This will serve as a portable certificate authority for HTTPS clients and servers. DO NOT USE THESE IN PRODUCTION CODE
```
mkdir root-ca
cd root-ca
mkdir certs db private
touch db/index
openssl rand -hex 16 > db/serial
echo 1001 > db/crlnumber
```

- `certs/`: Certificate storage; new certificates will be placed here as they are issued.
- `db/`: This directory is used for the certificate database (index) and the files that hold the next certificate and CRL serial numbers. OpenSSL will create some additional files as needed.
- `private/`: This directory will store the private keys, one for the CA and the other for the OCSP responder. It's important that no other user has access to it.
NOTE: When creating a new CA certificate, it’s important to initialize the certificate serial numbers with a random number generator, as I do in this section.
We take two steps to create the root CA. First, we generate the key and the CSR.

```
cd root-ca
openssl req -new \
    -config root-ca.conf \
    -out root-ca.csr \
    -keyout private/root-ca.key
```

In the second step, we create a self-signed certificate.
```
cd root-ca
openssl ca -selfsign \
    -config root-ca.conf \
    -in root-ca.csr \
    -out root-ca.crt \
    -extensions ca_ext
```

To generate a CRL from the new CA, use the `-gencrl` switch of the `ca` command:
```
openssl ca -gencrl \
    -config root-ca.conf \
    -out root-ca.crl
```

To issue a certificate, invoke the `ca` command with the desired parameters.
```
openssl ca \
    -config root-ca.conf \
    -in sub-ca.csr \
    -out sub-ca.crt \
    -extensions sub_ca_ext
```

To revoke a certificate, use the `-revoke` switch of the `ca` command.
```
openssl ca \
    -config root-ca.conf \
    -revoke certs/1002.pem \
    -crl_reason keyCompromise
```

First, we create a key and CSR for the OCSP responder. These two operations are done as for any non-CA certificate, which is why we don't specify a configuration file:
```
openssl req -new \
    -newkey rsa:2048 \
    -subj "/C=US/O=Portland State University/CN=OCSP Root Responder" \
    -keyout private/root-ocsp.key \
    -out root-ocsp.csr
```

Second, use the root CA to issue a certificate.
```
openssl ca \
    -config root-ca.conf \
    -in root-ocsp.csr \
    -out root-ocsp.crt \
    -extensions ocsp_ext \
    -days 30
```

For testing, you can run the responder on the same machine on which the root CA resides. However, for production you must move the OCSP responder key and certificate elsewhere:
```
openssl ocsp \
    -port 9080 \
    -index db/index \
    -rsigner root-ocsp.crt \
    -rkey private/root-ocsp.key \
    -CA root-ca.crt \
    -text
```

You can test the operation of the OCSP responder using the following command line:
```
openssl ocsp \
    -issuer root-ca.crt \
    -CAfile root-ca.crt \
    -cert root-ocsp.crt \
    -url http://127.0.0.1:9080
```

In the output, `verify OK` means that the signatures were correctly verified, and `good` means that the certificate hasn't been revoked.
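The issue / revoke / CRL cycle above, as an added stand-alone example that is not part of this repository or its `cert_gen.sh`: it builds a throwaway CA in a temporary directory using a minimal, assumed `ca.conf` (the real `root-ca.conf` is not shown on this page), issues a server certificate, verifies it, revokes it, publishes a CRL, and shows that `openssl verify -crl_check` then rejects it.

```shell
# Added example (assumed minimal config, not the repo's root-ca.conf): a throwaway CA
# showing that chain verification goes from "ok" to "fail" once the cert is on the CRL.
ca_demo() {
  d=$(mktemp -d) && cd "$d" || return 1
  mkdir certs db private && touch db/index
  openssl rand -hex 16 > db/serial && echo 1001 > db/crlnumber
  cat > ca.conf <<'EOF'
[ca]
default_ca       = demo_ca
[demo_ca]
dir              = .
database         = $dir/db/index
new_certs_dir    = $dir/certs
serial           = $dir/db/serial
crlnumber        = $dir/db/crlnumber
private_key      = $dir/private/root-ca.key
certificate      = $dir/root-ca.crt
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[demo_policy]
commonName       = supplied
[req]
prompt             = no
distinguished_name = req_dn
[req_dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:false
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Self-signed root, then a leaf CSR signed by the CA with server_ext
  openssl req -x509 -config ca.conf -newkey rsa:2048 -nodes -keyout private/root-ca.key \
    -out root-ca.crt -extensions ca_ext -days 365 2>/dev/null
  openssl req -new -config ca.conf -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl ca -batch -config ca.conf -in server.csr -out server.crt -extensions server_ext 2>/dev/null
  openssl verify -CAfile root-ca.crt server.crt >/dev/null 2>&1 && before=ok || before=fail
  # Revoke the leaf, publish the CRL, and re-verify against it
  openssl ca -batch -config ca.conf -revoke server.crt -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.conf -gencrl -out root-ca.crl 2>/dev/null
  openssl verify -crl_check -CAfile root-ca.crt -CRLfile root-ca.crl server.crt >/dev/null 2>&1 \
    && after=ok || after=fail
  echo "$before $after"   # prints "ok fail"
}
```

Without `-crl_check` (or a CRL to check against) the revoked certificate still verifies, which is why a relying party needs the CRL or the OCSP responder, not just the CA certificate.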
To generate a configuration file for the subordinate CA, start with the file we used for the root CA and make the changes listed here.
First, we generate the key and the CSR.

```
openssl req -new \
    -config sub-ca.conf \
    -out sub-ca.csr \
    -keyout private/sub-ca.key
```

In the second step, we get the root CA to issue a certificate.
```
openssl ca \
    -config root-ca.conf \
    -in sub-ca.csr \
    -out sub-ca.crt \
    -extensions sub_ca_ext
```

To issue a server certificate, process a CSR while specifying `server_ext` in the `-extensions` switch:
```
openssl req -new \
    -config sub-ca.conf \
    -out server.csr \
    -keyout private/server.key

openssl ca \
    -config sub-ca.conf \
    -in server.csr \
    -out server.crt \
    -extensions server_ext
```

To issue a client certificate, process a CSR while specifying `client_ext` in the `-extensions` switch:
```
openssl req -new \
    -config sub-ca.conf \
    -out client.csr \
    -keyout private/client.key

openssl ca \
    -config sub-ca.conf \
    -in client.csr \
    -out client.crt \
    -extensions client_ext
```

- Example Setup: To expedite the CA, server, and client generation, run the bash script to generate the specified number of client certificates:
```
cd root-ca
chmod u+x cert_gen.sh
./cert_gen.sh 10
```

To test one of the generated client certificates against a server listening on `localhost:443`:

```
cd certs
openssl s_client -connect localhost:443 -state -debug -cert client1.crt -key client1.key
```