If you want a full-blown official SSL certificate for your site, you can buy one from commercial companies like Thawte or VeriSign, or request a free certificate from CAcert or StartSSL (the latter, by the way, has its root certificate added by default in Internet Explorer and Firefox). However, the cheapest and fastest option is to run your own certificate authority. Here we go!
Setup CA directory and initial contents
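# Lay out the CA working directory under /etc/pki/ca.
cd /etc/pki
# Private keys live in ca/private, accessible to root only.
mkdir -p ca/private
chmod 700 ca/private
# Point the conventional /etc/pki/CA name at our directory. Move an existing
# CA directory aside instead of deleting it: it may hold a previous CA's key,
# issuance database and issued certificates.
if [ -e CA ] && [ ! -L CA ]; then
    mv CA CA.orig
fi
rm -f CA
ln -s ca CA
cd ca
# Serial number (hex) of the first certificate to be issued.
echo 1001 > ca.srl
# Referenced from ca.conf as crl_dir, certs and new_certs_dir.
mkdir crl certs newcerts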
touch index.txt crl.pem
Create configuration files for requests and CA signing
# Create the two OpenSSL configuration files: ca.conf drives "openssl ca"
# (signing, revocation, CRL generation), req.conf drives "openssl req"
# (certificate requests). Each cat waits on stdin: paste the corresponding
# file shown below (ourdom-ca.conf / ourdom-req.conf) and finish with Ctrl-D.
cat > ca.conf
cat > req.conf
chmod 600 ca.conf req.conf
Edit ca.conf (section [root_ca_distinguished_name]) and req.conf (section [req_distinguished_name], default values) and substitute your own parameters:
# In req.conf the same keys carry a "_default" suffix (countryName_default, ...).
# Two-letter country code; req.conf enforces exactly two characters.
countryName = RU
stateOrProvinceName = Moscow
localityName = Moscow
# The "0." prefix indexes the key so that OpenSSL can accept more than one
# organizationName entry in a section.
0.organizationName = Our Dom Msk
name = Our Dom
emailAddress = postmaster@ourdom.com
emailAddress = postmaster@ourdom.com
In the CA configuration also substitute:
# Subject common name of the CA certificate itself
# ([root_ca_distinguished_name] in ca.conf).
commonName = Our Dom CA
organizationalUnitName = Certificate Authority
Create the signing script
# The signing helper (auto-sign.sh, shown below). cat waits on stdin: paste
# the script and finish with Ctrl-D.
cat > /etc/pki/ca/auto-sign
chmod 700 /etc/pki/ca/auto-sign
Create the private key and self-signed certificate
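# Generate the CA private key, protected by a passphrase. AES-256 replaces
# the legacy 3DES (-des3) key encryption; openssl prompts for the passphrase.
openssl genrsa -aes256 -out private/ca.key 2048
#   Enter pass phrase for private/ca.key:
# Self-sign the CA certificate (3652 days) from the [req] and
# [root_ca_distinguished_name] sections of ca.conf; the signature digest is
# default_md from [req]. The key passphrase is prompted for again.
openssl req -new -key private/ca.key -x509 -days 3652 -out ca.crt -config ca.conf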
Enter pass phrase for private/ca.key: pass123
Create the text annotation, DER encoding and fingerprint of the certificate
# Human-readable dump of the CA certificate followed by its PEM body.
openssl x509 -in ca.crt -text -out ca.txt.crt
# Binary (DER) copy of the same certificate.
openssl x509 -in ca.crt -inform PEM -out ca.der -outform DER
openssl x509 -fingerprint -sha1 -noout -in ca.crt > ca.fgp
Proceed to the sections listed under "Related links" to configure SSL in web, mail or other services.
ourdom-ca.conf
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.
#
# http://sial.org/howto/openssl/ca/
# http://www.openssl.org/docs/apps/ca.html
#HOME = .
#RANDFILE = $ENV::HOME/.rnd
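[ ca ]
# Section "openssl ca" uses unless -name is given.
default_ca = Our_CA

[ Our_CA ]
# All paths are relative to the CA directory; auto-sign.sh cd's into
# /etc/pki/ca before running "openssl ca".
dir = .
# Unused at present; the handful of issued certs can be kept in the current dir.
certs = $dir/certs
# Every issued certificate is also written here, named after its serial.
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
# Issuance database (index.txt), one line per certificate.
database = $dir/index.txt
certificate = $dir/ca.crt
# Next serial number, hex.
serial = $dir/ca.srl
crl = $dir/crl.pem
private_key = $dir/private/ca.key
RANDFILE = $dir/private/.rand
# Extensions added to every certificate this CA signs.
x509_extensions = usr_cert
# Extensions added to generated CRLs (see [ crl_ext ]); without this line
# that section is never used.
crl_extensions = crl_ext
# Make new requests easier to sign: allow two valid certificates with the
# same subject (alternatively revoke the old certificate first).
unique_subject = no
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default
cert_opt = ca_default
# Validity of generated CRLs, in days.
default_crl_days = 30
# Default validity of issued certificates, in days. 3652 (10 years) keeps
# the howto's original value; some clients (e.g. Apple platforms) reject TLS
# server certificates valid for more than 825 days, so consider a shorter
# period for server certificates.
default_days = 3652
# Signature digest. sha1 (the previous value) is rejected by current
# browsers and TLS libraries; sha256 is the minimum accepted today.
default_md = sha256
# MSIE may need following set to yes?
preserve = no
# How closely a request's subject must resemble the CA's: see
# [ policy_match ]. "match" fields must equal the CA certificate's,
# "supplied" fields must be present, "optional" fields may be absent.
policy = policy_match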
# For the CA policy
# Selected by "policy = policy_match" in [ Our_CA ]: countryName,
# stateOrProvinceName and organizationName of a request must equal the CA
# certificate's, commonName must be present, the rest may be absent.
# localityName and name (both defaulted in req.conf) are not listed here;
# NOTE(review): confirm how "openssl ca" treats request fields absent from
# the policy before relying on them appearing in issued certificates.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# Not referenced from [ Our_CA ]; switch "policy" to policy_anything to
# sign requests whose subject does not match the CA's.
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
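####################################################################
# Settings for "openssl req"; in this file they serve only to self-sign
# the CA certificate (openssl req -new -x509 -config ca.conf).
[ req ]
default_bits = 2048
# Only used when req generates a key itself. The howto passes
# -key private/ca.key explicitly; keep the name consistent with
# private_key in [ Our_CA ] anyway.
default_keyfile = ./private/ca.key
# Digest of the self-signed CA certificate. sha1 is no longer accepted by
# current browsers; sha256 at minimum.
default_md = sha256
# Take the subject from [ root_ca_distinguished_name ] without prompting.
prompt = no
distinguished_name = root_ca_distinguished_name
# Extensions for the self-signed certificate (-x509).
x509_extensions = v3_ca
# Passwords for private keys; if not present they will be prompted for.
# Leave them commented: setting them stores a secret in plain text.
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings (what the stock openssl.cnf uses today).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# nombstr is kept so the CA subject is encoded the same way as requests
# produced with req.conf, which uses the same mask.
string_mask = nombstr
# req_extensions = v3_req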
# Subject of the self-signed CA certificate; fields are emitted in this
# order. countryName, stateOrProvinceName and organizationName must equal
# the values requests will carry, since [ policy_match ] compares them.
[ root_ca_distinguished_name ]
commonName = Our Dom CA
countryName = RU
stateOrProvinceName = Moscow
localityName = Moscow
# "0." indexes the key so that several organizationName entries can coexist.
0.organizationName = Our Dom Msk
organizationalUnitName = Certificate Authority
name = Our Dom
emailAddress = postmaster@ourdom.com
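# Extensions added to every end-entity certificate when "openssl ca" signs
# a request (x509_extensions = usr_cert in [ Our_CA ]).
[ usr_cert ]
# Marks the certificate as not a CA. This goes against PKIX guidelines
# (the extension may be omitted for end entities) but some software requires
# it to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE
# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# Standard CRL distribution point (RFC 5280). nsCaRevocationUrl below is the
# legacy Netscape equivalent, kept for old clients.
crlDistributionPoints = URI:https://www.ourdom.com/crl.pem
nsCaRevocationUrl = https://www.ourdom.com/crl.pem
# Current browsers ignore the subject commonName and require a
# subjectAltName on server certificates. req.conf does not add one, so
# supply it when issuing a server certificate, e.g.
# subjectAltName = DNS:www.ourdom.com
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName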
[ v3_req ]
# Extensions to add to a certificate request. Only used if
# "req_extensions = v3_req" is uncommented in [ req ].
basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
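# Extensions for the self-signed CA certificate (x509_extensions = v3_ca
# in [ req ]).
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# RFC 5280 requires basicConstraints to be critical in CA certificates.
# The original left it non-critical for software that choked on critical
# extensions; current clients handle it.
basicConstraints = critical, CA:true
# Limit what the CA key may be used for: signing certificates and CRLs.
# Clients that check keyUsage refuse a CA certificate presented as a TLS
# endpoint identity.
keyUsage = critical, cRLSign, keyCertSign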
# CRL extensions. Applied only if [ Our_CA ] sets
# "crl_extensions = crl_ext".
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
ourdom-req.conf
#
# generation of certificate requests.
#
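# Settings for "openssl req" when auto-sign.sh builds a certificate request
# (openssl req -new -key "$CN.key" -out "$CN.csr" -config req.conf).
[ req ]
default_bits = 2048
# Digest used to sign the request. Without it the digest depends on the
# OpenSSL build's default (sha1 on older releases).
default_md = sha256
# Prompt for the subject using the labels and defaults in
# [ req_distinguished_name ].
distinguished_name = req_distinguished_name
# Extra request attributes (challenge password, optional company name).
attributes = req_attributes
# PrintableString/T61String only, matching string_mask in ca.conf.
string_mask = nombstr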
# Prompt labels, defaults and length limits for the request subject.
# Fields are prompted in this order; "<field>_default" is offered as the
# answer, "<field>_min" / "<field>_max" bound the accepted length.
[ req_distinguished_name ]
countryName_default = RU
stateOrProvinceName_default = Moscow
localityName_default = Moscow
# "0." indexes the key so that several organizationName entries can coexist.
0.organizationName_default = Our Dom Msk
name_default = Our Dom
emailAddress_default = postmaster@ourdom.com
# Uncomment to take OU / CN from the environment instead of prompting.
# auto-sign.sh does not export these variables, so they stay disabled.
#organizationalUnitName_default = $ENV::KEY_OU
#commonName_default = $ENV::KEY_CN
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_min = 2
organizationalUnitName_max = 64
# The backslash presumably escapes the apostrophe for OpenSSL's config
# parser; the prompt should show a plain quote.
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_min = 2
commonName_max = 64
name = Name
name_min = 2
name_max = 64
emailAddress = Email Address
emailAddress_min = 2
emailAddress_max = 40
# Extra attributes prompted after the subject; either can be skipped by
# pressing Enter. Neither is referenced by ca.conf.
[ req_attributes ]
challengePassword = A challenge password
unstructuredName = An optional company name
auto-sign.sh
#!/bin/sh
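#set -x
# Usage: auto-sign key_dir key_name
# Generates <key_name>.key and <key_name>.csr in key_dir (unless the CSR
# already exists), shows the request for review, signs it with the CA in
# $CADIR and writes <key_name>.crt plus text, DER and fingerprint copies.

DIR="${1-}"
CN="${2-}"
CADIR="/etc/pki/ca"
KEYSIZE=2048

# Print a message on stderr and abort.
die() {
    echo "$@" >&2
    exit 1
}

[ -n "$CN" ] && [ -n "$DIR" ] || die "usage: $0 key_dir key_name"
[ -r "$CADIR/req.conf" ] && [ -r "$CADIR/ca.conf" ] || die "config not found"
# Absolute path: we cd into $CADIR later and refer back to the key dir.
DIR=$(readlink -f "$DIR")
[ -n "$DIR" ] && [ -d "$DIR" ] && [ -w "$DIR" ] || die "$DIR: key dir not found"
cd "$DIR" || die "$DIR: cannot enter key dir"

if [ -r "$CN.csr" ]; then
    printf '%s' "$CN.csr already exists. Do you want to use it [y/n] ? "
    read -r ans
    [ "$ans" = "y" ] || exit 1
else
    # umask 077 makes the key file private from the moment it is created,
    # rather than chmod-ing it after the fact.
    (umask 077 && openssl genrsa -out "$CN.key" "$KEYSIZE") || die "key generation failed"
    chmod 0600 "$CN.key"
    openssl req -new -key "$CN.key" -out "$CN.csr" -config "$CADIR/req.conf" || exit 1
    echo "request generated:"
fi

# Show the decoded request (subject, key size, attributes) for a manual
# check before anything is signed; -noout drops the base64 body.
if [ -x /usr/bin/less ]; then reader=less; else reader=more; fi
(
    echo "== press <q> when done =="
    openssl req -in "$CN.csr" -noout -text
) | "$reader"
echo "press <Enter> to continue or ^C to abort..."
read -r ans

cd "$CADIR" || die "$CADIR: cannot enter CA dir"
# -batch: no interactive confirmation, the operator reviewed the CSR above.
openssl ca -batch -config "$CADIR/ca.conf" -in "$DIR/$CN.csr" -out "$DIR/$CN.crt" || exit 1
echo "request signed"

cd "$DIR" || die "$DIR: cannot enter key dir"
# "openssl ca" writes a text dump ahead of the PEM block. Keep that as
# <name>.txt.crt and rewrite <name>.crt as a bare PEM certificate.
openssl x509 -in "$CN.crt" -text > "$CN.txt.crt"
openssl x509 -in "$CN.txt.crt" -out "$CN.crt"
openssl x509 -inform PEM -outform DER -in "$CN.crt" -out "$CN.der"
# SHA-256 fingerprint; SHA-1 fingerprints are no longer adequate for
# identifying a certificate.
openssl x509 -fingerprint -sha256 -noout -in "$CN.crt" > "$CN.fgp"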