Respect My (Certificate) Authority!

Now that we've got our environment set up, it's time to create the CA and issue some keys. Since OpenSSL is so complex, it works a little bit differently than the usual *NIX commands. Most notably, it has a handful of sub-commands (the first argument) that handle the details. \

To create a new key pair, first we create a "certificate request" (sub-command "req"). The certificate request is then sent off to be signed by the CA and becomes a bonafide public key. Creating the CA key pair starts off the same way we'd create a regular key pair, using the command below.

For most of the responses, you just hit the Enter key to accept the defaults we set up in the config file. Make sure to use a strong password for the CA key; it's the only thing standing between the hacker and your CA key if it's ever compromised.

~/CA $ openssl req -new -keyout private/cakey.pem -out careq.pem \
-config ./openssl.cnf
Generating a 2048 bit RSA private key
..........................................+++
...+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: pA55w0rD
Verifying - Enter PEM pass phrase: pA55w0rD
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [The Great State You Live In]:
Locality Name (eg, city) [My Town USA]:
Organization Name (eg, company) [SmallNetBuilder]:
Organizational Unit Name (eg, section) [Security Division]:
Common Name (eg, YOUR name) []:CA
Email Address []:you@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, we need to "self-sign" the certificate to turn it into a CA.

~/CA $ openssl ca -create_serial -out cacert.pem -keyfile private/cakey.pem \
-selfsign -extensions v3_ca -config ./openssl.cnf -in careq.pem
Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem: pA55w0rD
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f2:c8:4a:d0:f5:09:28:b7
        Validity
            Not Before: Oct 24 03:17:49 2007 GMT
            Not After : Oct 23 03:17:49 2008 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = The Great State You Live In
            organizationName          = SmallNetBuilder
            organizationalUnitName    = Security Division
            commonName                = CA
            emailAddress              = you@example.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02
            X509v3 Authority Key Identifier:
                keyid:D0:1E:BF:7B:A8:26:B9:98:B0:81:98:2E:E7:96:CA:57:3D:76:F3:02
                DirName:/C=US/ST=The Great State You Live In/O ...
                serial:F2:C8:4A:D0:F5:09:28:B7

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Oct 23 03:17:49 2008 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(Note that the DirName: line above was truncated [...] because it was too wide for most browser screens!)

In the command above, "-create_serial" (new in recent versions of OpenSSL) creates a hex serial number for this key. "-extensions" specifies the section of the openssl.cnf config file to look in for specific extensions to append to the newly created certificate (public key). In this case, we're using the v3_ca section which, among other things, contains this setting on line 234:

basicConstraints = CA:true

This allows the key to be used to sign other keys, acting as the CA.

The last step is to create a copy of the CA certificate encoded in the DER format, because Windows likes only binary encoded certificates.

~/CA $ openssl x509 -inform PEM -outform DER -in cacert.pem -out cacert.der