CDNWiki - View Source: OpenSSL

(http://pintday.org/hack/crypto/ca.shtml)

Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048, etc) as most code is optimized to operate quickly on bit-aligned numbers. The higher the better, 2048 is usually the best balance between speed and security at the moment.

* Note: When creating DSA keys and certificates for webservers, be sure to choose a key size between 512 and 1024 bits. Firefox doesn't like 2048 bit DSA server keys.
* Note: When creating an RSA CA structure, do not create any keys larger than 8192 bits. Firefox complains with invalid signature.

-out specifies the file to write to.<br>
-des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method. Pick one.<br>
  These will automatically prompt for a passphrase.<br>

----
*RSA* *key* *handling*

* Generate unencrypted RSA key:
<verbatim>
openssl genrsa -out server.key 2048
</verbatim>

* Generate encrypted RSA key (with passphrase):
<verbatim>
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048
</verbatim>

* Encrypt an existing RSA key
<verbatim>
openssl rsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrpyted.key
</verbatim>

* Decrpyt an existing RSA key
<verbatim>
openssl rsa -in server.key server-decrypted.key
</verbatim>

*DSA* *Key* *Handling*

* Generate DSA parameters (Can be used to generate multiple keys):
<verbatim>
openssl dsaparam -out dsaparm.prm 2048
</verbatim>

* Generate unencrypted DSA key (requires DSA parameters):
<verbatim>
openssl gendsa -out server.key dsaparm.prm
</verbatim>

* Generate encrypted DSA key (requires DSA parameters):
<verbatim>
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm
</verbatim>

* Encrypt an existing DSA key
<verbatim>
openssl dsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrpyted.key
</verbatim>

* Decrypt an existing DSA key
<verbatim>
openssl dsa -in server.key server-decrypted.key
</verbatim>

*Certificate* *Handling*

* Generate self-signed certificate from an existing key:
<verbatim>
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt
</verbatim>

* Generate a self-signed certificate and a brand new key all at once:
<verbatim>
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
</verbatim>

* Generate a CA-style root certificate:
<verbatim>
openssl req -config ca.conf -days 3650 -x509 -newkey rsa:8192 -out certauth.crt -outform PEM
</verbatim>
<sub>Make sure you set up a proper path structure and root_ca_distinguished_name in ca.conf beforehand, or else strange things may occur.</sub>

* Generate signing request:
<verbatim>
openssl req -new -key server.key -out server.csr
</verbatim>

* Sign certificate request with CA:
<verbatim>
openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>)
</verbatim>

* Single-file PEM-encoded certificates:
<verbatim>
cat server.key server.crt > server.pem
</verbatim>

* Browser-compatible client certificate
<verbatim>
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
</verbatim>

* Initilize a Certificate Authority:<br>
* (These correspond to the paths and files set in the local_ca section of ca.conf
<verbatim>
# create the serial file
echo "00" > serial
# create the index file
touch index.txt
# create and secure the CA private key subdir -- Put the CA private key in here.
mkdir private && chmod 700 private
# create the hashdir to hold all the certificates signed by this CA (for recovery and revocation purposes)
mkdir certs
</verbatim>

*Certificate* *Revocation* *Lists* *(CRLs)*

* Certificate revocations:
<verbatim>
openssl ca -config ca.conf -revoke client.crt
openssl ca -config ca.conf -gencrl -out ca.crl
</verbatim>

*Makefiles* *for* *Apache* *hash* *directories* <br>
[Makefile.crt|OpenSSL/Makefile.crt]<br>
[Makefile.crl|OpenSSL/Makefile.crl]<br>

*Makefile* *for* *CA* *batch* *signing* *and* *CSR* *generation* <br>
[Makefile|OpenSSL/Makefile]<br>

Another [ca.conf|OpenSSL/ca.conf]

Sample ca.conf:
<verbatim>
#
# Default configuration to use  when one
# is not provided on the command line.
#
[ ca ]
default_ca      = local_ca

#
# Default location  of  directories  and
# files needed to generate certificates.
#
[ local_ca ]
dir             = /usr/www/CertAuth
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial

#
# Default   expiration   and  encryption
# policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = md5

policy          = local_ca_policy
x509_extensions = local_ca_extensions

#
# Default policy to use  when generating
# server   certificates.  The  following
# fields  must  be defined in the server
# certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

#
# x509 extensions to use when generating
# server certificates.
#
[ local_ca_extensions ]
#subjectAltName          = DNS:altname.somewhere.com
basicConstraints        = CA:false
nsCertType              = server

#
# The   default   policy   to  use  when
# generating the root certificate.
#
[ req ]
default_bits    = 2048
default_keyfile = /usr/www/CertAuth/privkey.pem
default_md      = md5

prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

#
# Root  Certificate  Authority   distin-
# guished name.  Changes these fields to
# your local environment.
#
[ root_ca_distinguished_name ]
commonName              = CyberLeo.Net
stateOrProvinceName     = Wisconsin
countryName             = US
emailAddress            = cyberleo@cyberleo.net
organizationName        = CyberLeo.Net

[ root_ca_extensions ]
basicConstraints        = CA:true

[ protomuck ]
basicConstraints        = CA:false
nsCertType              = server

[ server ]
basicConstraints        = CA:false
nsCertType              = server

[ client ]
basicConstraints        = CA:false
nsCertType              = client
</verbatim>