makewhatis

Random Linux Garble.

Setting Up a Simple Certificate Authority With OpenSSL

I’m studying for the RHCA exam 423, and one of my tasks is to setup TLS for Directory Server. I know RedHat like to follow standards, and am guessing that I will have to use a CA signed cert when setting this up. So in the name of doing things right, I’m going to setup a little CA that I can work with.

Setting up OpenSSL as a Certificate Authority

I set this CA up on Fedora 16, the official AMI on EC2.

Right out of the box OpenSSL is ready to act as a CA, so this was not that crazy. There is a perl script that does most of the heavy lifting for you.

The Prereqs

Install the CA.pl with the package openssl-perl

[root@ca ~] yum install openssl-perl

The Setup

First I looked to see what the default CA configuration was in the /etc/pki/tls/openssl.cnf.

[ CA_default ]  
dir = /etc/pki/CA # Where everything is kept  
certs = $dir/certs # Where the issued certs are kept  
crl_dir = $dir/crl # Where the issued crl are kept  
database = $dir/index.txt # database index file.  
#unique_subject = no # Set to 'no' to allow creation of  
new\_certs\_dir = $dir/newcerts # default place for new certs.  
certificate = $dir/cacert.pem # The CA certificate  
serial = $dir/serial # The current serial number  
crlnumber = $dir/crlnumber # the current crl number  
# must be commented out to leave a V1 CRL  
crl = $dir/crl.pem # The current CRL  
private_key = $dir/private/cakey.pem# The private key  
RANDFILE = $dir/private/.rand # private random number file  

x509_extensions = usr_cert # The extentions to add to the cert  

# Comment out the following two lines for the "traditional"  
# (and highly broken) format.  
name_opt = ca_default # Subject Name options  
cert_opt = ca_default # Certificate field options

So it looks like the default area for CA stuff is /etc/pki/CA. I saw a ton of guides out there doing things differently, but I find its generally nice to stay to the default the application maintainers steer you to, until you know why it should be different.

Looking in CA.pl I can see that they hard coded that path as well.

$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};  
$DAYS="-days 365"; # 1 year  
$CADAYS="-days 1095"; # 3 years  
$REQ="$openssl req $SSLEAY_CONFIG";  
$CA="$openssl ca $SSLEAY_CONFIG";  
$VERIFY="$openssl verify";  
$X509="$openssl x509";  
$PKCS12="$openssl pkcs12";  

$CATOP="/etc/pki/CA";  
$CAKEY="cakey.pem";  
$CAREQ="careq.pem";  
$CACERT="cacert.pem";  

$DIRMODE = 0777;  

$RET = ;

In that default directory there are already a few things that were created by default in Fedora, the script will create some directories of its own as well.

[root@ca ~] ls /etc/pki/CA/  
certs crl newcerts private

Change into the PKI directory that has the perl script, /etc/pki/tls/misc, and run the script

[root@ca ~] cd /etc/pki/tls/misc  
[root@ca misc] ./CA.pl -newca  
CA certificate filename (or enter to create)  

Making CA certificate ...  
Generating a 2048 bit RSA private key  
......................................   
...................................................................................................................................   
writing new private key to '/etc/pki/CA/private/cakey.pem'  
Enter PEM pass phrase:  
Verifying - Enter PEM pass phrase:  
\---|--  
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
\---|--  
Country Name (2 letter code) [XX]:US  
State or Province Name (full name) []:Arizona  
Locality Name (eg, city) [Default City]:Phoenix  
Organization Name (eg, company) [Default Company Ltd]:Makewhatis LLC  
Organizational Unit Name (eg, section) []:CA  
Common Name (eg, your name or your server's hostname) []:ca.makewhatis.com  
Email Address []:david@makewhatis.com  

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  
Using configuration from /etc/pki/tls/openssl.cnf  
Enter pass phrase for /etc/pki/CA/private/cakey.pem:  
Check that the request matches the signature  
Signature ok  
Certificate Details:  
Serial Number:  
b8:24:1e:f0:87:a0:79:2a  
Validity  
Not Before: Apr 8 04:33:15 2012 GMT  
Not After : Apr 8 04:33:15 2015 GMT  
Subject:  
countryName = US  
stateOrProvinceName = Arizona  
organizationName = Makewhatis LLC  
organizationalUnitName = CA  
commonName = ca.makewhatis.com  
emailAddress = david@makewhatis.com  
X509v3 extensions:  
X509v3 Subject Key Identifier:  
AF:CE:10:A2:B9:EE:6F:1B:F9:67:B0:11:23:DD:C7:02:20:45:E6:1B  
X509v3 Authority Key Identifier:  
keyid:AF:CE:10:A2:B9:EE:6F:1B:F9:67:B0:11:23:DD:C7:02:20:45:E6:1B  

X509v3 Basic Constraints:  
CA:TRUE  
Certificate is to be certified until Apr 8 04:33:15 2015 GMT (1095 days)  

Write out database with 1 new entries  
Data Base Updated

The previous script kicks out cacert.pem and private/cakey.pem, which make up your root certificate/key pair.

This is looking good. Now we can actually do some signing!

Client generates their key

[root@ca ~]# openssl genrsa 1024 > www.example.com.key  
Generating RSA private key, 1024 bit long modulus  
................................   
........   
e is 65537 (0x10001)

Then they generate their CSR (Certificate Signing Request)

[root@ca ~] openssl req -new -key www.example.com.key -out www.example.com.csr  
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
\---|--  
Country Name (2 letter code) [XX]:US  
State or Province Name (full name) []:Imagination Land  
Locality Name (eg, city) [Default City]:Up Top  
Organization Name (eg, company) [Default Company Ltd]:Make it So LLC  
Organizational Unit Name (eg, section) []:We dont  
Common Name (eg, your name or your server's hostname) []:www.example.com  
Email Address []:me@myownmind.ee  

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:

Make their certificate

Once the client has generated their CSR and sent it to us, we can actually sign a .crt file for them.

[root@ca ~]# openssl ca -policy policy_anything -out www.example.com.crt -infiles www.example.com.csr

So the client would need to make sure that they import the cacert into whatever application they are using this with. Again remember, this will throw errors if you try to just use it on the world wide webs, since your CA isn’t known by anything.

[root@ca ~] mkdir www.example.com.ssl  
[root@ca ~] cp www.example.com.crt www.example.com.ssl/  
[root@ca ~] cp /etc/pki/CA/cacert.crt www.example.com.ssl/makewhatis-ca.crt  
[root@ca ~] tar cvzf www.example.com.ssl.tar.gz www.example.com.ssl/

Now you can send that file over the the client computer, and they will have a nice signed cert.

(Of course update all this so you arent using my domain)