https://wiki.frotmail.nl/index.php?action=history&feed=atom&title=OpenSSL_PKI
OpenSSL PKI - Revision history
2026-06-15T08:00:29Z
Revision history for this page on the wiki
MediaWiki 1.45.3
https://wiki.frotmail.nl/index.php?title=OpenSSL_PKI&diff=94&oldid=prev
Eric: Created page with "rootca.conf [ default ] ca = Frotmail.nl-ClientSSL # CA name dir = . # Top dir base_url = http://ssl.frotmail.nl # CA base URL aia_url = $base_url/$ca.cer # CA certificate URL crl_url = $base_url/$ca.crl # CRL distribution point name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters # CA certificate request [ req ] defaul..."
2022-04-05T09:36:54Z
<p>Created page with "rootca.conf [ default ] ca = Frotmail.nl-ClientSSL # CA name dir = . # Top dir base_url = http://ssl.frotmail.nl # CA base URL aia_url = $base_url/$ca.cer # CA certificate URL crl_url = $base_url/$ca.crl # CRL distribution point name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters # CA certificate request [ req ] defaul..."</p>
<p><b>New page</b></p><div>rootca.conf<br />
[ default ]<br />
ca = Frotmail.nl-ClientSSL # CA name<br />
dir = . # Top dir<br />
base_url = http://ssl.frotmail.nl # CA base URL<br />
aia_url = $base_url/$ca.cer # CA certificate URL<br />
crl_url = $base_url/$ca.crl # CRL distribution point<br />
name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters<br />
<br />
# CA certificate request<br />
[ req ]<br />
default_bits = 2048 # RSA key size<br />
encrypt_key = no # Protect private key<br />
default_md = sha256 # MD to use<br />
utf8 = yes # Input is UTF-8<br />
string_mask = utf8only # Emit UTF-8 strings<br />
prompt = no # Don't prompt for DN<br />
distinguished_name = ca_dn # DN section<br />
req_extensions = ca_reqext # Desired extensions<br />
<br />
[ ca_dn ]<br />
countryName = "NL"<br />
organizationName = "Frotmail.nl"<br />
organizationalUnitName = "ClientSSL"<br />
commonName = "clients.frotmail.nl"<br />
<br />
[ ca_reqext ]<br />
keyUsage = critical,keyCertSign,cRLSign<br />
basicConstraints = critical,CA:true<br />
subjectKeyIdentifier = hash<br />
<br />
# CA operational settings<br />
[ ca ]<br />
default_ca = root_ca # The default CA section<br />
<br />
[ root_ca ]<br />
certificate = $dir/$ca.crt # The CA cert<br />
private_key = $dir/$ca.key # CA private key<br />
new_certs_dir = $dir/newcerts # Certificate archive<br />
serial = $dir/$ca.crt.srl # Serial number file<br />
crlnumber = $dir/$ca.crl.srl # CRL number file<br />
database = $dir/$ca.db # Index file<br />
unique_subject = no # Require unique subject<br />
default_days = 3652 # How long to certify for<br />
default_md = sha256 # MD to use<br />
policy = match_pol # Default naming policy<br />
email_in_dn = no # Add email to cert DN<br />
preserve = no # Keep passed DN ordering<br />
name_opt = $name_opt # Subject DN display options<br />
cert_opt = ca_default # Certificate display options<br />
copy_extensions = none # Copy extensions from CSR<br />
x509_extensions = ca_ext # Default cert extensions<br />
default_crl_days = 365 # How long before next CRL<br />
crl_extensions = crl_ext # CRL extensions<br />
<br />
[ match_pol ]<br />
countryName = match # Must match 'NO'<br />
stateOrProvinceName = optional # Included if present<br />
localityName = optional # Included if present<br />
organizationName = match # Must match 'Green AS'<br />
organizationalUnitName = optional # Included if present<br />
commonName = supplied # Must be present<br />
<br />
[ any_pol ]<br />
domainComponent = optional<br />
countryName = optional<br />
stateOrProvinceName = optional<br />
localityName = optional<br />
organizationName = optional<br />
organizationalUnitName = optional<br />
commonName = optional<br />
emailAddress = optional<br />
<br />
# Extensions<br />
[ ca_ext ]<br />
keyUsage = critical,keyCertSign,cRLSign<br />
basicConstraints = critical,CA:true,pathlen:0<br />
subjectKeyIdentifier = hash<br />
authorityKeyIdentifier = keyid:always<br />
authorityInfoAccess = @issuer_info<br />
crlDistributionPoints = @crl_info<br />
<br />
[ client_ext ]<br />
keyUsage = critical,digitalSignature<br />
basicConstraints = CA:false<br />
extendedKeyUsage = clientAuth<br />
subjectKeyIdentifier = hash<br />
authorityKeyIdentifier = keyid:always<br />
authorityInfoAccess = @issuer_info<br />
crlDistributionPoints = @crl_info<br />
<br />
[ crl_ext ]<br />
authorityKeyIdentifier = keyid:always<br />
authorityInfoAccess = @issuer_info<br />
<br />
[ issuer_info ]<br />
caIssuers;URI.0 = $aia_url<br />
<br />
[ crl_info ]<br />
URI.0 = $crl_url<br />
<br />
client.conf<br />
# TLS client certificate request<br />
<br />
[ req ]<br />
default_bits = 2048 # RSA key size<br />
#encrypt_key = yes # Protect private key<br />
default_md = sha1 # MD to use<br />
utf8 = yes # Input is UTF-8<br />
string_mask = utf8only # Emit UTF-8 strings<br />
prompt = yes # Prompt for DN<br />
distinguished_name = client_dn # DN template<br />
req_extensions = client_reqext # Desired extensions<br />
<br />
[ client_dn ]<br />
countryName = "1. Country Name (2 letters) "<br />
countryName_max = 2<br />
countryName_default = NL<br />
stateOrProvinceName = "2. State or Province Name "<br />
stateOrProvinceName_default = Oirschot<br />
localityName = "3. Locality Name "<br />
organizationName = "4. Organization Name "<br />
organizationName_default= Frotmail.nl<br />
organizationalUnitName = "5. Organizational Unit Name "<br />
organizationalUnitName_default = ClientSSL<br />
commonName = "6. Common Name (Username) "<br />
commonName_max = 64<br />
#emailAddress = "7. Email Address (eg, name@fqdn)"<br />
#emailAddress_max = 40<br />
<br />
[ client_reqext ]<br />
keyUsage = critical,digitalSignature<br />
extendedKeyUsage = clientAuth<br />
subjectKeyIdentifier = hash<br />
<br />
=Commands=<br />
Create directories<br />
mkdir -p newcerts<br />
<br />
Create database<br />
touch $ca.db<br />
touch $ca.db.attr<br />
echo 01 > $ca.crt.srl<br />
echo 01 > $ca.crl.srl<br />
<br />
Create CA request<br />
openssl req -new \<br />
-config rootca.conf \<br />
-out $ca.csr \<br />
-keyout $ca.key<br />
We create a private key and a CSR for the TLS CA. The configuration is taken from the [req] section of the TLS CA<br />
configuration file.<br />
<br />
Create CA certificate<br />
openssl ca -selfsign \<br />
-config rootca.conf \<br />
-in $ca.csr \<br />
-out $ca.crt \<br />
-extensions signing_ca_ext<br />
We use the root CA to issue the TLS CA certificate.<br />
<br />
Create initial CRL<br />
openssl ca -gencrl \<br />
-config ca.conf \<br />
-out $ca.crl<br />
We create an empty CRL.<br />
<br />
=client=<br />
#!/bin/bash<br />
if [ -z "$1" ]<br />
then<br />
echo "Usage: $0 [username]"<br />
else<br />
rm $1.*<br />
openssl genrsa -out $1.key 2048<br />
openssl req -new -config client.conf -out $1.csr -key $1.key<br />
openssl ca -config rootca.conf -in $1.csr -out $1.crt -extensions client_ext<br />
openssl pkcs12 -export -inkey $1.key -in $1.crt -out $1.pfx<br />
rm $1.csr<br />
rm $1.key<br />
rm $1.crt<br />
fi</div>
Eric