Inside an enterprise there are a lot of machines communicating with each other. It is necessary to keep these communications secure and private. This can be achieved through encryption.
In the enterprise SOA the most important protocol is HTTP. The encrypted version is HTTPS and needs at least one certificate. The certificate is the host certificate of the server and must be trusted on the client side. For details have a look at this post.
The needed certificate can be bought for a yearly fee of some euros from an official certificate authority. Another possibility is to just use the certificates generated by the systems themselves (‘snakeoil’ certificates).
But if the enterprise needs many certificates, a better solution is to set up its own certificate authority for the enterprise.
Don’t underestimate the effort of having your own CA. The effort is not primarily in setting up the CA or generating the certificates. Much more time is needed for the education of the employees handling the CA, the organizational processes and the documentation of issued certificates, keys and their lifetime. At official certificate authorities there are hundreds of folders describing how the employees have to act in different situations, who has the permission to do what, who can substitute key persons and so on. Even if you don’t need such complex processes, there should be some definitions about the confidentiality of the CA and the generated certificates and about substitutes for the employee handling the CA.
I will describe how to do the several actions with openssl on a Linux machine. Of course a current version of openssl should be used.
openssl.cnf
The first step for setting up the CA is to create or modify the file openssl.cnf. When I started to set up the CA I was surprised how difficult to understand and how bad the documentation of this file was. In fact I was missing an example of the file with current settings and without everything else that is not really needed. The section and extension system of the openssl.cnf file makes it quite difficult to understand. If some reader has suggestions to improve it, I would very much appreciate them.
```ini
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
                     # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
                           # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = pkix

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

localityName = Locality Name (eg, city)
localityName_default = Muenchen

0.organizationName = Organization Name (eg, company)
0.organizationName_default = opitz-consulting

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT Department

commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

####################################################################
[ root_ca_extensions ]
# This (basicConstraints = critical,CA:true) is what PKIX recommends but
# some broken software chokes on critical extensions. So we do this instead:
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
keyUsage = keyCertSign, cRLSign

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer


####################################################################
[ client_ca_extensions ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:false

# This is typical in keyUsage for a client certificate.
keyUsage = keyEncipherment,nonRepudiation,digitalSignature,keyAgreement

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
extendedKeyUsage = 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer


####################################################################
[ server_ca_extensions ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:false

# This is typical in keyUsage for a host certificate.
keyUsage = keyEncipherment,nonRepudiation,digitalSignature,keyAgreement

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
extendedKeyUsage = 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
```
In the section CA_default the locations of the different files are defined. The line ‘default_ca = CA_default’ in the [ ca ] section selects CA_default as the section used by openssl ca.
If unique_subject = no stays commented out, every old certificate must be revoked before a new one with the same subject can be generated.
The value default_days = 365 issues certificates by default with a validity of one year.
The section policy_match defines what certificate requests to be signed by this CA must look like. It is activated by the line ‘policy = policy_match’.
Next is the section req. It is used when a certificate signing request is created. We set the default RSA key length to 2048 bits and the default digest to SHA-256.
With req_distinguished_name we set up the defaults for the CN and the other attributes of the certificate subject.
After that I decided to create three different extension sections for the three different use cases: root_ca_extensions, client_ca_extensions and server_ca_extensions. The extension section to use is selected when signing the csr.
In my first tries the client_ca_extensions and server_ca_extensions had different extendedKeyUsage settings: 1.3.6.1.5.5.7.3.2 for the client and 1.3.6.1.5.5.7.3.1 for the server. In my opinion this should be enough, but I later found some unexpected behaviors on one system, perhaps triggered by this, so I didn’t do further research and added both key usages to both certificates.
For the field keyUsage I found a good descriptive comment on Stack Exchange. To sum up: the needed usages depend on the cipher suite, which is why it is recommended to add all four.
Creating the CA key and self signing the CA certificate
First we generate the private key of the root CA and store it encrypted in a file:
```sh
# -des3 encrypts the key file with a passphrase; options must come before the
# key length (openssl genrsa [options] numbits), otherwise they are not applied
openssl genrsa -des3 -out ${ROOT_CA_KEY} 4096
```
ROOT_CA_KEY is the encrypted private key file of the root certificate of the CA.
The second step is to create the certificate of the root CA:
```sh
# openssl req takes the digest as -sha256 (the -md option belongs to openssl ca);
# the subject fields are prompted for, with the defaults from req_distinguished_name
openssl req -x509 -new -days 3650 -sha256 -config /etc/pki/tls/openssl.cnf -extensions root_ca_extensions -key ${ROOT_CA_KEY} -out ${ROOT_CA_CRT} -passin pass:${ROOT_CA_PWD}
```
ROOT_CA_PWD is the password for the private key of the root certificate.
ROOT_CA_CRT is the root certificate of the CA.
Now our CA is ready to create certificates with associated private keys and to sign certificate signing requests.
Creating a client certificate with the associated private key
I have implemented the same two steps for all three use cases, even though they could be combined or are not necessary in some cases:
- Create a certificate signing request and a private key (file extensions csr and key)
- Signing the certificate signing request and generating the certificate (file extension crt)
In many examples the private key file and the certificate file use the extension pem. I prefer the extensions key and crt to make it more clear, what is inside the file.
In this use case we create the csr and the key with the command:
```sh
openssl req -sha256 -newkey rsa:2048 -nodes -keyout ${KEY} -out ${CSR} -subj "/C=DE/L=Muenchen/OU=IT Department/O=opitz-consulting/CN=${CERT_CN}/emailAddress=${CERT_EMAIL}"
```
(The original command also carried -days 365; openssl req only honours -days together with -x509, the validity of the final certificate is set when the CSR is signed.)
KEY is the filename with path of the generated private key file. Because of -nodes it is written unencrypted, so restrict its file permissions and hand it to the user or system over a protected channel.
CSR is the filename with path of the generated certificate signing request file
CERT_CN is the identifier of the user/system using this client certificate. This could be e.g. Mister Someone or CRM.
CERT_EMAIL is the mail address of the user or using system.
The second step is to sign the csr and create the certificate:
```sh
openssl ca -keyfile ${ROOT_CA_KEY} -cert ${ROOT_CA_CRT} -config /etc/pki/tls/openssl.cnf -extensions client_ca_extensions -notext -batch -days 365 -md sha256 -in ${CSR} -out ${CRT} -passin pass:${ROOT_CA_PWD}
```
CRT is the filename with path of the generated certificate file
We use the client_ca_extensions for creating this certificate.
It is highly recommended not to simply type the two commands on the shell. Instead they should be wrapped in a shell script that takes only one or two parameters and defines the folders, filenames, naming patterns and so on. Otherwise, especially if different employees are issuing certificates, the overview of the issued certificates will be lost very soon.
Creating a host certificate with the associated private key
In this use case we create the csr and the key with the command:
```sh
openssl req -sha256 -newkey rsa:2048 -nodes -keyout ${KEY} -out ${CSR} -subj "/C=DE/L=Muenchen/OU=IT Department/O=opitz-consulting/CN=${CERT_CN}"
```
(-days is omitted here; it has no effect when only a CSR is created.)
KEY is the filename with path of the generated private key file
CSR is the filename with path of the generated certificate signing request file
CERT_CN is the fully qualified hostname of the machine. Current browsers and TLS libraries match the hostname against the subjectAltName extension rather than the CN, so the host certificate also needs a subjectAltName entry (DNS:${CERT_CN}); with openssl ca it is either taken from the CSR (copy_extensions in openssl.cnf) or set in the server_ca_extensions section.
The second step is to sign the csr and create the certificate:
```sh
openssl ca -keyfile ${ROOT_CA_KEY} -cert ${ROOT_CA_CRT} -config /etc/pki/tls/openssl.cnf -extensions server_ca_extensions -notext -batch -days 365 -md sha256 -in ${CSR} -out ${CRT} -passin pass:${ROOT_CA_PWD}
```
CRT is the filename with path of the generated certificate file
We use the server_ca_extensions for creating this certificate.
Signing a host certificate request
In this use case the CSR is created on another system and handed over for signing. The private key belonging to the CSR stays on that system and is not needed for signing. Before signing, verify the CSR's signature and read its contents (openssl req -in ${CSR} -noout -verify -text): the subject and any requested extensions, in particular subjectAltName, must match what the requester is entitled to, because if copy_extensions is enabled in openssl.cnf they end up in the certificate. Then only the second step, signing the CSR and creating the certificate, is executed:
```sh
openssl ca -keyfile ${ROOT_CA_KEY} -cert ${ROOT_CA_CRT} -config /etc/pki/tls/openssl.cnf -extensions server_ca_extensions -notext -batch -days 365 -md sha256 -in ${CSR} -out ${CRT} -passin pass:${ROOT_CA_PWD}
```
CSR is the filename with path of the certificate signing request file provided
CRT is the filename with path of the generated certificate file
We use the server_ca_extensions for creating this certificate.
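As an added example that is not part of the original post, here are the procedures above (root CA, client certificate, host certificate, signing a CSR from another system) wrapped in shell functions the way the text recommends, together with the checks a CA operator should run after each step. It assumes openssl 1.1.1 or newer on PATH. The embedded openssl.cnf is a constructed minimal configuration of my own: it reuses the post's three extension section names but keeps clientAuth and serverAuth separate (the author added both to both sections after an interoperability problem), takes the subjectAltName from the CSR via copy_extensions, and all names (Example Corp, example.invalid, CA_DIR, the function names) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA workflow described above
# wrapped in shell functions, plus the checks a CA operator should run. Assumes
# openssl 1.1.1+ on PATH. The openssl.cnf below is a constructed minimal config (the
# post's three section names, clientAuth/serverAuth kept separate); names are placeholders.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_CNF="$CA_DIR/openssl.cnf"
ROOT_CA_KEY="$CA_DIR/root-ca.key"
ROOT_CA_CRT="$CA_DIR/root-ca.crt"
SUBJ_BASE="/C=DE/O=Example Corp"
# Password handed over as env:, not pass:, so it never appears in ps output or shell history.
export ROOT_CA_PWD="${ROOT_CA_PWD:-example-only-password}"

write_config() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"        # CA database: one line per issued certificate
    echo 1000 > "$CA_DIR/serial"   # next serial number (hex); openssl ca increments it
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = enterprise_ca
[ enterprise_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
policy          = policy_any
# SAN etc. come from the CSR (the -extensions section wins for duplicates): read foreign CSRs first
copy_extensions = copy
[ policy_any ]
commonName       = supplied
countryName      = optional
organizationName = optional
emailAddress     = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ root_ca_extensions ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ca_extensions ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ server_ca_extensions ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}
create_ca() {
    write_config
    openssl genrsa -aes256 -passout env:ROOT_CA_PWD -out "$ROOT_CA_KEY" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -config "$CA_CNF" -extensions root_ca_extensions \
        -key "$ROOT_CA_KEY" -passin env:ROOT_CA_PWD -subj "$SUBJ_BASE/CN=Example Root CA" -out "$ROOT_CA_CRT"
}
# $1 = path prefix, $2 = CN, $3 = e-mail. Writes $1.key (unencrypted because of -nodes) and $1.csr.
new_client_request() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config "$CA_CNF" -keyout "$1.key" \
        -out "$1.csr" -subj "$SUBJ_BASE/CN=$2/emailAddress=$3" 2>/dev/null
}
# $1 = path prefix, $2 = FQDN. Clients match the host name against the SAN, not the CN.
new_server_request() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config "$CA_CNF" -keyout "$1.key" \
        -out "$1.csr" -subj "$SUBJ_BASE/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}
# $1 = csr, $2 = crt, $3 = extension section. Checks the CSR's own signature before signing.
sign_request() {
    openssl req -in "$1" -noout -verify 2>/dev/null
    openssl ca -config "$CA_CNF" -keyfile "$ROOT_CA_KEY" -cert "$ROOT_CA_CRT" -passin env:ROOT_CA_PWD \
        -extensions "$3" -md sha256 -days 365 -notext -batch -in "$1" -out "$2" 2>>"$CA_DIR/ca.log"
}
# $1 = crt, $2 = sslclient | sslserver. Succeeds only if the cert chains to our root AND
# its keyUsage/extendedKeyUsage allow that purpose.
check_cert() {
    openssl verify -CAfile "$ROOT_CA_CRT" -purpose "$2" "$1" 2>/dev/null | grep -q ': OK$'
}
main() {
    create_ca
    new_client_request "$CA_DIR/crm" "CRM" "crm@example.invalid"
    sign_request "$CA_DIR/crm.csr" "$CA_DIR/crm.crt" client_ca_extensions
    new_server_request "$CA_DIR/api" "api.example.invalid"
    sign_request "$CA_DIR/api.csr" "$CA_DIR/api.crt" server_ca_extensions
    # third use case: only the CSR arrives from another host, its private key stays there
    new_server_request "$CA_DIR/other" "other.example.invalid"
    rm "$CA_DIR/other.key"
    sign_request "$CA_DIR/other.csr" "$CA_DIR/other.crt" server_ca_extensions
    check_cert "$CA_DIR/crm.crt" sslclient
    check_cert "$CA_DIR/api.crt" sslserver
    echo "CA and issued certificates are under $CA_DIR (log: $CA_DIR/ca.log)"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it with sh enterprise-ca.sh run; the CA lands in a fresh mktemp directory unless CA_DIR is set, and the chatter of openssl ca goes to ca.log, which doubles as a record of what was issued. check_cert relies on openssl verify -purpose, so a client certificate fails the sslserver check and a host certificate fails the sslclient check, which is exactly the separation the extendedKeyUsage settings are meant to enforce. sign_request only verifies the CSR's signature; because copy_extensions is enabled, an operator still has to read openssl req -noout -text of a foreign CSR before signing it.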
Bernhard Mähr @ OPITZ-CONSULTING published at http://thecattlecrew.wordpress.com/