(http://pintday.org/hack/crypto/ca.shtml)
Throughout this section, wherever you see 2048, it can be replaced with any bit count, though a power of two is preferred (e.g. 1024, 2048) because most code is optimized to operate quickly on bit-aligned numbers. Higher is better; 2048 is usually the best balance between speed and security at the moment.
- Note: When creating DSA keys and certificates for webservers, be sure to choose a key size between 512 and 1024 bits. Firefox doesn't like 2048 bit DSA server keys.
- Note: When creating an RSA CA structure, do not create any keys larger than 8192 bits. Firefox complains of an invalid signature.
- -out specifies the file to write to.
- -des|-des3|-aes128|-aes192|-aes256 chooses the key encryption method. Pick one. These will automatically prompt for a passphrase.
RSA Key Handling
- Generate unencrypted RSA key:
openssl genrsa -out server.key 2048
- Generate encrypted RSA key (with passphrase):
openssl genrsa -des|-des3|-aes128|-aes192|-aes256 -out server.key 2048
- Encrypt an existing RSA key:
openssl rsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrypted.key
- Decrypt an existing RSA key:
openssl rsa -in server.key -out server-decrypted.key
DSA Key Handling
- Generate DSA parameters (Can be used to generate multiple keys):
openssl dsaparam -out dsaparm.prm 2048
- Generate unencrypted DSA key (requires DSA parameters):
openssl gendsa -out server.key dsaparm.prm
- Generate encrypted DSA key (requires DSA parameters):
openssl gendsa -des|-des3|-aes128|-aes192|-aes256 -out server.key dsaparm.prm
- Encrypt an existing DSA key:
openssl dsa -in server.key -des|-des3|-aes128|-aes192|-aes256 -out server-encrypted.key
- Decrypt an existing DSA key:
openssl dsa -in server.key -out server-decrypted.key
Certificate Handling
- Generate self-signed certificate from an existing key:
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt
- Generate a self-signed certificate and a brand new key all at once:
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
- Generate a CA-style root certificate:
openssl req -config ca.conf -days 3650 -x509 -newkey rsa:8192 -out certauth.crt -outform PEM
Make sure you set up a proper path structure and root_ca_distinguished_name in ca.conf beforehand, or else strange things may occur.
- Generate signing request:
openssl req -new -key server.key -out server.csr
- Sign certificate request with CA:
openssl ca -config ca.conf -in server.csr -out server.crt (-extensions <policy>)
- Single-file PEM-encoded certificates:
cat server.key server.crt > server.pem
- Browser-compatible client certificate
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
- Initialize a Certificate Authority:
- (These correspond to the paths and files set in the local_ca section of ca.conf.)
    # create the serial file
    echo "00" > serial
    # create the index file
    touch index.txt
    # create and secure the CA private key subdir -- put the CA private key in here
    mkdir private && chmod 700 private
    # create the hashdir to hold all the certificates signed by this CA (for recovery and revocation purposes)
    mkdir certs
Certificate Revocation Lists (CRLs)
- Certificate revocations:
openssl ca -config ca.conf -revoke client.crt
openssl ca -config ca.conf -gencrl -out ca.crl
Makefiles for Apache hash directories
Makefile.crt
Makefile.crl
Makefile for CA batch signing and CSR generation
Makefile
Another ca.conf
Sample ca.conf:
    #
    # Default configuration to use when one
    # is not provided on the command line.
    #
    [ ca ]
    default_ca = local_ca

    #
    # Default location of directories and
    # files needed to generate certificates.
    #
    [ local_ca ]
    dir = /usr/www/CertAuth
    certificate = $dir/cacert.pem
    database = $dir/index.txt
    new_certs_dir = $dir/certs
    private_key = $dir/private/cakey.pem
    serial = $dir/serial

    #
    # Default expiration and encryption
    # policies for certificates.
    #
    default_crl_days = 365
    default_days = 1825
    # Digest "openssl ca" signs with; sha256 matches the -sha256 used in
    # the req commands above. MD5-signed certificates are rejected by
    # current clients.
    default_md = sha256
    policy = local_ca_policy
    x509_extensions = local_ca_extensions

    #
    # Default policy to use when generating
    # server certificates. The following
    # fields must be defined in the server
    # certificate.
    #
    [ local_ca_policy ]
    commonName = supplied
    stateOrProvinceName = supplied
    countryName = supplied
    emailAddress = supplied
    organizationName = supplied
    organizationalUnitName = optional

    #
    # x509 extensions to use when generating
    # server certificates.
    #
    [ local_ca_extensions ]
    #subjectAltName = DNS:altname.somewhere.com
    basicConstraints = CA:false
    nsCertType = server

    #
    # The default policy to use when
    # generating the root certificate.
    #
    [ req ]
    default_bits = 2048
    default_keyfile = /usr/www/CertAuth/privkey.pem
    default_md = sha256
    prompt = no
    distinguished_name = root_ca_distinguished_name
    x509_extensions = root_ca_extensions

    #
    # Root Certificate Authority distinguished
    # name. Change these fields to match
    # your local environment.
    #
    [ root_ca_distinguished_name ]
    commonName = CyberLeo.Net
    stateOrProvinceName = Wisconsin
    countryName = US
    emailAddress = cyberleo@cyberleo.net
    organizationName = CyberLeo.Net

    [ root_ca_extensions ]
    basicConstraints = CA:true

    [ protomuck ]
    basicConstraints = CA:false
    nsCertType = server

    [ server ]
    basicConstraints = CA:false
    nsCertType = server

    [ client ]
    basicConstraints = CA:false
    nsCertType = client
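An added check, not part of the original page, for the two ca.conf defaults that apply when nothing is given on the command line: default_md (the digest used for signing) and default_bits (the key size openssl req generates). The function name, the finding labels, the weak-digest list and the 2048-bit floor are assumptions of this example, and the sample config is constructed.

```shell
#!/bin/sh
# lint_ca_conf FILE: print one finding per weak default; return 1 if any found.
# Thresholds are assumptions of this example: md2/md4/md5/sha1 count as weak
# digests, and 2048 bits (the size used throughout this page) is the floor.
lint_ca_conf() {
    awk '
        { sub(/[ \t]*#.*/, "") }                  # drop comments
        /^[ \t]*\[/ {                             # section header: remember its name
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "default_md" && tolower(val) ~ /^(md2|md4|md5|sha1)$/) {
                printf "%s:%d: [%s] WEAK_DIGEST default_md=%s\n", FILENAME, NR, sec, val
                bad = 1
            }
            if (key == "default_bits" && val + 0 < 2048) {
                printf "%s:%d: [%s] SHORT_KEY default_bits=%s\n", FILENAME, NR, sec, val
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not the page's ca.conf): two weak digests, one short key.
sample_conf() {
    cat <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
default_days = 1825
default_md = md5        # digest "openssl ca" signs with
[ req ]
default_bits = 1024
default_md = MD5
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
lint_ca_conf "$tmp" || echo "weak defaults found"
rm -f "$tmp"
```

Run it against a real file with `lint_ca_conf ca.conf` before signing anything; a non-zero return means at least one default needs changing.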