OpenSSL PKI

From Frotmail Projects
Jump to navigation Jump to search

rootca.conf

[ default ]
ca                      = Frotmail.nl-ClientSSL # CA name
dir                     = .                     # Top dir
base_url                = http://ssl.frotmail.nl   # CA base URL
aia_url                 = $base_url/$ca.cer     # CA certificate URL
crl_url                 = $base_url/$ca.crl     # CRL distribution point
name_opt                = multiline,-esc_msb,utf8 # Display UTF-8 characters

# CA certificate request
[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = no                   # Protect private key
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
countryName             = "NL"
organizationName        = "Frotmail.nl"
organizationalUnitName  = "ClientSSL"
commonName              = "clients.frotmail.nl"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash

# CA operational settings
[ ca ]
default_ca              = root_ca               # The default CA section

[ root_ca ]
certificate             = $dir/$ca.crt          # The CA cert
private_key             = $dir/$ca.key          # CA private key
new_certs_dir           = $dir/newcerts         # Certificate archive
serial                  = $dir/$ca.crt.srl      # Serial number file
crlnumber               = $dir/$ca.crl.srl      # CRL number file
database                = $dir/$ca.db           # Index file
unique_subject          = no                    # Require unique subject
default_days            = 3652                  # How long to certify for
default_md              = sha256                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = $name_opt             # Subject DN display options
cert_opt                = ca_default            # Certificate display options
copy_extensions         = none                  # Copy extensions from CSR
x509_extensions         = ca_ext                # Default cert extensions
default_crl_days        = 365                   # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

[ match_pol ]
countryName             = match                 # Must match 'NO'
stateOrProvinceName     = optional              # Included if present
localityName            = optional              # Included if present
organizationName        = match                 # Must match 'Green AS'
organizationalUnitName  = optional              # Included if present
commonName              = supplied              # Must be present

[ any_pol ]
domainComponent         = optional
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# Extensions
[ ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true,pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info
crlDistributionPoints   = @crl_info

[ client_ext ]
keyUsage                = critical,digitalSignature
basicConstraints        = CA:false
extendedKeyUsage        = clientAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info
crlDistributionPoints   = @crl_info

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info

[ issuer_info ]
caIssuers;URI.0         = $aia_url

[ crl_info ]
URI.0                   = $crl_url

client.conf

# TLS client certificate request

[ req ]
default_bits            = 2048                  # RSA key size
#encrypt_key             = yes                   # Protect private key
default_md              = sha1                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = yes                   # Prompt for DN
distinguished_name      = client_dn             # DN template
req_extensions          = client_reqext         # Desired extensions

[ client_dn ]
countryName             = "1. Country Name (2 letters)     "
countryName_max         = 2
countryName_default     = NL
stateOrProvinceName     = "2. State or Province Name       "
stateOrProvinceName_default = Oirschot
localityName            = "3. Locality Name                "
organizationName        = "4. Organization Name            "
organizationName_default= Frotmail.nl
organizationalUnitName  = "5. Organizational Unit Name     "
organizationalUnitName_default = ClientSSL
commonName              = "6. Common Name (Username)       "
commonName_max          = 64
#emailAddress            = "7. Email Address             (eg, name@fqdn)"
#emailAddress_max        = 40

[ client_reqext ]
keyUsage                = critical,digitalSignature
extendedKeyUsage        = clientAuth
subjectKeyIdentifier    = hash

Commands

Create directories

mkdir -p newcerts

Create database

touch $ca.db
touch $ca.db.attr
echo 01 > $ca.crt.srl
echo 01 > $ca.crl.srl

Create CA request

openssl req -new \
-config rootca.conf \
-out $ca.csr \
-keyout $ca.key

We create a private key and a CSR for the TLS CA. The configuration is taken from the [req] section of the TLS CA configuration file.

Create CA certificate

openssl ca -selfsign \
-config rootca.conf \
-in $ca.csr \
-out $ca.crt \
-extensions signing_ca_ext

We use the root CA to issue the TLS CA certificate.

Create initial CRL

openssl ca -gencrl \
-config ca.conf \
-out $ca.crl

We create an empty CRL.

client

#!/bin/bash
if [ -z "$1" ]
then
  echo "Usage: $0 [username]"
else
  rm $1.*
  openssl genrsa -out $1.key 2048
  openssl req -new -config client.conf -out $1.csr -key $1.key
  openssl ca -config rootca.conf -in $1.csr -out $1.crt -extensions client_ext
  openssl pkcs12 -export -inkey $1.key -in $1.crt -out $1.pfx
  rm $1.csr
  rm $1.key
  rm $1.crt
fi