificates. Here is the content of the v3.mydomain.com.ext file:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
DNS.2 = *.mydomain.com
Command to generate the certificate:
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 -extfile v3.mydomain.com.ext
Generate p12/pfx from the server certificate to install on the client's side
openssl pkcs12 -export -out mydomain.com.p12 -inkey mydomain.com.key -in mydomain.com.crt
Based on source by Lorenzo Fontana
Create the Certificate Revocation List (CRL) file:
Make a directory for a CRL:
mkdir crl
Create an index file with the following command:
touch crl/index.txt
Create a file for the CRL number. This file should contain the text 00 only.
echo 00 > crl/crl_number
Create and write the following contents into a crl.conf file:
# OpenSSL configuration for CRL generation
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
# These must point at the files created above (crl/index.txt and crl/crl_number);
# the paths are relative to the directory you run openssl ca from.
database = ./crl/index.txt
crlnumber = ./crl/crl_number
default_days = 365 # how long to certify for
default_crl_days = 365 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
####################################################################
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
Create the CRL file with the following command:
openssl ca -gencrl -keyfile rootCA.key -cert rootCA.crt -out crl.pem -config crl.conf
Revoke a client certificate (e.g. the mydomain.com.crt issued above), using the same root key and certificate as before:
openssl ca -revoke <certificate to revoke> -keyfile rootCA.key -cert rootCA.crt -config crl.conf
Then regenerate the CRL:
openssl ca -gencrl -keyfile rootCA.key -cert rootCA.crt -out crl.pem -config crl.conf
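The following script is an added example (not part of the original page): it replays the issuance steps above (root CA, SAN certificate, CRL) non-interactively in a scratch directory and then checks the result the way a relying party would: chain to rootCA.crt, hostname covered by the SAN, and certificate not listed in the CRL, before and after revocation. The file names req.cnf and v3.ext, the "Demo Root CA" name and the ./crl/ paths are this example's own choices; the root key is left unencrypted only so that the run needs no passphrase prompt.

```shell
#!/bin/sh
# Added example, not from the original page: rebuild the page's root CA,
# SAN certificate and CRL non-interactively in a scratch directory, then
# check the result the way a relying party would (chain, hostname, CRL).
# Names such as "Demo Root CA" and the req.cnf / v3.ext / crl.conf file
# names are this example's own choices; the root key is left unencrypted
# only so that the run needs no passphrase prompt.
q() { "$@" >/dev/null 2>&1; }

setup_demo_ca() {
  WORK=$(mktemp -d) && cd "$WORK" || return 1
  # Minimal req config so the commands do not depend on the system openssl.cnf;
  # v3_ca marks the root as a CA allowed to sign certificates and CRLs.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > req.cnf
  q openssl genrsa -out rootCA.key 2048
  q openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -config req.cnf \
    -subj '/C=US/ST=CA/O=MyOrg, Inc./CN=Demo Root CA' -out rootCA.crt
  # Server key and CSR, signed with the same extension file as on the page
  q openssl genrsa -out mydomain.com.key 2048
  q openssl req -new -sha256 -key mydomain.com.key -config req.cnf \
    -subj '/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com' -out mydomain.com.csr
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' 'subjectAltName = @alt_names' \
    '[alt_names]' 'DNS.1 = mydomain.com' 'DNS.2 = *.mydomain.com' > v3.ext
  q openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out mydomain.com.crt -days 500 -sha256 -extfile v3.ext
  # CRL state and config, pointing at the files created here (not /etc/pki/...)
  mkdir crl && touch crl/index.txt && echo 00 > crl/crl_number
  printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' \
    'database = ./crl/index.txt' 'crlnumber = ./crl/crl_number' \
    'default_crl_days = 365' 'default_md = sha256' > crl.conf
  q openssl ca -gencrl -keyfile rootCA.key -cert rootCA.crt -out crl.pem -config crl.conf
}

# check_cert HOST: 0 only if mydomain.com.crt chains to rootCA.crt, its SAN
# covers HOST, and the CRL does not list it (what a browser would require).
check_cert() {
  q openssl verify -CAfile rootCA.crt -CRLfile crl.pem -crl_check \
    -verify_hostname "$1" mydomain.com.crt
}

# Revoke the server certificate and reissue the CRL, as in the page's last steps
revoke_demo_cert() {
  q openssl ca -revoke mydomain.com.crt -keyfile rootCA.key -cert rootCA.crt -config crl.conf &&
  q openssl ca -gencrl -keyfile rootCA.key -cert rootCA.crt -out crl.pem -config crl.conf
}
```

Run `setup_demo_ca && check_cert www.mydomain.com` to see the wildcard SAN accepted, then `revoke_demo_cert` and repeat the check to see the revoked certificate rejected.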