🧃

Running A Mini CA


 
  • OpenSSL config file stores various options for the OpenSSL library and utilities.
  • Location → /opt/openssl-3.0.0/ssl/openssl.cnf or /etc/ssl/openssl.cnf
  • Ususal to create custom config file representing a particular CA such as root CA or an intermediate CA instead of using the default openssl config file
  • Preferable to specify most parameters for the openssl ca subcommand in the config file rather than in the command line.
  • If both parameters are mentioned in the config file and the command line, then the command line takes precedence.
  • OpenSSL CA subcommand can:
    • issue certs
    • revoke certs
    • generate CRLs
 

Generating Root CA Certficate

 
  1. Let’s make a mini-ca directory where we will put all our CA-related files
    1. mkdir mini-ca cd mini-ca
  1. Inside the min-ca dir we will create the root dir for the files related to the root CA
    1. mkdir root cd roo
  1. Inside the root directory we will create a dir for issued certs, a cert index file and a CRL number file
    1. mkdir issued echo -n > index.txt echo 01 > crlnumber.txt
  1. Now we have to make a config file for our root CA; we will name this file root.cnf
    1. [ca] default_ca = CA_default [CA_default] database = index.txt new_certs_dir = issued certificate = root_cert.pem private_key = private/root_keypair.pem default_days = 3650 default_md = default rand_serial = yes unique_subject = no name_opt = ca_default cert_opt = ca_default policy = policy_intermediate_cert x509_extensions = v3_intermediate_cert copy_extensions = copy crl_extensions = crl_extensions_root_ca crlnumber = crlnumber.txt default_crl_days = 30 [req] prompt = no distinguished_name = distinguished_name_root_cert [distinguished_name_root_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = Root CA [policy_intermediate_cert] countryName = match stateOrProvinceName = match localityName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [v3_root_cert] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:TRUE keyUsage = critical, digitalSignature, cRLSign, keyCertSign crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der [v3_intermediate_cert] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:TRUE, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der [crl_extensions_root_ca] authorityKeyIdentifier = keyid:always, issuer crlDistributionPoints = URI:http://crl.tls-experts.no/root_crl.der
       
      database → Certificate database text file where each line has info about 1 cert
      new_certs_dir → Directory to store new certs
      default_md → Default Message Digest Parameter. Putting deault means that the same message digest algorithm that was used in a signing cert will be used in the signed cert.
      rand_serial → Instructs CA to issue certs with random serial numbers
      policy → Specifies the config section that defines the default issued cert’s Subject policy
      copy_extensions ⇒ Instructs OpenSSL to copy x509v3 extensions from the CSR
 
  1. Generate Root CA Keypair
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/root_keypair.pem
  1. Generate Root CA CSR
    1. openssl req -config root.cnf -new -key private/root_keypair.pem -out root_csr.pem -text
      Note: We have not supplied the Root Cert’s Subject line. The openssl req will figure out outh the Subject from the root.cnf file.
  1. Issue Root CA Cert
    1. openssl ca -config root.cnf -extensions v3_root_cert -selfsign -in root_csr.pem -out root_cert.pem
      After issuing the certificate openssl ca saves a copy of the issued cert in the issued directory
 
 

Generate An Intermediate CA

 
Place a directory called intermediate and place it in the same level as root inside the mini-ca dir
 
  1. Let’s generate all the required file
    1. cd mini-ca mkdir intermediate cd intermediate mkdir issued echo -n >index.txt echo 01 >crlnumber.txt
  1. An example of intermediate.cnf file
    1. [ca] default_ca = CA_default [CA_default] database = index.txt new_certs_dir = issued certificate = intermediate_cert.pem private_key = private/intermediate_keypair.pem default_days = 365 default_md = default rand_serial = yes unique_subject = no name_opt = ca_default cert_opt = ca_default policy = policy_server_cert x509_extensions = v3_server_cert copy_extensions = copy crl_extensions = crl_extensions_intermediate_ca crlnumber = crlnumber.txt default_crl_days = 30 [req] prompt = no distinguished_name = distinguished_name_intermediate_cert [distinguished_name_intermediate_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = Intermediate CA [policy_server_cert] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [policy_client_cert] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = supplied [v3_server_cert] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:FALSE nsCertType = server keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/ [v3_client_cert] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:FALSE nsCertType = client, email keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/ [v3_ocsp_cert] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/ [crl_extensions_intermediate_ca] authorityKeyIdentifier = keyid:always, issuer crlDistributionPoints = URI:http://crl.tls-experts.no/intermediate_crl.der authorityInfoAccess = OCSP;URI:http://ocsp.tls-experts.no/
  1. Let’s generate Intermediate CA keypair and CSR
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/intermediate_keypair.pem openssl req -config intermediate.cnf -new -key private/intermediate_keypair.pem -out intermediate_csr.pem -text
       
  1. Next step is to issue the intermediate CA certificate. But this must be issued by the root CA. Therefore we will issue it from the root directory
    1. cd ../root/ openssl ca -config root.cnf -extensions v3_intermediate_cert -in ../intermediate/intermediate_csr.pem -out ../intermediate/intermediate_cert.pem
       
 

Generating Certifiacete For Web Server

 
  1. We will issue a leaf cert. We will need to create Ca-related files in it’s directory
    1. cd mini-ca mkdir server cd server
  1. Server Config file
    1. [req] prompt = no distinguished_name = distinguished_name_server_cert req_extensions = v3_server_cert [distinguished_name_server_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = internal.tls-experts.no [v3_server_cert] subjectAltName = DNS:mirror1.tls-experts.no, DNS:mirror2.tls-experts.no
  1. Generate Keypair and a CSR for our server certificate
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/server_keypair.pem openssl req -config server.cnf -new -key private/server_keypair.pem -out server_csr.pem -text
      Note: We did not supply -reqexts v3_server_cert option as this is the default extensions section in the req_extensions option in the config file
  1. Generate Server Certificate
    1. cd ../intermediate/ openssl ca -config intermediate.cnf -in ../server/server_csr.pem -out ../server/server_cert.pem
 

Generate Certificate for Web And Email Client

 
  1. Need to make directories
    1. cd mini-ca mkdir client cd client
  1. Client Config
    1. [req] prompt = no distinguished_name = distinguished_name_client_cert req_extensions = v3_client_cert [distinguished_name_client_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = Thor Odinson emailAddress = thor@tls-experts.no [v3_client_cert] subjectAltName = @subject_alt_names [subject_alt_names] email.1 = postmaster@tls-experts.no email.2 = hostmaster@tls-experts.no
  1. Let’s generate Cert Keypair and CSR
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/client_keypair.pem openssl req -config client.cnf -new -key private/client_keypair.pem -out client_csr.pem -text
  1. Issue client cert
    1. cd ../intermediate/ openssl ca -config intermediate.cnf -policy policy_client_cert -extensions v3_client_cert -in ../client/client_csr.pem -out ../client/client_cert.pem
For the client certificate the command is longer than the server because we have to supplu the -policy and -extensions switches. The default polcy and extension sections are reserved for server certs because they are issued more often than client certs
  1. One more thing that can be useful when making a client certificate is packaging the cert, its private key and verification chain into a public key crypto stands #12 (PKCS#12) container
    1. cd ../client/ cat ../intermediate/intermediate_cert.pem ../root/root_cert.pem > certfile.pem openssl pkcs12 -export -inkey private/client_keypair.pem -in client_cert.pem -certfile certfile.pem -passout 'pass:SuperPa%%w0rd' -out client_cert.p12'
 
 

Revoking Certificates And Generating CRLs

 
  1. Make directory for files
    1. cd min-ca mkdir server2 cd server2
  1. Make a similar server2.cnf file
    1. [req] prompt = no distinguished_name = distinguished_name_server_cert [distinguished_name_server_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = server2.tls-experts.no
  1. Next make the keypair, the CSR and the issue the certificate
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/server2_keypair.pem openssl req -config server2.cnf -new -key private/server2_keypair.pem -out server2_csr.pem -out server2_csr.pem -text cd ../intermediate/ openssl ca -config intermediate.cnf -in ../server2/server2_csr.pem -out ../server2/server2_cert.pem
  1. Let’s generate a CRL when the server2 cert is not revoked yet
    1. openssl ca -config intermediate.cnf -gencrl -out intermediate_crl.pem
  1. Let’s view the generated CRL as text
    1. openssl crl -in intermediate_crl.pem -noout -text
      This is a CRL with an X509v3 CRL number value of 1. This number has been taken from the crlnumber.txt file, which is configured by the crlnumber = crlnumber.txt line in the intermediate CA config file. File will also contain the next CRL number in hex format.
  1. As we see, the CRL contains no cert that are revoked. Let’s revoke server2 cert and regenerate the CRL
    1. opessl ca -config intermediate.cnf -revoke ../server2/server2_cert.pem -crl_reason keyCompromise
  1. Regenerate CRL
    1. openssl ca -config intermediate.cnf -gencrl -out intermediate_crl.pem
  1. Let’s inspect the updated CRL
    1. openssl crl -in intermediate_crl.pem -noout -text
  1. Another useful this is to convert from Privacy-Enhanced Mail (PEM) format to the Distinguished Encoding Rules (DER) format because CRL distribution points usually server CRLs in the DER format
    1. openssl crl -in intermediate_crl.pem -out intermediate_crl.der -outform DER
 

Providing Cert Revocation Status via OCSP

 
  • To serve OCSP responses we have to sign them
  • OCSP response for cert has to be signed by its issuer cert
  • That cert must have OCSPSigning included int he X509v3 extendedKeyUsage extension
 
  1. Let’s make the directories
    1. cd mini-ca mkdir ocsp cd ocsp
  1. OCSP Configuration File
    1. [req] prompt = no distinguished_name = distinguished_name_ocsp_cert [distinguished_name_ocsp_cert] countryName = NO stateOrProvinceName = Oslo localityName = Oslo organizationName = TLS Experts commonName = OCSP Responder
  1. Let’s create the OCSP responder cert
    1. mkdir private chmod 0700 private openssl genpkey -algorithm ED448 -out private/ocsp_keypair.pem openssl req -config ocsp.cnf -new -key private/ocsp_keypair.pem -out ocsp_csr.pem -text cd ../intermediate/ openssl ca -config intermediate.cnf -in ../ocsp/ocsp_csr.pem -out ../ocsp/ocsp_cert.pem
      The generated cert can be used by an OCSP responder.
      The openssl ocsp subcommand can act as a simple OCSP server.
  1. Let’s start our test OCSP server from the ocsp dir
    1. cd ../ocsp/ openssl ocsp -port 4480 -index ../intermediate/index.txt -CA ../intermediate/intermediate_cert.pem -rkey private/ocsp_keypair.pem -rsigner ocsp_cert.pem
  1. The openssl OCSP can also act as a client. Let’s use it in client mode and check the validity of the server cert. Let’s open another terminal and changet to the mini-ca/ocsp dir
    1. openssl ocsp -url http://localhost:4480 -sha256 -CAfile ../root/root_cert.pem -issuer ../intermediate/intermediate_cert.pem -cert ../server/server_cert.pem
      As we can see the OCSP server has confirmed the validity of the server cert
  1. Let’s check the status of the server2 cert
    1. openssl ocsp -url http://localhost:4480 -sha256 -CAfile ../root/root_cert.pem -issuer ../intermediate/intermediate_cert.pem -cert ../server2/server2_cert.pem