- OpenSSL config file stores various options for the OpenSSL library and utilities.
- Location → /opt/openssl-3.0.0/ssl/openssl.cnf or /etc/ssl/openssl.cnf
- It is usual to create a custom config file representing a particular CA, such as a root CA or an intermediate CA, instead of using the default OpenSSL config file.
- It is preferable to specify most parameters for the openssl ca subcommand in the config file rather than on the command line.
- If a parameter is given both in the config file and on the command line, the command line takes precedence.
- OpenSSL CA subcommand can:
  - issue certs
  - revoke certs
  - generate CRLs

Generating Root CA Certificate

- Let’s make a mini-ca directory where we will put all our CA-related files

    mkdir mini-ca
    cd mini-ca

- Inside the mini-ca dir we will create the root dir for the files related to the root CA

    mkdir root
    cd root

- Inside the root directory we will create a dir for issued certs, a cert index file and a CRL number file

    mkdir issued
    echo -n > index.txt
    echo 01 > crlnumber.txt

- Now we have to make a config file for our root CA; we will name this file root.cnf

    [ca]
    default_ca = CA_default

    [CA_default]
    database = index.txt
    new_certs_dir = issued
    certificate = root_cert.pem
    private_key = private/root_keypair.pem
    default_days = 3650
    default_md = default
    rand_serial = yes
    unique_subject = no
    name_opt = ca_default
    cert_opt = ca_default
    policy = policy_intermediate_cert
    x509_extensions = v3_intermediate_cert
    copy_extensions = copy
    crl_extensions = crl_extensions_root_ca
    crlnumber = crlnumber.txt
    default_crl_days = 30

    [req]
    prompt = no
    distinguished_name = distinguished_name_root_cert

    [distinguished_name_root_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = Root CA

    [policy_intermediate_cert]
    countryName = match
    stateOrProvinceName = match
    localityName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [v3_root_cert]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints = critical, CA:TRUE
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der

    [v3_intermediate_cert]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints = critical, CA:TRUE, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der

    [crl_extensions_root_ca]
    authorityKeyIdentifier = keyid:always, issuer
    crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der
database → Certificate database text file where each line has info about one cert
new_certs_dir → Directory to store new certs
default_md → Default message digest parameter. Putting default means that the same message digest algorithm that was used in a signing cert will be used in the signed cert.
rand_serial → Instructs the CA to issue certs with random serial numbers
policy → Specifies the config section that defines the default Subject policy for issued certs
copy_extensions → Instructs OpenSSL to copy X509v3 extensions from the CSR
- Generate Root CA Keypair

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/root_keypair.pem

- Generate Root CA CSR

    openssl req -config root.cnf -new -key private/root_keypair.pem -out root_csr.pem -text

Note: We have not supplied the Root Cert’s Subject line. openssl req will figure out the Subject from the root.cnf file.

- Issue Root CA Cert

    openssl ca -config root.cnf -extensions v3_root_cert -selfsign -in root_csr.pem -out root_cert.pem

After issuing the certificate, openssl ca saves a copy of the issued cert in the issued directory.

Generate An Intermediate CA

Create a directory called intermediate at the same level as root, inside the mini-ca dir.

- Let’s generate all the required files

    cd mini-ca
    mkdir intermediate
    cd intermediate
    mkdir issued
    echo -n > index.txt
    echo 01 > crlnumber.txt

- An example of an intermediate.cnf file

    [ca]
    default_ca = CA_default

    [CA_default]
    database = index.txt
    new_certs_dir = issued
    certificate = intermediate_cert.pem
    private_key = private/intermediate_keypair.pem
    default_days = 365
    default_md = default
    rand_serial = yes
    unique_subject = no
    name_opt = ca_default
    cert_opt = ca_default
    policy = policy_server_cert
    x509_extensions = v3_server_cert
    copy_extensions = copy
    crl_extensions = crl_extensions_intermediate_ca
    crlnumber = crlnumber.txt
    default_crl_days = 30

    [req]
    prompt = no
    distinguished_name = distinguished_name_intermediate_cert

    [distinguished_name_intermediate_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = Intermediate CA

    [policy_server_cert]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [policy_client_cert]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = supplied

    [v3_server_cert]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints = critical, CA:FALSE
    nsCertType = server
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der
    authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/

    [v3_client_cert]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints = critical, CA:FALSE
    nsCertType = client, email
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der
    authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/

    [v3_ocsp_cert]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always, issuer
    basicConstraints = critical, CA:FALSE
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning
    crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der
    authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/

    [crl_extensions_intermediate_ca]
    authorityKeyIdentifier = keyid:always, issuer
    crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der
    authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/

- Let’s generate the Intermediate CA keypair and CSR

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/intermediate_keypair.pem
    openssl req -config intermediate.cnf -new -key private/intermediate_keypair.pem -out intermediate_csr.pem -text
- Next step is to issue the intermediate CA certificate. But this must be issued by the root CA. Therefore we will issue it from the root directory

    cd ../root/
    openssl ca -config root.cnf -extensions v3_intermediate_cert -in ../intermediate/intermediate_csr.pem -out ../intermediate/intermediate_cert.pem

Generating Certificate For Web Server

- We will issue a leaf cert. We will need to create the CA-related files in its directory

    cd mini-ca
    mkdir server
    cd server

- Server config file (server.cnf)

    [req]
    prompt = no
    distinguished_name = distinguished_name_server_cert
    req_extensions = v3_server_cert

    [distinguished_name_server_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = internal.tls-experts.no

    [v3_server_cert]
    subjectAltName = DNS:mirror1.tls-experts.no, DNS:mirror2.tls-experts.no

- Generate a keypair and a CSR for our server certificate

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/server_keypair.pem
    openssl req -config server.cnf -new -key private/server_keypair.pem -out server_csr.pem -text

Note: We did not supply the -reqexts v3_server_cert option because that section is already set as the default extensions section by the req_extensions option in the config file.

- Generate Server Certificate

    cd ../intermediate/
    openssl ca -config intermediate.cnf -in ../server/server_csr.pem -out ../server/server_cert.pem
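
The intermediate CA above signs with copy_extensions = copy, and policy_server_cert only constrains Subject fields, so the subjectAltName requested in a CSR ends up in the issued cert unless someone checks it first. The following is an added example, not part of the original page: the function name check_csr_sans, the allowed domain and the sample CSR dump (including login.example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): vet the DNS SANs a CSR requests
# before signing it with a CA that has copy_extensions = copy.

# check_csr_sans DOMAIN: reads `openssl req -noout -text` output on stdin.
# Prints OK/REJECT/REVIEW per SAN entry; returns 1 if any entry is rejected.
check_csr_sans() {
    awk -v dom="$1" '
    /X509v3 Subject Alternative Name/ { grab = 1; next }
    grab {
        grab = 0
        gsub(/^[ \t]+/, "")
        n = split($0, san, /, */)
        suffix = "." tolower(dom)
        for (i = 1; i <= n; i++) {
            # Non-DNS entries (email, IP Address, URI) need a human decision.
            if (san[i] !~ /^DNS:/) { print "REVIEW " san[i]; continue }
            name = tolower(substr(san[i], 5))
            if (index(name, "*")) { print "REVIEW " name; continue }
            tail = substr(name, length(name) - length(suffix) + 1)
            if (name == tolower(dom) || (length(name) > length(suffix) && tail == suffix)) {
                print "OK " name
            } else {
                print "REJECT " name; bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: excerpt of a CSR text dump with one out-of-scope name.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: C = NO, ST = Oslo, L = Oslo, O = TLS Experts, CN = internal.tls-experts.no
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:mirror1.tls-experts.no, DNS:mirror2.tls-experts.no, DNS:login.example.com
EOF
}

sample_csr_text | check_csr_sans tls-experts.no || echo "CSR rejected: do not sign"
```

In the workflow above, run it from the intermediate directory as `openssl req -in ../server/server_csr.pem -noout -text -verify | check_csr_sans tls-experts.no` before calling openssl ca. Decode the PEM this way rather than reading the text dump that -text wrote at the top of the CSR file, because that leading text is not covered by the CSR signature.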

Generate Certificate for Web And Email Client

- Need to make directories

    cd mini-ca
    mkdir client
    cd client

- Client config (client.cnf)

    [req]
    prompt = no
    distinguished_name = distinguished_name_client_cert
    req_extensions = v3_client_cert

    [distinguished_name_client_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = Thor Odinson
    emailAddress = thor@tls-experts.no

    [v3_client_cert]
    subjectAltName = @subject_alt_names

    [subject_alt_names]
    email.1 = postmaster@tls-experts.no
    email.2 = hostmaster@tls-experts.no

- Let’s generate the client keypair and CSR

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/client_keypair.pem
    openssl req -config client.cnf -new -key private/client_keypair.pem -out client_csr.pem -text

- Issue client cert

    cd ../intermediate/
    openssl ca -config intermediate.cnf -policy policy_client_cert -extensions v3_client_cert -in ../client/client_csr.pem -out ../client/client_cert.pem

For the client certificate the command is longer than for the server because we have to supply the -policy and -extensions switches. The default policy and extension sections are reserved for server certs because they are issued more often than client certs.

- One more thing that can be useful when making a client certificate is packaging the cert, its private key and verification chain into a Public-Key Cryptography Standards #12 (PKCS#12) container

    cd ../client/
    cat ../intermediate/intermediate_cert.pem ../root/root_cert.pem > certfile.pem
    openssl pkcs12 -export -inkey private/client_keypair.pem -in client_cert.pem -certfile certfile.pem -passout 'pass:SuperPa%%w0rd' -out client_cert.p12

Revoking Certificates And Generating CRLs

- Make a directory for the files

    cd mini-ca
    mkdir server2
    cd server2

- Make a similar server2.cnf file

    [req]
    prompt = no
    distinguished_name = distinguished_name_server_cert

    [distinguished_name_server_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = server2.tls-experts.no

- Next make the keypair and the CSR, and issue the certificate

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/server2_keypair.pem
    openssl req -config server2.cnf -new -key private/server2_keypair.pem -out server2_csr.pem -text
    cd ../intermediate/
    openssl ca -config intermediate.cnf -in ../server2/server2_csr.pem -out ../server2/server2_cert.pem

- Let’s generate a CRL when the server2 cert is not revoked yet

    openssl ca -config intermediate.cnf -gencrl -out intermediate_crl.pem

- Let’s view the generated CRL as text

    openssl crl -in intermediate_crl.pem -noout -text

This is a CRL with an X509v3 CRL number value of 1. This number has been taken from the crlnumber.txt file, which is configured by the crlnumber = crlnumber.txt line in the intermediate CA config file. The file will also contain the next CRL number in hex format.

- As we see, the CRL contains no revoked certs. Let’s revoke the server2 cert and regenerate the CRL

    openssl ca -config intermediate.cnf -revoke ../server2/server2_cert.pem -crl_reason keyCompromise

- Regenerate CRL

    openssl ca -config intermediate.cnf -gencrl -out intermediate_crl.pem

- Let’s inspect the updated CRL

    openssl crl -in intermediate_crl.pem -noout -text

- Another useful thing is to convert from Privacy-Enhanced Mail (PEM) format to the Distinguished Encoding Rules (DER) format because CRL distribution points usually serve CRLs in the DER format

    openssl crl -in intermediate_crl.pem -out intermediate_crl.der -outform DER

Providing Cert Revocation Status via OCSP

- To serve OCSP responses we have to sign them
- An OCSP response for a cert has to be signed by its issuer cert
- That cert must have OCSPSigning included in the X509v3 extendedKeyUsage extension

- Let’s make the directories

    cd mini-ca
    mkdir ocsp
    cd ocsp

- OCSP configuration file (ocsp.cnf)

    [req]
    prompt = no
    distinguished_name = distinguished_name_ocsp_cert

    [distinguished_name_ocsp_cert]
    countryName = NO
    stateOrProvinceName = Oslo
    localityName = Oslo
    organizationName = TLS Experts
    commonName = OCSP Responder

- Let’s create the OCSP responder cert

    mkdir private
    chmod 0700 private
    openssl genpkey -algorithm ED448 -out private/ocsp_keypair.pem
    openssl req -config ocsp.cnf -new -key private/ocsp_keypair.pem -out ocsp_csr.pem -text
    cd ../intermediate/
    # -extensions v3_ocsp_cert selects the section that sets extendedKeyUsage = OCSPSigning
    openssl ca -config intermediate.cnf -extensions v3_ocsp_cert -in ../ocsp/ocsp_csr.pem -out ../ocsp/ocsp_cert.pem

The generated cert can be used by an OCSP responder. The openssl ocsp subcommand can act as a simple OCSP server.

- Let’s start our test OCSP server from the ocsp dir

    cd ../ocsp/
    openssl ocsp -port 4480 -index ../intermediate/index.txt -CA ../intermediate/intermediate_cert.pem -rkey private/ocsp_keypair.pem -rsigner ocsp_cert.pem

- The openssl ocsp subcommand can also act as a client. Let’s use it in client mode and check the validity of the server cert. Let’s open another terminal and change to the mini-ca/ocsp dir

    openssl ocsp -url http://localhost:4480 -sha256 -CAfile ../root/root_cert.pem -issuer ../intermediate/intermediate_cert.pem -cert ../server/server_cert.pem

As we can see, the OCSP server has confirmed the validity of the server cert.

- Let’s check the status of the server2 cert

    openssl ocsp -url http://localhost:4480 -sha256 -CAfile ../root/root_cert.pem -issuer ../intermediate/intermediate_cert.pem -cert ../server2/server2_cert.pem
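
Both openssl ca -gencrl and the test OCSP responder (via -index ../intermediate/index.txt) take revocation state from the CA database file, so auditing index.txt shows what relying parties will be told. The following is an added example, not part of the original page: the function names, the serial numbers, the dates and the old.tls-experts.no entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an `openssl ca` database.
# index.txt fields are TAB-separated:
#   status (V/R/E), expiry, revocation[,reason], serial, file name, subject

# audit_index FILE [NOW]   NOW is UTC as YYYYMMDDHHMMSS (default: current time)
audit_index() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -F'\t' -v now="$now" '
    # UTCTime (YYMMDDHHMMSSZ) has a 2-digit year, GeneralizedTime a 4-digit one.
    function norm(t) {
        sub(/Z$/, "", t)
        if (length(t) == 12) t = ((substr(t, 1, 2) + 0 < 50) ? "20" : "19") t
        return t
    }
    NF != 6 { print "MALFORMED line " NR; next }
    $1 == "R" {
        n = split($3, rev, ",")
        print "REVOKED " $4 " reason=" (n > 1 ? rev[2] : "unspecified") " " $6
        next
    }
    # Still marked V after its expiry: the flag only becomes E when
    # `openssl ca -updatedb` is run.
    $1 == "V" && norm($2) < now { print "STALE " $4 " expired=" norm($2) " " $6; next }
    $1 == "V" { print "VALID " $4 " " $6; next }
    $1 == "E" { print "EXPIRED " $4 " " $6; next }
    { print "MALFORMED line " NR }
    ' "$1"
}

# Constructed sample database (not from a real CA).
sample_index() {
    dn='/C=NO/ST=Oslo/L=Oslo/O=TLS Experts/CN='
    printf 'V\t321231235959Z\t\t1A2B\tunknown\t%sinternal.tls-experts.no\n' "$dn"
    printf 'R\t321231235959Z\t240601120000Z,keyCompromise\t3C4D\tunknown\t%sserver2.tls-experts.no\n' "$dn"
    printf 'V\t230101000000Z\t\t5E6F\tunknown\t%sold.tls-experts.no\n' "$dn"
}

# "-" makes awk read the sample from standard input.
sample_index | audit_index - 20250101000000
```

Against the CA built above, run `audit_index ../intermediate/index.txt` after each revocation and compare the REVOKED lines with the regenerated CRL.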