(http://pintday.org/hack/crypto/ca.shtml)

Throughout this section, wherever you see 2048, you can substitute any bit count, though a power of two is preferred (e.g. 1024, 2048, etc.), as most code is optimized to operate quickly on bit-aligned numbers. The higher the better; 2048 is usually the best balance between speed and security at the moment.

  • Note: When creating DSA keys and certificates for webservers, be sure to choose a key size between 512 and 1024 bits. Firefox doesn't like 2048 bit DSA server keys.
  • Note: When creating an RSA CA structure, do not create any keys larger than 8192 bits. Firefox complains of an invalid signature.
  • -out specifies the file to write to.
  • -des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method. Pick one.

    These will automatically prompt for a passphrase.


RSA Key Handling

  • Generate unencrypted RSA key:
openssl genrsa -out server.key 2048
  • Generate encrypted RSA key (with passphrase):
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048
  • Encrypt an existing RSA key:
openssl rsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrypted.key
  • Decrypt an existing RSA key:
openssl rsa -in server.key -out server-decrypted.key

DSA Key Handling

  • Generate DSA parameters (Can be used to generate multiple keys):
openssl dsaparam -out dsaparm.prm 2048
  • Generate unencrypted DSA key (requires DSA parameters):
openssl gendsa -out server.key dsaparm.prm
  • Generate encrypted DSA key (requires DSA parameters):
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm
  • Encrypt an existing DSA key:
openssl dsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrypted.key
  • Decrypt an existing DSA key:
openssl dsa -in server.key -out server-decrypted.key

Certificate Handling

  • Generate self-signed certificate from an existing key:
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt
  • Generate a self-signed certificate and a brand new key all at once:
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
  • Generate a CA-style root certificate:
openssl req -config ca.conf -days 3650 -x509 -newkey rsa:8192 -out certauth.crt -outform PEM

Make sure you set up a proper path structure and root_ca_distinguished_name in ca.conf beforehand, or else strange things may occur.

  • Generate signing request:
openssl req -new -key server.key -out server.csr
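  • Sign certificate request with CA (the optional -extensions argument names an extensions section of ca.conf, such as server or client):
openssl ca -config ca.conf -in server.csr -out server.crt [-extensions <section>]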
  • Single-file PEM-encoded certificates:
cat server.key server.crt > server.pem
  • Browser-compatible client certificate
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
  • Initialize a Certificate Authority:
  • (These correspond to the paths and files set in the local_ca section of ca.conf.)
# create the serial file
echo "00" > serial
# create the index file
touch index.txt
# create and secure the CA private key subdir -- Put the CA private key in here.
mkdir private && chmod 700 private
# create the hashdir to hold all the certificates signed by this CA (for recovery and revocation purposes)
mkdir certs

Certificate Revocation Lists (CRLs)

  • Certificate revocations:
openssl ca -config ca.conf -revoke client.crt
openssl ca -config ca.conf -gencrl -out ca.crl
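
The issue, revoke and CRL steps above, run end to end against a throwaway CA and checked with openssl verify -crl_check, which the page does not cover. This is an added example, not part of the original page; the temporary directory, the subject names and the cut-down ca.conf are constructed for the demonstration.

```shell
# Added example: throwaway CA in a temp dir. All names and DNs are constructed.
ca_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'cd / && rm -rf "$d"' EXIT
  mkdir certs private && chmod 700 private && echo "01" > serial && touch index.txt
  cat > ca.conf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = .
certificate = $dir/certauth.crt
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_days = 30
default_crl_days = 7
default_md = sha256
policy = local_ca_policy
x509_extensions = server
[ local_ca_policy ]
commonName = supplied
[ server ]
basicConstraints = CA:false
[ req ]
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = Example Test Root CA
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
  {  # root certificate, server CSR, then the CA signs the CSR
    openssl req -config ca.conf -x509 -nodes -sha256 -days 30 -newkey rsa:2048 \
      -keyout private/cakey.pem -out certauth.crt &&
    openssl req -config ca.conf -new -nodes -newkey rsa:2048 \
      -subj "/CN=server.example.test" -keyout server.key -out server.csr &&
    openssl ca -batch -notext -config ca.conf -in server.csr -out server.crt
  } >/dev/null 2>&1 || { echo "setup failed"; exit 1; }
  check() { openssl verify -crl_check -CAfile certauth.crt -CRLfile ca.crl \
    server.crt >/dev/null 2>&1 && echo valid || echo rejected; }
  openssl ca -config ca.conf -gencrl -out ca.crl >/dev/null 2>&1   # empty CRL
  before=$(check)
  openssl ca -config ca.conf -revoke server.crt >/dev/null 2>&1
  openssl ca -config ca.conf -gencrl -out ca.crl >/dev/null 2>&1   # lists serial 01
  echo "before=$before after=$(check)"
)
ca_demo   # prints: before=valid after=rejected
```

A client only sees the revocation if it is given the regenerated ca.crl and asked to check it; without -crl_check the revoked certificate still verifies.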

Makefiles for Apache hash directories
Makefile.crt
Makefile.crl

Makefile for CA batch signing and CSR generation
Makefile

Another ca.conf

Sample ca.conf:

#
# Default configuration to use  when one
# is not provided on the command line.
#
[ ca ]
default_ca      = local_ca

#
# Default location  of  directories  and
# files needed to generate certificates.
#
[ local_ca ]
dir             = /usr/www/CertAuth
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial

#
# Default   expiration   and  encryption
# policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
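# MD5 is collision-prone and MD5-signed certificates are rejected by
# current TLS clients; sign with SHA-256.
default_md              = sha256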

policy          = local_ca_policy
x509_extensions = local_ca_extensions

#
# Default policy to use  when generating
# server   certificates.  The  following
# fields  must  be defined in the server
# certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

#
# x509 extensions to use when generating
# server certificates.
#
[ local_ca_extensions ]
#subjectAltName          = DNS:altname.somewhere.com
basicConstraints        = CA:false
nsCertType              = server

#
# The   default   policy   to  use  when
# generating the root certificate.
#
[ req ]
default_bits    = 2048
default_keyfile = /usr/www/CertAuth/privkey.pem
# SHA-256 rather than MD5, which current TLS clients reject.
default_md      = sha256

prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

#
# Root Certificate Authority distinguished
# name.  Change these fields to match
# your local environment.
#
[ root_ca_distinguished_name ]
commonName              = CyberLeo.Net
stateOrProvinceName     = Wisconsin
countryName             = US
emailAddress            = cyberleo@cyberleo.net
organizationName        = CyberLeo.Net

[ root_ca_extensions ]
basicConstraints        = CA:true

[ protomuck ]
basicConstraints        = CA:false
nsCertType              = server

[ server ]
basicConstraints        = CA:false
nsCertType              = server

[ client ]
basicConstraints        = CA:false
nsCertType              = client