Cooper's Zone

Creating CA and Signing Certificates

 Tech  1811  9 分钟

The steps to generate a CA (Certificate Authority) with OpenSSL, using the RSA algorithm, with passphrase protection, along with detailed explanations of each step and its options:

Generate CA

Creating ca.cnf

First, we need create a config file ca.cnf to include the information about CA. The ca.cnf file looks like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

[req]
default_bits           = 4096
default_md             = sha256
default_keyfile        = ca.key
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt                 = no

[req_distinguished_name]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
0.organizationName     = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName             = Common Name (eg, fully qualified host name)
emailAddress           = Email Address

[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true

The [req] section is used to specify the default settings for certificate requests (req), and includes the following options:

  • default_bits: the default number of bits used for the RSA key pair generated by the command.
  • default_md: the default message digest algorithm used to sign the certificate.
  • default_keyfile: the default key file name for the private key used to sign the certificate.
  • distinguished_name: the distinguished name (DN) to use for certificate requests (i.e., the name of the entity you are requesting the certificate for).
  • x509_extensions: the name of the extensions section that will be used for X.509 certificates.
  • prompt: whether to prompt the user for input during the certificate generation process.

The [req_distinguished_name] section is used to specify the DN to use for the certificate. This section includes options for various components of the DN, such as country name, state or province name, locality name, organization name, and common name.

The [v3_ca] section is used to specify the extensions to include in the X.509 certificate. This section includes options for various extensions, such as the subject key identifier, the authority key identifier, and the basic constraints. In this example, the X.509 certificate is specified as a CA certificate (i.e., it can sign other certificates) with the basic constraints option set to "CA:true".

Creating ca.key and ca.crt

Enter the following command to create a self-signed Certificate Authority (CA) with a private key:

1
2

openssl req  -x509 -new -sha256 -days 3650 \
-config ca.cnf -keyout ca.key -out ca.crt

This command uses the req subcommand of the OpenSSL tool to generate a self-signed x509 certificate for the Certificate Authority with 3650 days validity.

  • The req subcommand specifies that we are generating a certificate signing request.

  • The -new option specifies that we want to generate a new certificate rather than renewing an existing one.

  • The -x509 option specifies that a new Certificate Authority certificate should be created rather than a certificate signing request (CSR).

  • The -sha256 option specifies that SHA256 should be used as the message digest for the certificate.

  • The -days 3650 option specifies the validity period for the certificate (in this case, 10 years)

  • The -config ca.cnf option specifies the configuration file to use. This file provides additional details about the Certificate Authority, such as its name, location, and other settings.

  • The -keyout ca.key option specifies the output file for the private key of the CA.

  • The -out ca.crt option specifies the output file for the CA certificate. Once the command is executed, an X.509 self-signed certificate for the Certificate Authority will be generated, and the private key for the CA will be stored in the ca.key file with the CA certificate stored in the ca.crt file.

  • The command is also equavilant to:

    1
2
3
4
5

    # generates an AES-256 encrypted RSA private key with a key length of 4096 bits
openssl genrsa -aes256 -out ca.key 4096
# create a self-signed root CA certificate using the private key
openssl req -x509 -new -sha256 -days 3650 \
-config ca.cnf -key ca.key -out ca.crt

You can use the following command to view the certificate contents:

1

openssl x509 -in ca.crt -noout -text

This command displays the contents of the CA certificate in human-readable form. Verify that the information in the certificate looks correct.

save CA as P12

Following command convert a CA (Certificate Authority) certificate to a P12 format:

1

openssl pkcs12 -export -out ca.p12 -inkey ca.key -in ca.crt

In this command, ca.p12 is the name of the output file that will contain the converted P12 certificate. ca.key is the private key file that corresponds to the CA certificate. And ca.crt is the original CA certificate file in PEM format. You will then be prompted to set a password for the P12 file.

In Surge, P12 is convert to text using base64:

1

base64 -i ca.p12

you can recover it to p12 as following:

echo "BASE64-ENCODED-TEXT" | base64 -d > ca.p12

Convert P12 to CA

you can recover ca.p12 to ca.key and ca.crt using following command:

1
2
3


openssl pkcs12 -in ca.p12 -out ca.key -nocerts
openssl pkcs12 -in ca.p12 -out ca.crt -nokeys

The first command extracts the encrypted private key from the PKCS12 file and saves it to ca.key. The -nocerts option tells OpenSSL to exclude the certificate from the output. During the command execution, OpenSSL will prompt you to enter the password that was used to encrypt the private key.

The second command extracts the certificate from the PKCS12 file and saves it to ca.crt. The -nokeys option tells OpenSSL to exclude the private key from the output.

Generate and sign certificate with CA

Now that you have a CA certificate, you can use it to sign other certificates. To demonstrate, we'll create a new server certificate and sign it using our CA certificate.

Creating server.san

First, we need create a config file server.san with a Subject Alternative Name (SAN) extension to include the information about your server, such as its Common Name (CN), Organization, and Location. The server.san file may look like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

[req]
default_bits = 2048
default_md             = sha256
default_keyfile        = server.key
distinguished_name     = req_distinguished_name
x509_extensions        = v3_req
prompt                 = no
[req_distinguished_name]
countryName            = Country Name (2 letter code)
stateOrProvinceName    = State or Province Name (full name)
localityName           = Locality Name (eg, city)
organizationName       = Organization Name (eg, company)
commonName             = Common Name (e.g. server FQDN or YOUR name)
[v3_req]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alt_names
[alt_names]
DNS.1                  = example.com
DNS.2                  = www.example.com

The [v3_req] section is used to specify the default extensions for X.509 certificate requests. In this case, it includes the following options:

  • basicConstraints: This option specifies whether or not the certificate is a certificate authority (CA). The value CA:FALSE indicates that the certificate is not a CA.
  • keyUsage: This option specifies the allowed usages of the certificate. In this case, it indicates that the certificate can be used for digital signatures and key encipherment.
  • subjectAltName: This option specifies the subject alternative name (SAN) extension for the certificate. The value @alt_names refers to a new section that lists the alternative names that should be included in the SAN.

The [alt_names] section specifies the alternative names to include in the SAN extension. In this case, it lists two domains:

  • DNS.1: This specifies the primary domain name to include, which is example.com.
  • DNS.2: This specifies an additional domain name to include, which is www.example.com. ​

When creating an X.509 certificate with these options and values, the resulting certificate will include the specified SAN extension with the two domain names listed.

Creating server.key and server.csr

Enter the following command to create a private key and certificate signing request (CSR) for a server with the subject alternative name (SAN) specified:

1
2

openssl req -new -newkey rsa:2048 -nodes \
-config server.san -keyout server.key -out server.csr

This command generates a new RSA private key of 2048 bits and a Certificate Signing Request (CSR) for a server with the subject alternative name (SAN) specified in the configuration file server.san. The private key is saved in the server.key file, and the CSR is saved in the server.csr file.

  • newkey rsa:2048 option specifies that a new RSA key pair will be generated with a key size of 2048 bits.

  • nodes option specifies that the private key should not be encrypted with a passphrase.

  • The command is also equavilant to:

    1
2
3

    openssl genrsa -out server.key 2048
openssl req -new -config server.san \
   -key server.key -out server.csr

Creating server.crt

Now that we have a CSR, we can sign it with our CA certificate. Enter the following command:

1
2
3
4

openssl x509 -req -days 365 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in server.csr -out server.crt \
-extensions v3_req -extfile server.san

This command signs the CSR using our CA certificate (ca.crt) and private key (ca.key).

  • -req specifies that the input file is a Certificate Signing Request (CSR).
  • -days 365 specifies the validity period for the signed certificate (in this case, 1 year).
  • -CA ca.crt specifies the CA certificate to use for signing.
  • -CAkey ca.key specifies the private key of the CA.
  • -CAcreateserial specifies that a new serial number file should be created for the signed certificate.
  • -in server.csr option specifies the input file to be signed.
  • -out server.crt specifies the output file name for the signed certificate.

Review the signed server certificate you just created. You can use the following command to view the certificate contents:

1

openssl x509 -in server.crt -noout -text

This command displays the contents of the signed server certificate, including the information from your CSR, and the signature from the CA certificate.

That's it! You now have a CA, a CA certificate, and a signed server certificate. Keep the CA and CA certificate safe and secure, as they will be required to sign other certificates.

Summary

In summary, the step to Creating CA and Signing Certificates is following:

  1. Create two files ca.cnf and server.san which include configuration of CA and server's information.

  2. Creating ca.key and ca.crt

    1
2

    openssl req  -x509 -new -sha256 -days 3650 \
-config ca.cnf -keyout ca.key -out ca.crt

    view the certificate contents with

    1

    openssl x509 -in ca.crt -noout -text

  3. Convert between ca and p12

    1
2
3
4
5

    # convert to p12
openssl pkcs12 -export -out ca.p12 -inkey ca.key -in ca.crt
# convert from p12
openssl pkcs12 -in ca.p12 -out ca.key -nocerts
openssl pkcs12 -in ca.p12 -out ca.crt -nokeys

    Convert between p12 and text

    1
2
3
4

    # convert p12 to text
base64 -i ca.p12
# convert text to p12
echo "BASE64-ENCODED-TEXT" | base64 -d > ca.p12

  4. Create server.key and server.csr

    1
2

    openssl req -new -newkey rsa:2048 -nodes \
-config server.san -keyout server.key -out server.csr

  5. Create server.crt

    1
2
3
4

    openssl x509 -req -days 365 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in server.csr -out server.crt \
-extensions v3_req -extfile server.san

    View server.crt

    1

    openssl x509 -in server.crt -noout -text
updatedupdated2023-06-052023-06-05
abd4ce1
Update https-ca.md
Edit Me?

相关文章: