diff options
Diffstat (limited to 'doc/howto.ca.docbook')
-rw-r--r-- | doc/howto.ca.docbook | 456 |
1 files changed, 456 insertions, 0 deletions
diff --git a/doc/howto.ca.docbook b/doc/howto.ca.docbook new file mode 100644 index 0000000..5d08e92 --- /dev/null +++ b/doc/howto.ca.docbook @@ -0,0 +1,456 @@ +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> + +<article> + <articleinfo> + <title>HOWTO: Creating your own CA with OpenSSL</title> + + <author> + <firstname>Pheng Siong</firstname> + <surname>Ng</surname> + <affiliation> + <address><email>ngps@netmemetic.com</email></address> + </affiliation> + </author> + + <copyright> + <year>2000</year> + <year>2001</year> + <holder>Ng Pheng Siong.</holder> + </copyright> + + <revhistory> + <revision> + <revnumber>$Revision: 1.1 $</revnumber> + <date>$Date: 2003/06/22 16:41:18 $</date> + </revision> + </revhistory> + </articleinfo> + + <sect1 id="introduction"> + <title>Introduction</title> + <para>This is a HOWTO on creating your own <emphasis>certification + authority</emphasis> (<emphasis>CA</emphasis>) with OpenSSL. + </para> + + <para>I last created a CA about a year ago, when I began work on <ulink + url="http://www.post1.com/home/ngps/m2">M2Crypto</ulink> and needed + certificates for the SSL bits. I accepted the tools' default settings + then, e.g., certificate validity of 365 days; this meant that my + certificates, including my CA's certificate, have now expired. + </para> + + <para>Since I am using these certificates for M2Crypto's demonstration + programs (and I have forgotten the passphrase to the CA's private key), + I decided to discard the old CA and start afresh. I also decided to + document the process, hence this HOWTO. + </para> + </sect1> + + <sect1 id="procedure"> + <title>The Procedure</title> + <para>I use <filename>CA.pl</filename>, a Perl program written by + Steve Henson and bundled with OpenSSL. + </para> + + <para>The following are the steps to create a CA: + </para> + + <procedure> + <step> + <para>Choose a directory to do your CA work. All commands are executed + within this directory. Let's call the directory <filename>demo</filename>. + </para> + </step> + + <step> + <para>Copy <filename>CA.pl</filename> and <filename>openssl.cnf</filename> + into <filename>demo</filename>. + </para> + </step> + + <step> + <para>Apply the following patch to <filename>CA.pl</filename>, which + allows it to generate a CA certificate with a validity period of 1095 days, + i.e., 3 years: + </para> + + <programlisting> + --- CA.pl.org Sat Mar 31 12:40:13 2001 + +++ CA.pl Sat Mar 31 12:41:15 2001 + @@ -97,7 +97,7 @@ + } else { + print "Making CA certificate ...\n"; + system ("$REQ -new -x509 -keyout " . + - "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS"); + + "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT -days 1095"); + $RET=$?; + } + } + </programlisting> + </step> + + <step> + <para>Create a new CA like this: + </para> + + <screen> + <userinput> +./CA.pl -newca + </userinput> + A certificate filename (or enter to create) <userinput><replaceable><enter></replaceable></userinput> + + Making CA certificate ... + Using configuration from openssl.cnf + Generating a 1024 bit RSA private key + ............++++++ + ......................++++++ + writing new private key to './demoCA/private/cakey.pem' + Enter PEM pass phrase: <userinput><replaceable><secret passphrase here></replaceable></userinput> + Verifying password - Enter PEM pass phrase: <userinput><replaceable><secret passphrase again></replaceable></userinput> + ----- + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]:<userinput><replaceable>SG</replaceable></userinput> + State or Province Name (full name) [Some-State]:<userinput><replaceable>.</replaceable></userinput> + Locality Name (eg, city) []:<userinput><replaceable>.</replaceable></userinput>. + Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>DemoCA</replaceable></userinput> + Organizational Unit Name (eg, section) []:<userinput><replaceable>.</replaceable></userinput> + Common Name (eg, YOUR name) []:<userinput><replaceable>DemoCA Certificate Master</replaceable></userinput> + Email Address []:<userinput><replaceable>certmaster@democa.dom</replaceable></userinput> + </screen> + + <para>This creates a new CA in the directory <filename>demoCA</filename>. + The CA's self-signed certificate is in + <filename>demoCA/cacert.pem</filename> and its RSA key pair is in + <filename>demoCA/private/cakey.pem</filename>. + </para> + + <para><filename>demoCA/private/cakey.pem</filename> looks like this: + </para> + + <screen> + <userinput> +cat demoCA/private/cakey.pem + </userinput> + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: DES-EDE3-CBC,19973A9DBBB601BA + + eOq9WFScNiI4/UWEUaSnGTKpJv2JYuMD3HwQox2Q3Cd4zGqVjJ6gF3exa5126cKf + X/bMVnwbPpuFZPiAIvaLyCjT6pYeXTBbSzs7/GQnvEOv+nYnDUFWi0Qm92qLk0uy + pFi/M1aWheN3vir2ZlAw+DW0bOOZhj8tC7Co7lMYb0YE271b6/YRPZCwQ3GXAHUJ + +aMYxlUDrK45aCUa/1CZDzTgk7h9cDgx2QJSIvYMYytCfI3zsuZMJS8/4OXLL0bI + lKmAc1dwB3DqGJt5XK4WJesiNfdxeCNEgAcYtEAgYZTPIApU+kTgTCIxJl2nMW7j + ax+Q1z7g+4MpgG20WD633D4z4dTlDdz+dnLi0rvuvxiwt+dUhrqiML1tyi+Z6EBH + jU4/cLBWev3rYfrlp4x8J9mDte0YKOk3t0wQOHqRetTsIfdtjnFp/Hu3qDmTCWjD + z/g7PPoO/bg/B877J9WBPbL/1hXXFYo88M+2aGlPOgDcFdiOqbLb2DCscohMbbVr + A4mgiy2kwWfIE73qiyV7yyG8FlRvr1iib+jbT3LTGf743utYAAs7HNGuOUObhoyt + jYvBD7ACn35P5YX7KTqvqErwdijxYCaNBCnvmRtmYSaNw9Kv1UJTxc5Vx7YLwIPk + E9KyBgKI7vPOjWBZ27+zOvNycmv1ciNtpALAw4bWtXnhCDVTHaVDy34OkheMzNCg + 2cjcBFzOkMIjcI03KbTQXOFIQGlsTWXGzkNf/zBQ+KksT1MCj+zBXSCvlDASMckg + kef21pGgUqPF14gKGfWX3sV4bjc1vbrRwq6zlG3nMuYqR5MtJJY9eQ== + -----END RSA PRIVATE KEY----- + </screen> + </step> + + <step> + <para>Next, generate a certificate request. + </para> + + <screen> + <userinput> +./CA.pl -newreq + </userinput> + Using configuration from openssl.cnf + Generating a 1024 bit RSA private key + ..........++++++ + ..............++++++ + writing new private key to 'newreq.pem' + Enter PEM pass phrase: <userinput><replaceable><another secret passphrase here></replaceable></userinput> + Verifying password - Enter PEM pass phrase: <userinput><replaceable><another secret passphrase again></replaceable></userinput> + ----- + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]:<userinput><replaceable>SG</replaceable></userinput> + State or Province Name (full name) [Some-State]:.<userinput><replaceable>.</replaceable></userinput> + Locality Name (eg, city) []:<userinput><replaceable>.</replaceable></userinput> + Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>M2Crypto</replaceable></userinput> + Organizational Unit Name (eg, section) []:<userinput><replaceable>.</replaceable></userinput> + Common Name (eg, YOUR name) []:<userinput><replaceable>localhost</replaceable></userinput> + Email Address []:<userinput><replaceable>admin@server.example.dom</replaceable></userinput> + + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []:<userinput><replaceable><enter></replaceable></userinput> + An optional company name []:<userinput><replaceable><enter></replaceable></userinput> + Request (and private key) is in newreq.pem + </screen> + + <para>The certificate request and private key in <filename>newreq.pem</filename> looks like this: + </para> + + <screen> + <userinput> +cat newreq.pem + </userinput> + -----BEGIN RSA PRIVATE KEY----- + Proc-Type: 4,ENCRYPTED + DEK-Info: DES-EDE3-CBC,41B2874DF3D02DD4 + + mg611EoVkLEooSTv+qTM0Ddmm/M1jE/Jy5RD/sc3LSMhuGu9xc26OgsTJmkQuIAh + J/B4lAw8G59VTG6DykeEtrG0rUBx4bggc7PKbFuiN423YjJODWcHvVgnPOzXMQt+ + lY4tPl5+217MRHyx2NsWGrpkQNdu3GeSPOVMl3jeQiaXupONbwQ7rj42+X/VtAJP + W4D1NNwu8aGCPyShsEXHc/fI1WDpphYWke97pOjIZVQESFZOPty5HjIYZux4U+td + W81xODtq2ecJXc8fn2Wpa9y5VD1LT7oJksOuL1+Z04OVaeUe4x0swM17HlBm2kVt + fe/C/L6kN27MwZhE331VjtTjSGl4/gknqQDbLOtqT06f3OISsDJETm2itllyhgzv + C6Fi3N03rGFmKectijC+tws5k+P+HRG6sai33usk8xPokJqA+HYSWPz1XVlpRmv4 + kdjQOdST7ovU62mOTgf3ARcduPPwuzTfxOlYONe5NioO1APVHBrInQwcpLkpOTQR + vI4roIN+b75/nihUWGUJn/nbbBa2Yl0N5Gs1Tyiy9Z+CcRT2TfWKBBFlEUIFl7Mb + J9fTV3DI+k+akbR4il1NkQ8EcSmCr3WpA0I9n0EHI7ZVpVaHxc0sqaPFl8YGdFHq + 1Qk53C/w6+qPpDzT3yKFmG2LZytAAM1czvb6RbNRJJP2ZrpBwn/h99sUTo/yPfxY + nueYmFJDm0uVNtG0icXGNUfSfnjKNTtHPAgyKGetRIC3kgJz/bo2w7EI6iEjBAzK + l5TRm4x6ZJxwuXXMiJCehMMd8TC8ybwWO4AO19B3ebFFeTVsUgxSGA== + -----END RSA PRIVATE KEY----- + -----BEGIN CERTIFICATE REQUEST----- + MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw + EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l + eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r + uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM + MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv + tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB + AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi + PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K + 9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC + -----END CERTIFICATE REQUEST----- + </screen> + + <para>Decoding the certificate request gives the following: + </para> + + <screen> + <userinput> +openssl req -text -noout < newreq.pem + </userinput> + Using configuration from /usr/local/pkg/openssl/openssl.cnf + Certificate Request: + Data: + Version: 0 (0x0) + Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50: + 91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e: + 6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13: + 21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4: + c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac: + 4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f: + 6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9: + 6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f: + 0b:6f:e7:1c:bc:a6:59:97:ef + Exponent: 65537 (0x10001) + Attributes: + a0:00 + Signature Algorithm: md5WithRSAEncryption + 7a:68:46:9e:58:4b:9e:42:66:9c:be:c1:d8:a0:40:4c:23:2f: + fc:12:96:eb:e8:f9:68:ed:a6:f3:f4:62:80:4c:26:ee:15:30: + a7:99:8b:8d:39:47:ba:3c:a0:4c:22:3d:d9:6b:ae:58:8a:36: + 49:c5:98:72:88:68:22:93:2d:17:14:e7:d4:9c:03:a0:03:10: + 85:94:ce:a9:94:cc:fe:42:b3:a8:eb:49:1a:37:34:a7:e0:d5: + b7:74:f4:3d:4a:f6:bb:10:91:17:3d:52:bb:fd:99:10:48:b2: + b7:9d:1a:76:04:08:d7:91:68:ae:51:d7:2c:e9:3a:8c:27:8a: + 75:c2 + </screen> + </step> + + <step> + <para>Now, sign the certificate request: + </para> + + <screen> + <userinput> +./CA.pl -sign + </userinput> + Using configuration from openssl.cnf + Enter PEM pass phrase: <userinput><replaceable><CA's passphrase></replaceable></userinput> + Check that the request matches the signature + Signature ok + The Subjects Distinguished Name is as follows + countryName :PRINTABLE:'SG' + organizationName :PRINTABLE:'M2Crypto' + commonName :PRINTABLE:'localhost' + emailAddress :IA5STRING:'admin@server.example.dom' + Certificate is to be certified until Mar 31 02:57:30 2002 GMT (365 days) + Sign the certificate? [y/n]:<userinput><replaceable>y</replaceable></userinput> + + + 1 out of 1 certificate requests certified, commit? [y/n]<userinput><replaceable>y</replaceable></userinput> + Write out database with 1 new entries + Data Base Updated + Signed certificate is in newcert.pem + </screen> + + <para><filename>newcert.pem</filename> looks like this: + </para> + + <screen> + <userinput> +cat newcert.pem + </userinput> + Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=SG, O=DemoCA, CN=DemoCA Certificate Master/Email=certmaster@democa.dom + Validity + Not Before: Mar 31 02:57:30 2001 GMT + Not After : Mar 31 02:57:30 2002 GMT + Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50: + 91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e: + 6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13: + 21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4: + c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac: + 4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f: + 6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9: + 6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f: + 0b:6f:e7:1c:bc:a6:59:97:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=SG, O=DemoCA, CN=DemoCA Certificate Master/Email=certmaster@democa.dom + Validity + Not Before: Mar 31 02:57:30 2001 GMT + Not After : Mar 31 02:57:30 2002 GMT + Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50: + 91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e: + 6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13: + 21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4: + c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac: + 4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f: + 6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9: + 6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f: + 0b:6f:e7:1c:bc:a6:59:97:ef + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + B3:D6:89:88:2F:B1:15:40:EC:0A:C0:30:35:3A:B7:DA:72:73:1B:4D + X509v3 Authority Key Identifier: + keyid:F9:6A:A6:34:97:6B:BC:BB:5A:17:0D:19:FC:62:21:0B:00:B5:0E:29 + DirName:/C=SG/O=DemoCA/CN=DemoCA Certificate Master/Email=certmaster@democa.dom + serial:00 + + Signature Algorithm: md5WithRSAEncryption + </screen> + </step> + + <step> + <para>In certain situations, e.g., where your certificate and + private key are to be used in an unattended SSL server, you may wish to + not encrypt the private key, i.e., leave the key in the clear. This + decision should be governed by your site's security policy and threat + model, of course. + </para> + + <screen> + <userinput> +openssl rsa < newreq.pem > newkey.pem + </userinput> + read RSA key + Enter PEM pass phrase:<userinput><replaceable><secret passphrase here></replaceable></userinput> + writing RSA key + </screen> + + <para><filename>newkey.pem</filename> looks like this: + </para> + + <screen> + <userinput> +cat newkey.pem + </userinput> + -----BEGIN RSA PRIVATE KEY----- + MIICXgIBAAKBgQCvWdhjVCuWXWu4H8WqUJGuvme+6l0g37fAXur3Xm28RChzvhue + 7pvwhtsZEyHN3Oa9DhLMV9UQC4wy5Md7Js+rm2HtgOtM2LMorE4GeoTYpi5f1fbY + DUqHj2ygkkWDqQ9v0xSCJkGIyW+1vsrcId+DDlZqBacuXwtv5xy8plmX7wIDAQAB + AoGAbAkU8w3W1Qu15Hle1bJSL7GMReoreqeblOBmMAZz4by0l6sXZXJpjWXo86f/ + +dASMYTMPC4ZTYtv06N07AFbjL+kDfqDMTfzQkYMHp1LAq1Ihbq1rHWSBH5n3ekq + KiY8JKpv8DR5Po1iKaXJFuDByGDENJwYbSRSpSK3P+vkWWECQQDkEUE/ZPqqqZkQ + 2iWRPAsCbEID8SAraQl3DdCLYs/GgARfmmj4yUHEwkys9Jo1H8k4BdxugmaUwNi5 + YQ/CVzrXAkEAxNO80ArbGxPUmr11GHG/bGBYj1DUBkHZSc7dgxZdtUCLGNxQnNsg + Iwq3n6j1sUzS3UW6abQ8bivYNOUcMKJAqQJBANQxFaLU4b/NQaODQ3aoBZpAfP9L + 5eFdvbet+7zjt2r5CpikgkwOfAmDuXEltx/8LevY0CllW+nErx9zJgVrwUsCQQCu + 76H5JiznPBDSF2FjgHWqVVdgyW4owY3mU739LHvNBLicN/RN9VPy0Suy8/CqzKT9 + lWPBXzf2k3FuUdNkRlFBAkEAmpXoybuiFR2S5Bma/ax96lVs0/VihhfC1zZP/X/F + Br77+h9dIul+2DnyOl50zu0Sdzst1/7ay4JSDHyiBCMGSQ== + -----END RSA PRIVATE KEY----- + </screen> + </step> + </procedure> + + <para>That's it! The certificate, <filename>newcert.pem</filename>, and + the private key - <filename>newreq.pem</filename> (encrypted) or + <filename>newkey.pem</filename> (unencrypted) - are now ready to be used. + You may wish to rename the files to more intuitive names. + </para> + + <para>You should also keep the CA's certificate <filename>demo/cacert.pem + </filename> handy for use when developing and deploying SSL or S/MIME + applications. + </para> + </sect1> + + <sect1 id="conclusion"> + <title>Conclusion</title> + + <para>We've walked through the basic steps in the creation of a CA and + certificates using the tools that come with OpenSSL. We did not cover more + advanced topics such as constraining a certificate to be SSL-only or + S/MIME-only. + </para> + + <para>There exist several HOWTOs similar to this one on the net. This one + is written specifically to facilitate discussions in my other HOWTOs + on developing SSL and S/MIME applications in + <ulink url="http://www.python.org">Python</ulink> using + <ulink url="http://www.post1.com/home/ngps/m2">M2Crypto</ulink>. + </para> + </sect1> + + <sect1 id="id-kludge"> + <title></title> + <para> + <literal>$Id: howto.ca.docbook,v 1.1 2003/06/22 16:41:18 ngps Exp $</literal> + </para> + </sect1> +</article> + |