How to set up your own Certificate Authority
============================================

Note: this howto requires the openssl binary, as well as classic UNIX tools
(cat, touch, echo). If you use Windows, please consider installing Cygwin --
see http://cygwin.com/

1. Configure OpenSSL
--------------------

First of all, create sslconf.txt in the current directory (a basic example is
provided at the end of this file).

    cat > sslconf.txt <<"EOF"
    [paste contents here]
    EOF

Then you need to create the certificate database (an empty index file), a
starting serial number, and the directory in which "openssl ca" keeps a copy
of every certificate it issues:

    touch index
    echo "01" > serial
    mkdir newcerts

Every "openssl ca" command below reads and updates these files, so run all
commands from this directory and keep it, together with the CA private key,
backed up and protected.

2. Generate the CA certificate
------------------------------

    openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
        -set_serial 0 -text -keyout test-ca.key -out test-ca.crt

"-newkey" prompts for a passphrase that encrypts test-ca.key; do not skip it.
Anyone who obtains this key can issue certificates and CRLs that all of your
clients trust, so keep it off the servers that merely use the certificates.
Two caveats: RFC 5280 requires certificate serial numbers to be positive, so
strict validators may reject "-set_serial 0" (omit the option and openssl
picks a random serial, or pass a positive value); and with a ten-year validity
you need a plan for distributing a replacement CA certificate to clients
before this one expires.

3. Generate the private keys and certificate requests
-----------------------------------------------------

    openssl genrsa -out server1.key 2048
    openssl genrsa -out server2.key 2048
    openssl genrsa -out client1.key 2048
    openssl genrsa -out client2.key 2048

    openssl req -config sslconf.txt -new -key server1.key -out server1.req
    openssl req -config sslconf.txt -new -key server2.key -out server2.req
    openssl req -config sslconf.txt -new -key client1.key -out client1.req
    openssl req -config sslconf.txt -new -key client2.key -out client2.req

genrsa writes the keys unencrypted; add "-aes256" if a key should be
protected by a passphrase. "openssl req" prompts for the subject fields
listed in the [ my_req_dn ] section; the policy in sslconf.txt requires the
Organization Name to match the CA's and a Common Name to be supplied. Note
that current TLS clients match a server's hostname against a subjectAltName
extension rather than the commonName, and this minimal configuration does not
add one.

4. Issue and sign the certificates
----------------------------------

    openssl ca -config sslconf.txt -in server1.req -out server1.crt
    openssl ca -config sslconf.txt -in server2.req -out server2.crt
    openssl ca -config sslconf.txt -in client1.req -out client1.crt
    openssl ca -config sslconf.txt -in client2.req -out client2.crt

"openssl ca" displays the request's subject and asks for confirmation before
signing and committing the entry to the database (add "-batch" to skip the
prompts when scripting).

5. To revoke a certificate and update the CRL
---------------------------------------------

    openssl ca -config sslconf.txt -revoke server1.crt
    openssl ca -config sslconf.txt -revoke client1.crt
    openssl ca -config sslconf.txt -gencrl -out crl.pem

"-revoke" only marks the entry in the index file; relying parties see nothing
until you regenerate crl.pem and distribute it to them. The CRL is valid for
default_crl_days (60 in the example configuration), so reissue it before it
expires even if nothing was revoked, otherwise clients that check CRLs will
start rejecting every certificate.

6. To display a certificate and verify its validity
---------------------------------------------------

    openssl x509 -in server2.crt -text -noout

    cat test-ca.crt crl.pem > ca_crl.pem
    openssl verify -CAfile ca_crl.pem -crl_check server2.crt
    rm ca_crl.pem

The CA certificate and the CRL are concatenated because "-CAfile" loads both
certificates and CRLs from a single file (recent versions also accept
"-CRLfile crl.pem"). "-crl_check" checks only the end-entity certificate
against the CRL; use "-crl_check_all" to check every certificate in the chain.
Without any CRL, "-crl_check" fails with "unable to get certificate CRL", so
generate one (step 5) even before anything has been revoked.

7. To export a certificate into a .pfx file
-------------------------------------------

    openssl pkcs12 -export -in client2.crt -inkey client2.key \
        -out client2.pfx

The .pfx file contains the private key, so set a non-empty export password at
the prompt and handle the file as carefully as the key itself. Add
"-certfile test-ca.crt" so that the bundle also carries the CA certificate
that Windows and browsers need to build the chain.

##================================================================
##============== Example OpenSSL configuration file ==============
##================================================================

# References:
#
#   /etc/ssl/openssl.conf
#   http://www.openssl.org/docs/apps/config.html
#   http://www.openssl.org/docs/apps/x509v3_config.html

[ ca ]
default_ca      = my_ca

[ my_ca ]
certificate     = test-ca.crt
private_key     = test-ca.key
database        = index
serial          = serial
new_certs_dir   = newcerts
default_crl_days = 60
default_days    = 730
# Signature digest for issued certificates and CRLs. SHA-1 signatures are
# rejected by current browsers and TLS libraries; do not use sha1 here.
default_md      = sha256
policy          = my_policy
x509_extensions = v3_usr

[ my_policy ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name      = my_req_dn
x509_extensions         = v3_ca

[ my_req_dn ]
countryName             = Country Name..............
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name....
localityName            = Locality Name.............
0.organizationName      = Organization Name.........
organizationalUnitName  = Org. Unit Name............
commonName              = Common Name (required)....
commonName_max          = 64
emailAddress            = Email Address.............
emailAddress_max        = 64

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
# Restrict the CA key to signing certificates and CRLs.
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_usr ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
# For server certificates, add the hostname(s) here, e.g.
#   subjectAltName = DNS:www.example.com
# since current TLS clients ignore commonName when checking the hostname.
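The following script is an added example, not part of the original howto: it runs steps 1 to 6 end to end, non-interactively, in a scratch directory, and shows the effect of revocation on "openssl verify -crl_check" before and after the CRL is regenerated. It assumes a POSIX sh and an OpenSSL 1.1.1 or 3.x binary on PATH; the organization "Example Lab" and the hostnames under example.test are made up for the demo, the configuration is a trimmed version of the one above (SHA-256, keyUsage on the CA certificate), and "-subj" and "-batch" replace the interactive prompts.

```shell
#!/bin/sh
# Added example, not from the original howto: full CA workflow in a scratch
# directory. Assumes POSIX sh and OpenSSL 1.1.1 or 3.x on PATH; the
# organization and host names below are invented for the demo.
set -eu

# Trimmed CA configuration: SHA-256 signatures, keyUsage on the CA cert,
# and a policy that requires a matching O and a supplied CN.
write_config() {
  cat > sslconf.txt <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
certificate = test-ca.crt
private_key = test-ca.key
database = index
serial = serial
new_certs_dir = newcerts
default_crl_days = 60
default_days = 730
default_md = sha256
policy = my_policy
x509_extensions = v3_usr
[ my_policy ]
organizationName = match
commonName = supplied
[ req ]
distinguished_name = my_req_dn
x509_extensions = v3_ca
[ my_req_dn ]
organizationName = Organization Name
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_usr ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Steps 3-4 for one certificate: key, CSR with a fixed subject, CA signature.
# -batch skips the "Sign the certificate?" prompt; openssl chatter is dropped.
issue_cert() { # $1 = file basename, $2 = commonName
  openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1
  openssl req -config sslconf.txt -new -key "$1.key" \
    -subj "/O=Example Lab/CN=$2" -out "$1.req" >/dev/null 2>&1
  openssl ca -config sslconf.txt -batch -in "$1.req" -out "$1.crt" >/dev/null 2>&1
}

# Step 6: verify one certificate against the CA and the current CRL.
# Prints "ok", "revoked" or "error" so callers need not parse openssl output.
crl_status() { # $1 = certificate file
  out=$(openssl verify -CAfile test-ca.crt -CRLfile crl.pem -crl_check "$1" 2>&1) \
    && { echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# Whole walk-through in a subshell (so the cd does not leak). Prints one
# summary line: "before=<server1> <server2> after=<server1> <server2>".
ca_workflow() (
  work=$(mktemp -d)
  cd "$work"
  mkdir newcerts; : > index; echo 01 > serial            # step 1: CA database
  write_config
  openssl genrsa -out test-ca.key 2048 >/dev/null 2>&1   # step 2: CA key + self-signed cert
  openssl req -config sslconf.txt -new -x509 -days 3653 -key test-ca.key \
    -subj "/O=Example Lab/CN=Example Lab Test CA" -out test-ca.crt >/dev/null 2>&1
  issue_cert server1 server1.example.test                # steps 3-4
  issue_cert server2 server2.example.test
  openssl ca -config sslconf.txt -gencrl -out crl.pem >/dev/null 2>&1  # empty CRL; -crl_check needs one
  before="$(crl_status server1.crt) $(crl_status server2.crt)"
  openssl ca -config sslconf.txt -revoke server1.crt \
    -crl_reason keyCompromise >/dev/null 2>&1            # step 5: revoke ...
  openssl ca -config sslconf.txt -gencrl -out crl.pem >/dev/null 2>&1  # ... and republish the CRL
  after="$(crl_status server1.crt) $(crl_status server2.crt)"
  cd / && rm -rf "$work"
  echo "before=$before after=$after"
)

ca_workflow
```

Running the script prints "before=ok ok after=revoked ok": both certificates verify against the empty CRL, and only server1 is rejected once it has been revoked and the CRL regenerated. Dropping the second "-gencrl" line is an instructive experiment; verification of server1 keeps succeeding, which is exactly why step 5 insists on republishing the CRL after every revocation.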