This page describes the creation of a Public Key Infrastructure (PKI)
using openssl.
This PKI consists of:
Contents:
A Certificate Authority (CA) issues and revokes digital certificates for use by other parties.
It shall be located on a separate, secure server.
To store certificates, a directory structure shall be created under /etc/ssl
:
/etc/ssl/openssl.cnf |
OpenSSL configuration |
/etc/ssl/CA/ |
Certifcate authority |
/etc/ssl/CA/index.txt |
Log file |
/etc/ssl/CA/serial |
Serial number |
/etc/ssl/CA/private/ |
private keys |
/etc/ssl/CA/private/cakey.key |
private key of the CA |
/etc/ssl/CA/certs |
issued certificates |
/etc/ssl/CA/newcerts |
new certificates |
The files index.txt
and serial
shall be created
and serial
shall contain the first serial nummer, 01
:
touch /etc/ssl/CA/index.txt
cat 01 > /etc/ssl/CA/serial
In accordance with with Apache, the following file extensions are used:
.crt |
certificate |
.key |
(private) key |
Openssl uses .pem
as file extension for both types of keys and distuingishes them by file name:
Apache | openssl |
---|---|
private/cakey.key |
private/cakey.pem |
cacert.crt |
cacert.pem |
The OpenSSL configuration file /etc/ssl/openssl.cnf
only needs some minor changes:
dir |
= /etc/ssl/CA |
# Where everything is kept |
[ req_distinguished_name ]
In this section, company name, location, etc. are pre-set.
Clients use this information to verify the authenticity of the certificate.
For authentication and encryption, certificates are used.
Certificates may be protected by a pass phrase.
If a pass phrase is used with a CA or server certificate,
it is required to enter that pass phrase upon reboot or service restart.
Of course there is the CA.pl
script to generate certificates,
but I prefer to know what I'm doing.
The base certificate of the certificate authority with a validity of ten years is created by:
cd /etc/ssl/CA
openssl req -new -x509 -keyout cakey.key -out cacert.crt -days 3650
A Common Name (e.g., Security Guy root certifcate
) is required,
an e-mail address is recommended.
Two files result from this command, ca.cert
and cakey.key
.
The private key file cakey.key
shall be moved to the private/
subdirectory.
Create the key for a server (e.g., web or VPN server):
openssl req -nodes -days 3650 -new -keyout server.key -out server.csr
openssl ca -days 3650 -out server.crt -in server.csr
rm server.csr
chmod 700 server.key
A Common Name is required, e.g. Security Guy web server
.
No pass phrase is assigned to the server key (option -nodes
).
Client certificates are used to authenticate qualified clients or users against a server.
For each user, a separate key is created.
A validity of one year is recommended for client certificates,
with a common expiry date for all users (e.g. February 1st).
The expiry date is calculated to always end on the same date,
just the year needs to be adapted.
The Common Name should be the name of the user.
cd /etc/ssl/CA
expire=`date +%s -d 'Feb 1 00:00:00 UTC 2008'`
days=$(echo $expire `date +%s` - 60 / 60 / 24 / p |dc)
user=wimmer
openssl req -nodes -days $days -new -keyout ${user}.key -out ${user}.csr
openssl ca -days $days -out ${user}.crt -in ${user}.csr
chmod 700 ${user}.key
rm ${user}.csr
mv ${user}.* /etc/ssl/CA/certs/
If a key is created with the name of an already existing key
(e.g. due to a an error in a previous attempt),
the corresponding entry in /etc/ssl/CA/index.txt
shall be removed,
otherwise the key creation will fail.
The following files need to be transferred to the client:
${user}.key
(e.g. wimmer.key
)${user}.crt
(e.g. wimmer.crt
)cacert.crt
(certificate of the CA)If a certificate is to be used with a web browser,
it needs to be converted to pk12 format:
openssl pkcs12 -export -in ${user}.crt -inkey ${user}.key -out ${user}.p12
The resulting .p12 file contains the client certificate to be imported into the browser.
Further reading: