OpenSSL PKI
rootca.conf
# OpenSSL configuration for the Frotmail.nl client-certificate CA.
# Read by `openssl req` (sections [ req ], [ ca_dn ], [ ca_reqext ]) and by
# `openssl ca` (section [ ca ] and everything it references).

[ default ]
ca = Frotmail.nl-ClientSSL  # CA name
dir = .  # Top dir
base_url = http://ssl.frotmail.nl  # CA base URL
aia_url = $base_url/$ca.cer  # CA certificate URL
crl_url = $base_url/$ca.crl  # CRL distribution point
name_opt = multiline,-esc_msb,utf8  # Display UTF-8 characters

# CA certificate request

[ req ]
default_bits = 2048  # RSA key size
# NOTE(review): "no" means the CA private key is written to $dir/$ca.key
# without a passphrase. Anyone who can read that file can issue certificates,
# so either set this to yes or keep the directory readable by the CA operator only.
encrypt_key = no  # Protect private key
default_md = sha256  # MD to use
utf8 = yes  # Input is UTF-8
string_mask = utf8only  # Emit UTF-8 strings
prompt = no  # Don't prompt for DN
distinguished_name = ca_dn  # DN section
req_extensions = ca_reqext  # Desired extensions

# Subject of the CA certificate. match_pol below compares issued certificates
# against countryName and organizationName from this section.
[ ca_dn ]
countryName = "NL"
organizationName = "Frotmail.nl"
organizationalUnitName = "ClientSSL"
commonName = "clients.frotmail.nl"

[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash

# CA operational settings

[ ca ]
default_ca = root_ca  # The default CA section

[ root_ca ]
certificate = $dir/$ca.crt  # The CA cert
private_key = $dir/$ca.key  # CA private key
new_certs_dir = $dir/newcerts  # Certificate archive
serial = $dir/$ca.crt.srl  # Serial number file
crlnumber = $dir/$ca.crl.srl  # CRL number file
database = $dir/$ca.db  # Index file
unique_subject = no  # Require unique subject
# Applies to every certificate signed with this section, client certificates
# included, unless -days is given on the command line (3652 days is ten years).
default_days = 3652  # How long to certify for
default_md = sha256  # MD to use
policy = match_pol  # Default naming policy
email_in_dn = no  # Add email to cert DN
preserve = no  # Keep passed DN ordering
name_opt = $name_opt  # Subject DN display options
cert_opt = ca_default  # Certificate display options
# "none": extensions requested in a CSR are ignored; an issued certificate
# carries only the extensions of the section selected at signing time.
copy_extensions = none  # Copy extensions from CSR
# The default extension section is the CA profile (CA:true). Client
# certificates must therefore be signed with `-extensions client_ext`;
# without it the issued certificate would get the CA extensions.
x509_extensions = ca_ext  # Default cert extensions
default_crl_days = 365  # How long before next CRL
crl_extensions = crl_ext  # CRL extensions

# Naming policy selected by `policy` in [ root_ca ].
[ match_pol ]
countryName = match  # Must match the CA's value ('NL')
stateOrProvinceName = optional  # Included if present
localityName = optional  # Included if present
organizationName = match  # Must match the CA's value ('Frotmail.nl')
organizationalUnitName = optional  # Included if present
commonName = supplied  # Must be present

# Alternative policy; no `policy =` line in this file refers to it.
[ any_pol ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# Extensions

# Profile for the CA certificate itself. pathlen:0 allows this CA to sign
# end-entity certificates but no further CA certificates below it.
[ ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info

# Profile for client certificates: not a CA, usable for TLS client
# authentication only.
[ client_ext ]
keyUsage = critical,digitalSignature
basicConstraints = CA:false
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info

[ crl_ext ]
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info

[ issuer_info ]
caIssuers;URI.0 = $aia_url

[ crl_info ]
URI.0 = $crl_url
client.conf
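# TLS client certificate request
#
# Read by `openssl req` to build the CSR for one user. The CA configuration
# on this page (rootca.conf) sets copy_extensions = none, so the extensions
# requested in [ client_reqext ] are not copied into the certificate; the
# issued certificate takes its extensions from the CA's client_ext section.

[ req ]
# Only used when `openssl req` generates the key itself; ignored when an
# existing key is passed with -key.
default_bits = 2048  # RSA key size
#encrypt_key = yes  # Protect private key
# SHA-1 is deprecated for signatures; sha256 matches default_md in rootca.conf.
default_md = sha256  # MD to use
utf8 = yes  # Input is UTF-8
string_mask = utf8only  # Emit UTF-8 strings
prompt = yes  # Prompt for DN
distinguished_name = client_dn  # DN template
req_extensions = client_reqext  # Desired extensions

# Prompts and defaults for the subject DN. The CA's match_pol policy requires
# countryName and organizationName to equal the CA's own values, so the
# defaults for those two fields should be accepted unchanged.
[ client_dn ]
countryName = "1. Country Name (2 letters) "
countryName_max = 2
countryName_default = NL
stateOrProvinceName = "2. State or Province Name "
stateOrProvinceName_default = Oirschot
localityName = "3. Locality Name "
organizationName = "4. Organization Name "
organizationName_default = Frotmail.nl
organizationalUnitName = "5. Organizational Unit Name "
organizationalUnitName_default = ClientSSL
commonName = "6. Common Name (Username) "
commonName_max = 64
#emailAddress = "7. Email Address (eg, name@fqdn)"
#emailAddress_max = 40

[ client_reqext ]
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash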
Commands
Create directories
# Directory named by new_certs_dir in rootca.conf (the certificate archive).
mkdir -p newcerts
Create database
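# CA name. Must equal `ca` in rootca.conf, which derives the names of the
# database and serial files from it; with the variable unset the files below
# would be created as ".db", ".crt.srl", ... and `openssl ca` would not find them.
ca=Frotmail.nl-ClientSSL

# Index file and its attribute file (database = $dir/$ca.db).
touch "$ca.db"
touch "$ca.db.attr"

# Starting serial number for certificates and starting number for CRLs.
echo 01 > "$ca.crt.srl"
echo 01 > "$ca.crl.srl"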
Create CA request
# Generate the CA key pair and a certificate request using the [ req ]
# section of rootca.conf.
# $ca is a shell variable here: set it to the CA name from rootca.conf
# (ca = Frotmail.nl-ClientSSL) before running the command.
# NOTE(review): rootca.conf sets encrypt_key = no, so $ca.key is written
# without a passphrase.
openssl req -new \
    -config rootca.conf \
    -out $ca.csr \
    -keyout $ca.key
We create a private key and a CSR for the TLS CA. The configuration is taken from the [req] section of the TLS CA configuration file.
Create CA certificate
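# Self-sign the CA request with the key it was created with.
# $ca is a shell variable here: set it to the CA name from rootca.conf
# (ca = Frotmail.nl-ClientSSL) before running the command.
# The extension section must be one that rootca.conf defines; the CA profile
# there is called ca_ext (there is no signing_ca_ext section in that file).
openssl ca -selfsign \
    -config rootca.conf \
    -in "$ca.csr" \
    -out "$ca.crt" \
    -extensions ca_ext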
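We use the root CA to issue the TLS CA certificate. Because of -selfsign, the certificate is signed with the same key the request was created with, so this CA is its own issuer.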
Create initial CRL
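# Generate the first CRL. The CA configuration file on this page is
# rootca.conf; it names the CRL number file and the crl_ext extensions.
# $ca is a shell variable here: set it to the CA name from rootca.conf
# (ca = Frotmail.nl-ClientSSL) before running the command.
openssl ca -gencrl \
    -config rootca.conf \
    -out "$ca.crl"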
We create an empty CRL.
client
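#!/bin/bash
# Issue a TLS client certificate for one user and bundle the key and the
# certificate into <username>.pfx.
#
# Usage: client USERNAME
#
# Run from the CA directory (rootca.conf uses dir = .). Only <username>.pfx
# is left behind; the key, CSR and certificate files are removed on exit,
# whether or not every step succeeded.

# Stop at the first failing command so a failed signing step is not followed
# by a PKCS#12 export, and treat unset variables as errors.
set -eu

# The private key is written unencrypted before it is packed into the .pfx;
# make sure new files are readable by the current user only.
umask 077

if [ -z "${1:-}" ]
then
    echo "Usage: $0 [username]" >&2
    exit 1
fi
user=$1

# The name becomes a file-name prefix in the CA directory, so accept only
# plain name characters: no path separators, whitespace, wildcards, or a
# leading dash or dot.
case "$user" in
    -* | .* | *[!A-Za-z0-9._-]*)
        echo "Invalid username: $user" >&2
        exit 1
        ;;
esac

# The CA keeps its own key and certificate in this directory as <ca>.key and
# <ca>.crt; a username equal to the CA name would overwrite them.
ca_name=Frotmail.nl-ClientSSL   # keep in sync with `ca` in rootca.conf
if [ "$user" = "$ca_name" ]
then
    echo "Username must not be the CA name: $user" >&2
    exit 1
fi

# Remove the intermediate files on every exit path so an unencrypted key is
# never left on disk after a failure.
trap 'rm -f -- "$user.csr" "$user.key" "$user.crt"' EXIT

# Clear artefacts of an earlier run. Only the files this script creates are
# named; a "$user".* glob could also match unrelated files in the CA directory.
rm -f -- "$user.key" "$user.csr" "$user.crt" "$user.pfx"

openssl genrsa -out "$user.key" 2048
openssl req -new -config client.conf -out "$user.csr" -key "$user.key"
# client_ext must be given explicitly: the default extension section in
# rootca.conf is the CA profile.
openssl ca -config rootca.conf -in "$user.csr" -out "$user.crt" -extensions client_ext
openssl pkcs12 -export -inkey "$user.key" -in "$user.crt" -out "$user.pfx"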