Copyright © 2004 Alexander Wintermans
I have yet to decide under which license this document can be redistributed.
This document is intended as instructions for creating your own certificate authority for signing certificates for use with all sorts of SSL connections (e.g. HTTPS, LDAPS). It is intended for small-scale work. It does not consider CRLs. The certificate authority may be used to sign any kind of certificate.
This document was made using the following (Debian) packages.

| Package | Version  |
|---------|----------|
| openssl | 0.9.7c-5 |
Create directory structure:
```sh
# mkdir /etc/certificateAuthority
# cd /etc/certificateAuthority
# mkdir certs
# mkdir private
# chmod 700 private
# echo '01' > serial
# touch index.txt
```
Edit /etc/ssl/openssl.cnf:
Change the following properties in the [CA_default] section:
```ini
dir             = /etc/certificateAuthority
new_certs_dir   = $dir/certs
copy_extensions = copy              # Only copy requested extensions
                                    # that are not defined in [usr_cert]
default_days    = 1825              # certification lasts 5 years
policy          = policy_anything
# Set display options
nameopt         = ca_default
certopt         = ca_default
```
Delete the following properties in the [CA_default] section:
```ini
certs   =
crl_dir =
crl     =
```
Change the following properties in the [req_distinguished_name] section as appropriate:
```ini
countryName_default         = NL
stateOrProvinceName_default = Noord Holland
localityName_default        = Amsterdam
0.organizationName_default  = joe.org
commonName_default          = J. Bloggs
emailAddress_default        = ca.admin@joe.org
```
Change the following properties in the [v3_ca] section:
```ini
keyUsage   = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
```
Create the certificate authority key:
```sh
# openssl genrsa -des3 -out private/cakey.pem 2048
```

Remember the pass phrase! Better yet, since you won't be needing it often (key signing is probably not an every-day activity for you), write it down somewhere safe.
Create the certificate authority's (self-signed) certificate:
```sh
# openssl req -new -x509 -key private/cakey.pem -days 1825 -out cacert.pem -outform PEM
# cp cacert.pem /etc/ssl/certs
```
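The CA setup above, from the directory layout through to the self-signed certificate, collected into one script. This is an added example, not code from the original document: it works in a scratch directory instead of /etc/certificateAuthority and /etc/ssl, writes a minimal openssl.cnf carrying the [CA_default] and [v3_ca] values given above instead of editing the system one, takes the pass phrase from the CA_PASS environment variable (-passout/-passin env:CA_PASS) rather than the interactive prompt, passes the subject with -subj, and ends with the checks a practitioner wants before trusting the new CA (key actually encrypted, certificate really a CA certificate, certificate verifies against itself). The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes: openssl on PATH,
# pass phrase in $CA_PASS, scratch directory passed as an argument.
set -eu

# Layout expected by [CA_default]: certs/, private/ (mode 700), a serial
# file starting at 01 and an empty index.txt (the certificate database).
ca_init_dir() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    chmod 700 "$dir/private"
    echo '01' > "$dir/serial"
    : > "$dir/index.txt"
}

# Minimal openssl.cnf with the [CA_default] and [v3_ca] values from the page.
# Subject fields are given with -subj, so [req_distinguished_name] stays empty.
ca_write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default

[ CA_default ]
dir                    = $dir
new_certs_dir          = \$dir/certs
database               = \$dir/index.txt
serial                 = \$dir/serial
private_key            = \$dir/private/cakey.pem
certificate            = \$dir/cacert.pem
copy_extensions        = copy
default_days           = 1825
policy                 = policy_anything
nameopt                = ca_default
certopt                = ca_default

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = cRLSign, keyCertSign
nsCertType             = sslCA, emailCA, objCA
EOF
}

# Pass-phrase protected CA key and a self-signed certificate valid 5 years.
ca_create() {
    dir=$1
    : "${CA_PASS:?set CA_PASS to the CA pass phrase}"
    (
        cd "$dir"
        openssl genrsa -des3 -passout env:CA_PASS -out private/cakey.pem 2048
        chmod 400 private/cakey.pem
        openssl req -config openssl.cnf -new -x509 -key private/cakey.pem \
            -passin env:CA_PASS -days 1825 \
            -subj '/C=NL/ST=Noord Holland/L=Amsterdam/O=joe.org/CN=J. Bloggs/emailAddress=ca.admin@joe.org' \
            -out cacert.pem -outform PEM
    )
}

# Sanity checks: key is encrypted on disk, certificate carries CA:TRUE and
# verifies against itself (returns non-zero if any check fails).
ca_check() {
    dir=$1
    grep -q ENCRYPTED "$dir/private/cakey.pem" || return 1
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cacert.pem" > /dev/null
}

# Usage: CA_PASS=... sh ca_setup.sh run   (builds the CA in a temporary directory)
if [ "${1:-}" = "run" ]; then
    CA_DIR=$(mktemp -d)
    ca_init_dir "$CA_DIR"
    ca_write_config "$CA_DIR"
    ca_create "$CA_DIR"
    ca_check "$CA_DIR" && echo "CA ready in $CA_DIR"
fi
```

The generated config also fills in database, serial, private_key and certificate, which the system openssl.cnf already defines relative to $dir; they are needed later by openssl ca and are what the serial and index.txt files created above are for.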
Create a certificate request configuration template:
```sh
# cp /etc/ssl/openssl.cnf /etc/ssl/openssl_server_req.template
```
Remove the following sections:
[ca]
[CA_default]
[policy_match]
[policy_anything]
[usr_cert]
[v3_ca]
[crl_ext]
Change the following properties in the [v3_req] section:
```ini
nsCertType     = server
subjectAltName = @altdns
```
Change the following properties in the [req] section:
```ini
default_bits      = 2048
default_keyfile   = /etc/ssl/private/SERVER_ID_key.pem
encrypt_key       = no
prompt            = no
# x509_extensions = v3_ca
req_extensions    = v3_req
```
Change the following properties in the [req_distinguished_name] section:
```ini
countryName         = NL
stateOrProvinceName = Noord Holland
localityName        = Amsterdam
organizationName    = joe.org
commonName          = SERVER_NAME
emailAddress        = SERVER_ID.admin@joe.org
```
Comment out the following properties in the [req_attributes] section:
```ini
# challengePassword =    # Not needed
# unstructuredName  =
```
Add a section [altdns] with the following properties:
```ini
DNS.1 = ALT_SERVER_NAME_1
DNS.2 = ALT_SERVER_NAME_2
DNS.3 = ALT_SERVER_NAME_3
```
This section demonstrates how to create a certificate for an SSL-enabled LDAP server.
Create a request configuration file:
```sh
# cp /etc/ssl/openssl_server_req.template /etc/ssl/ldap_req.cnf
```
Change the following property in the [req] section:
```ini
default_keyfile = /etc/ssl/private/ldap_key.pem
```
Change the following properties in the [req_distinguished_name] section:
```ini
commonName   = ldap.intra.net
emailAddress = ldap.admin@joe.org
```
Change the [altdns] section to add alternative names for the server (in case it has them):
```ini
DNS.1 = joesmachine.hisisp.net
DNS.2 = server1.intra.net
DNS.3 = ldap.joe.org
DNS.4 = localhost
IP.1  = 192.168.120.30
IP.2  = 163.61.64.62
IP.3  = 127.0.0.1
```
Generate the certificate request:
```sh
# cd
# openssl req -config /etc/ssl/ldap_req.cnf -newkey rsa:2048 -out ldapreq.pem -outform PEM
# chmod 400 /etc/ssl/private/ldap_key.pem
```
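The per-server request procedure (template, per-server request file, key and request generation) as one script, with a review step at the end. This is an added example and not code from the original document: it generates the request configuration directly from the values given above instead of copying and hand-editing the template, keeps everything under a scratch directory rather than /etc/ssl, and then prints the subjectAltName the CSR actually carries. That last step matters because the CA above sets copy_extensions = copy, so every name listed in the request ends up in the signed certificate; reading it back from the CSR, rather than from the config you think you used, is the cheap check before signing. The helper names are mine and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl on PATH and a
# scratch directory passed as $1; helper names are hypothetical.
set -eu

# Write a request config for one server.
#   $1 = output dir, $2 = server id (file names and admin address),
#   $3 = common name, remaining args = alternative names for [altdns].
# Prints the path of the generated config.
server_req_config() {
    dir=$1; id=$2; cn=$3; shift 3
    cfg="$dir/${id}_req.cnf"
    {
        cat <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = $dir/private/${id}_key.pem
encrypt_key        = no
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName         = NL
stateOrProvinceName = Noord Holland
localityName        = Amsterdam
organizationName    = joe.org
commonName          = $cn
emailAddress        = ${id}.admin@joe.org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
nsCertType       = server
subjectAltName   = @altdns

[ altdns ]
EOF
        # Sort each extra argument into a DNS.n or IP.n entry
        # (anything that is not just digits and dots is taken as a DNS name).
        dns=0; ip=0
        for name in "$@"; do
            case $name in
                *[!0-9.]*) dns=$((dns + 1)); echo "DNS.$dns = $name" ;;
                *)         ip=$((ip + 1));   echo "IP.$ip = $name" ;;
            esac
        done
    } > "$cfg"
    echo "$cfg"
}

# Generate the key (to default_keyfile, unencrypted because encrypt_key = no)
# and the request, then lock the key down as the page does with chmod 400.
server_req_generate() {
    dir=$1; id=$2
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    openssl req -config "$dir/${id}_req.cnf" -newkey rsa:2048 \
        -out "$dir/${id}req.pem" -outform PEM
    chmod 400 "$dir/private/${id}_key.pem"
}

# Print the subjectAltName line as it appears in the CSR, e.g.
# "DNS:ldap.joe.org, DNS:localhost, IP Address:127.0.0.1".
csr_san() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Usage: sh server_req.sh run   (LDAP server from the page, temporary directory)
if [ "${1:-}" = "run" ]; then
    WORK=$(mktemp -d)
    server_req_config "$WORK" ldap ldap.intra.net \
        joesmachine.hisisp.net server1.intra.net ldap.joe.org localhost \
        192.168.120.30 163.61.64.62 127.0.0.1
    server_req_generate "$WORK" ldap
    echo "Request: $WORK/ldapreq.pem"
    echo "Requested SAN: $(csr_san "$WORK/ldapreq.pem")"
fi
```

Compare the printed SAN line against the list of names the server really answers to; with copy_extensions = copy nothing else will filter them before they are signed.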