OK, this is a bit involved. I have been playing around with OpenSSL to create a three-level chain of CA certificates: a root, an intermediate and an issuing CA.
What I did to set up the root CA config was the following:
Code:
mkdir ~/CA
mkdir ~/CA/root
cd ~/CA/root
cp /usr/lib/ssl/openssl.cnf .
# directory layout that "openssl ca" expects under $dir
mkdir certs crl newcerts private
# empty certificate database and the first serial number
touch index.txt
echo "01" > serial
Edit the following values in openssl.cnf:
Code:
# in the default (top) section of the file
HOME = $ENV::HOME
# in the [ CA_default ] section
dir = $HOME/CA/root
default_days = 3650
# in the [ req ] section
default_bits = 4096
Set the remaining _default values in the [ req_distinguished_name ] section to the details you normally put in your certificates:
Code:
countryName_default
stateOrProvinceName_default
localityName_default
0.organizationName_default
organizationalUnitName_default
Here is what I did to make the intermediate and issuing CA config:
Code:
mkdir ~/CA/inter
mkdir ~/CA/issue
# copy the config and the empty database now, before any key exists under ~/CA/root
cp -R ~/CA/root/* ~/CA/inter/
cp -R ~/CA/root/* ~/CA/issue/
Edit the ~/CA/inter/openssl.cnf file as follows:
Code:
dir = $HOME/CA/inter
default_days = 1825
Edit the ~/CA/issue/openssl.cnf file as follows:
Code:
dir = $HOME/CA/issue
default_days = 730
default_bits = 2048
Now create the root, intermediate and issuing certificates.
The root CA cert:
Code:
cd ~/CA/root
# -des3 passphrase-protects the root key; the passphrase is prompted for on every signing
openssl genrsa -des3 -out private/cakey.pem 4096
# self-signed root. -nodes does nothing here because an existing key is supplied.
# SHA-1 signatures are rejected by current browsers and libraries; use -sha256 for anything real
openssl req -config openssl.cnf -new -x509 -nodes -sha1 -days 1825 -key private/cakey.pem -out cacert.pem
Intermediate cert:
Code:
cd ~/CA/inter/
openssl genrsa -des3 -out private/cakey.pem 4096
openssl req -config openssl.cnf -new -sha1 -key private/cakey.pem -out inter.csr
cp inter.csr ~/CA/root/
cd ../root/
# sign with the root; -extensions v3_ca marks the result as a CA (basicConstraints CA:TRUE).
# note: 3650 days outlives the 1825-day root above, so paths through this
# intermediate stop validating once the root expires
openssl ca -config openssl.cnf -extensions v3_ca -days 3650 -out inter.cer -in inter.csr
# copy only the certificate: "cp inter.*" would try to copy two files onto one file name and fail
cp inter.cer ~/CA/inter/cacert.pem
Issuing cert:
Code:
cd ~/CA/issue/
# genrsa has no -nodes option; leaving out -des3 already writes the key unencrypted
openssl genrsa -out private/cakey.pem 2048
openssl req -config openssl.cnf -new -sha1 -key private/cakey.pem -out issue.csr
cp issue.csr ~/CA/inter/
cd ~/CA/inter/
# sign with the intermediate, again as a CA certificate
openssl ca -config openssl.cnf -extensions v3_ca -days 3650 -out issue.cer -in issue.csr
cp issue.cer ~/CA/issue/cacert.pem
Once you have done this you have everything you need to sign your own certificates.
Just copy the CSR you want to sign into the ~/CA/issue directory and run the command:
Code:
# run from ~/CA/issue so that $dir in the config points at the issuing CA
openssl ca -config openssl.cnf -days 730 -out YourCert.cer -in YourCert.csr
Where YourCert.csr is the name of the CSR you just generated.
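As an added example that is not part of the original post, the script below builds the same root -> intermediate -> issuing layout non-interactively (signing with openssl x509 -req rather than the openssl ca database, so no config edits are needed) and then checks that a leaf validates against the root only when both intermediates are supplied. The directory argument, file names, subjects and lifetimes are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a disposable three-level
# chain (root -> inter -> issue -> leaf) and verify it. It signs with
# "openssl x509 -req -CA" instead of the "openssl ca" database used above.
# File names and subjects are assumptions; everything lands in the dir $1.
set -eu

# ca_ext FILE PATHLEN: extensions for a CA cert. pathlen:N caps how many
# further CA certs may sit below it (root needs 2, inter 1, issue 0).
ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\n' "$2" >"$1"
  printf 'keyUsage=critical,keyCertSign,cRLSign\n' >>"$1"
  printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' >>"$1"
}

# sign DIR NAME ISSUER DAYS EXTFILE: new key + CSR for NAME, signed by ISSUER.
sign() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$4" -in "$1/$2.csr" -CA "$1/$3.pem" \
    -CAkey "$1/$3.key" -CAcreateserial -extfile "$5" -out "$1/$2.pem" 2>/dev/null
}

# make_chain DIR: self-signed root, then inter, issue and one leaf. Each issuer
# lives at least as long as what it signs, unlike the 1825-day root above.
make_chain() {
  ca_ext "$1/ca2.ext" 2; ca_ext "$1/ca1.ext" 1; ca_ext "$1/ca0.ext" 0
  printf 'basicConstraints=critical,CA:FALSE\n' >"$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca2.ext" -out "$1/root.pem" 2>/dev/null
  sign "$1" inter root  1825 "$1/ca1.ext"
  sign "$1" issue inter 730  "$1/ca0.ext"
  sign "$1" leaf  issue 365  "$1/leaf.ext"
}

# verify_chain DIR: 0 if the leaf validates with root as the only trust
# anchor and inter+issue supplied as untrusted intermediates.
verify_chain() {
  cat "$1/inter.pem" "$1/issue.pem" >"$1/chain.pem"
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# leaf_needs_chain DIR: 0 if the leaf does NOT validate against the root
# alone, i.e. a server must send inter and issue along with its own cert.
leaf_needs_chain() {
  ! openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); . ./chain.sh; make_chain "$d"; verify_chain "$d" && echo chain OK`; the pathlen values matter, since a root limited to pathlen:1 would reject this two-intermediate path.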