The steps to generate a CA (Certificate Authority) with OpenSSL, using the RSA algorithm, with passphrase protection, along with detailed explanations of each step and its options:
Generate CA
Creating ca.cnf
First, we need create a config file ca.cnf
to include the information about CA. The ca.cnf
file looks like:
|
|
The [req]
section is used to specify the default settings for certificate requests (req), and includes the following options:
default_bits
: the default number of bits used for the RSA key pair generated by the command.default_md
: the default message digest algorithm used to sign the certificate.default_keyfile
: the default key file name for the private key used to sign the certificate.distinguished_name
: the distinguished name (DN) to use for certificate requests (i.e., the name of the entity you are requesting the certificate for).x509_extensions
: the name of the extensions section that will be used for X.509 certificates.prompt
: whether to prompt the user for input during the certificate generation process.
The [req_distinguished_name]
section is used to specify the DN to use for the certificate. This section includes options for various components of the DN, such as country name, state or province name, locality name, organization name, and common name.
The [v3_ca]
section is used to specify the extensions to include in the X.509 certificate. This section includes options for various extensions, such as the subject key identifier, the authority key identifier, and the basic constraints. In this example, the X.509 certificate is specified as a CA certificate (i.e., it can sign other certificates) with the basic constraints option set to "CA:true".
Creating ca.key
and ca.crt
Enter the following command to create a self-signed Certificate Authority (CA) with a private key:
|
|
This command uses the req
subcommand of the OpenSSL tool to generate a self-signed x509 certificate for the Certificate Authority with 3650 days validity.
-
The
req
subcommand specifies that we are generating a certificate signing request. -
The
-new
option specifies that we want to generate a new certificate rather than renewing an existing one. -
The
-x509
option specifies that a new Certificate Authority certificate should be created rather than a certificate signing request (CSR). -
The
-sha256
option specifies that SHA256 should be used as the message digest for the certificate. -
The
-days 3650
option specifies the validity period for the certificate (in this case, 10 years) -
The
-config ca.cnf
option specifies the configuration file to use. This file provides additional details about the Certificate Authority, such as its name, location, and other settings. -
The
-keyout ca.key
option specifies the output file for the private key of the CA. -
The
-out ca.crt
option specifies the output file for the CA certificate. Once the command is executed, an X.509 self-signed certificate for the Certificate Authority will be generated, and the private key for the CA will be stored in theca.key
file with the CA certificate stored in theca.crt
file. -
The command is also equavilant to:
1 2 3 4 5
# generates an AES-256 encrypted RSA private key with a key length of 4096 bits openssl genrsa -aes256 -out ca.key 4096 # create a self-signed root CA certificate using the private key openssl req -x509 -new -sha256 -days 3650 \ -config ca.cnf -key ca.key -out ca.crt
You can use the following command to view the certificate contents:
|
|
This command displays the contents of the CA certificate in human-readable form. Verify that the information in the certificate looks correct.
save CA as P12
Following command convert a CA (Certificate Authority) certificate to a P12 format:
|
|
In this command, ca.p12
is the name of the output file that will contain the converted P12 certificate. ca.key
is the private key file that corresponds to the CA certificate. And ca.crt
is the original CA certificate file in PEM format. You will then be prompted to set a password for the P12 file.
In Surge, P12 is convert to text using base64:
|
|
you can recover it to p12
as following:
echo "BASE64-ENCODED-TEXT" | base64 -d > ca.p12
Convert P12 to CA
you can recover ca.p12
to ca.key
and ca.crt
using following command:
|
|
The first command extracts the encrypted private key from the PKCS12 file and saves it to ca.key
. The -nocerts
option tells OpenSSL to exclude the certificate from the output. During the command execution, OpenSSL will prompt you to enter the password that was used to encrypt the private key.
The second command extracts the certificate from the PKCS12 file and saves it to ca.crt
. The -nokeys
option tells OpenSSL to exclude the private key from the output.
Generate and sign certificate with CA
Now that you have a CA certificate, you can use it to sign other certificates. To demonstrate, we'll create a new server certificate and sign it using our CA certificate.
Creating server.san
First, we need create a config file server.san
with a Subject Alternative Name (SAN) extension to include the information about your server, such as its Common Name (CN), Organization, and Location.
The server.san
file may look like:
|
|
The [v3_req]
section is used to specify the default extensions for X.509 certificate requests. In this case, it includes the following options:
basicConstraints
: This option specifies whether or not the certificate is a certificate authority (CA). The valueCA:FALSE
indicates that the certificate is not a CA.keyUsage
: This option specifies the allowed usages of the certificate. In this case, it indicates that the certificate can be used for digital signatures and key encipherment.subjectAltName
: This option specifies the subject alternative name (SAN) extension for the certificate. The value@alt_names
refers to a new section that lists the alternative names that should be included in the SAN.
The [alt_names]
section specifies the alternative names to include in the SAN extension. In this case, it lists two domains:
DNS.1
: This specifies the primary domain name to include, which isexample.com
.DNS.2
: This specifies an additional domain name to include, which iswww.example.com
.
When creating an X.509 certificate with these options and values, the resulting certificate will include the specified SAN extension with the two domain names listed.
Creating server.key
and server.csr
Enter the following command to create a private key and certificate signing request (CSR) for a server with the subject alternative name (SAN) specified:
|
|
This command generates a new RSA private key of 2048 bits and a Certificate Signing Request (CSR) for a server with the subject alternative name (SAN) specified in the configuration file server.san
. The private key is saved in the server.key
file, and the CSR is saved in the server.csr
file.
-
newkey rsa:2048
option specifies that a new RSA key pair will be generated with a key size of 2048 bits. -
nodes
option specifies that the private key should not be encrypted with a passphrase. -
The command is also equavilant to:
1 2 3
openssl genrsa -out server.key 2048 openssl req -new -config server.san \ -key server.key -out server.csr
Creating server.crt
Now that we have a CSR, we can sign it with our CA certificate. Enter the following command:
|
|
This command signs the CSR using our CA certificate (ca.crt
) and private key (ca.key
).
-req
specifies that the input file is a Certificate Signing Request (CSR).-days 365
specifies the validity period for the signed certificate (in this case, 1 year).-CA ca.crt
specifies the CA certificate to use for signing.-CAkey ca.key
specifies the private key of the CA.-CAcreateserial
specifies that a new serial number file should be created for the signed certificate.-in server.csr
option specifies the input file to be signed.-out server.crt
specifies the output file name for the signed certificate.
Review the signed server certificate you just created. You can use the following command to view the certificate contents:
|
|
This command displays the contents of the signed server certificate, including the information from your CSR, and the signature from the CA certificate.
That's it! You now have a CA, a CA certificate, and a signed server certificate. Keep the CA and CA certificate safe and secure, as they will be required to sign other certificates.
Summary
In summary, the step to Creating CA and Signing Certificates is following:
-
Create two files
ca.cnf
andserver.san
which include configuration of CA and server's information. -
Creating
ca.key
andca.crt
1 2
openssl req -x509 -new -sha256 -days 3650 \ -config ca.cnf -keyout ca.key -out ca.crt
view the certificate contents with
1
openssl x509 -in ca.crt -noout -text
-
Convert between ca and p12
1 2 3 4 5
# convert to p12 openssl pkcs12 -export -out ca.p12 -inkey ca.key -in ca.crt # convert from p12 openssl pkcs12 -in ca.p12 -out ca.key -nocerts openssl pkcs12 -in ca.p12 -out ca.crt -nokeys
Convert between p12 and text
1 2 3 4
# convert p12 to text base64 -i ca.p12 # convert text to p12 echo "BASE64-ENCODED-TEXT" | base64 -d > ca.p12
-
Create
server.key
andserver.csr
1 2
openssl req -new -newkey rsa:2048 -nodes \ -config server.san -keyout server.key -out server.csr
-
Create
server.crt
1 2 3 4
openssl x509 -req -days 365 \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in server.csr -out server.crt \ -extensions v3_req -extfile server.san
View
server.crt
1
openssl x509 -in server.crt -noout -text