Table of Contents
In this article, we will see how to create a Certificate Authority (CA) with OpenSSL and sign a server certificate with it. This article is part of the OpenSSL tutorial series and is referenced by many other articles in the series.
We cover two ways of creating the CA and signing a certificate with it. The steps are almost the same; the difference is whether the CA private key is stored encrypted under a passphrase, which then has to be supplied every time the key is used for signing. Where the CA protects data or a network, the encrypted form is the one to prefer.
- CA creation without passphrase
- CA creation with passphrase
Certificate Authority creation without passphrase
Create CA private key
We need a private key for our CA; the genrsa command generates one. 2048-bit RSA is the common minimum today.
[root@3-vcp without_password]# openssl genrsa -out myCA_first.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
............................................+++
e is 65537 (0x10001)
Create Root Certificate Authority Certificate
We create the root CA certificate with openssl req -x509, self-signed with the CA private key. The -days argument sets how long the certificate is valid (1825 days, about five years, here). -nodes only matters when req generates a new key; since an existing key is supplied it has no effect and is harmless.
[root@3-vcp without_password]# openssl req -x509 -new -nodes -key myCA_first.key -sha256 -days 1825 -out myCA_firstCert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Utah
Locality Name (eg, city) [Default City]:Salt_Lake_City
Organization Name (eg, company) [Default Company Ltd]:Utah-ca-auth
Organizational Unit Name (eg, section) []:Utah-ca-section
Common Name (eg, your name or your server's hostname) []:Utah-Linux-Data-Hub
Email Address []:[email protected]
[root@3-vcp without_password]#
Verify the CA
Verify the CA certificate content. In the output below we can see the CA details and, in the X509v3 Basic Constraints section, CA:TRUE, which marks the certificate as a CA. The Subject Key Identifier and Authority Key Identifier are identical because the certificate is self-signed.
[root@3-vcp without_password]# openssl x509 -noout -text -in myCA_firstCert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 93:1e:e1:55:6d:83:20:41
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Utah, L=Salt_Lake_City, O=Utah-ca-auth, OU=Utah-ca-section, CN=Utah-Linux-Data-Hub/[email protected]
        Validity
            Not Before: Aug  1 10:23:58 2022 GMT
            Not After : Jul 31 10:23:58 2027 GMT
        Subject: C=US, ST=Utah, L=Salt_Lake_City, O=Utah-ca-auth, OU=Utah-ca-section, CN=Utah-Linux-Data-Hub/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        .
        .
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2D:28:E2:7D:59:7A:5F:B3:40:E2:04:E2:53:F2:5F:7F:3F:59:78:32
            X509v3 Authority Key Identifier:
                keyid:2D:28:E2:7D:59:7A:5F:B3:40:E2:04:E2:53:F2:5F:7F:3F:59:78:32
            X509v3 Basic Constraints:
                CA:TRUE
Signing using the Generated CA.
To simulate signing, we will create a simple CSR and then sign it with the generated CA.
Create Private key for CSR
Generate a private key for the CSR. This is the server's key and stays on the server; only the CSR, which carries the public key, is sent to the CA.
openssl genrsa -out CSRPrivate.key 2048
Create Certificate Signing Request (CSR)
With the private key from the step above, we create a CSR. The Common Name is the server hostname; the challenge password and optional company name can be left blank.
[root@3-vcp without_password]# openssl req -new -key CSRPrivate.key -out CSRRequest.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Banglore
Organization Name (eg, company) [Default Company Ltd]:Linux-Server
Organizational Unit Name (eg, section) []:Mondelsa
Common Name (eg, your name or your server's hostname) []:3-vcpudo
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@3-vcp without_password]#
Signing the CSR with CA cert
Now that the CSR is available, we use the CA certificate and its private key to sign it and produce the server certificate. The -days argument sets the expiry of the issued certificate, and -CAcreateserial creates the serial-number file (myCA_firstCert.srl) next to the CA certificate on first use and increments it afterwards.
[root@3-vcp without_password]# openssl x509 -req -in CSRRequest.csr -CA myCA_firstCert.pem -CAkey myCA_first.key -CAcreateserial -out SignedCertificate.crt -days 365 -sha256
Signature ok
subject=/C=IN/ST=Karnataka/L=Banglore/O=Linux-Server/OU=Mondelsa/CN=3-vcpudo/[email protected]
Getting CA Private Key
Verify the Content of the Signed Certificate
In the output, the CA's DN appears in the Issuer section and the validity is 365 days. Note also Version: 1 (0x0): because no -extfile was given to x509 -req, this OpenSSL release issued an X.509 v1 certificate with no extensions at all, so it carries no subjectAltName and no basicConstraints. Browsers and most modern TLS libraries ignore the Common Name and reject certificates without a subjectAltName, so for anything beyond a demo pass -extfile with subjectAltName and basicConstraints = CA:FALSE.
[root@3-vcp without_password]# openssl x509 -noout -text -in SignedCertificate.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 91:86:cc:b2:4d:09:16:99
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Utah, L=Salt_Lake_City, O=Utah-ca-auth, OU=Utah-ca-section, CN=Utah-Linux-Data-Hub/[email protected]
        Validity
            Not Before: Aug  1 15:13:51 2022 GMT
            Not After : Aug  1 15:13:51 2023 GMT
        Subject: C=IN, ST=Karnataka, L=Banglore, O=Linux-Server, OU=Mondelsa, CN=3-vcpudo/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Certificate Authority creation with passphrase
In this section, we will see the more secure form of CA creation: the CA private key is encrypted with a passphrase.
Create CA private key
Here we use the -des3 option, which prompts for a passphrase and encrypts the key file with it. The passphrase is needed whenever the key is used: when creating the CA certificate and when signing each certificate with the CA. On current OpenSSL releases -aes256 is the preferred cipher; -des3 is kept here because it is what the output below shows.
[root@3-vcp with_password]# openssl genrsa -des3 -out mySecondCA.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
...........................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for mySecondCA.key:
Verifying - Enter pass phrase for mySecondCA.key:
Create Root Certificate Authority Certificate
The CA certificate is created with the command below. In the snippet, the passphrase for the private key is prompted before the DN questions.
[root@3-vcp with_password]# openssl req -x509 -new -nodes -key mySecondCA.key -sha256 -days 1825 -out myCA_SecondCert.pem
Enter pass phrase for mySecondCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Delaware
Locality Name (eg, city) [Default City]:Dover
Organization Name (eg, company) [Default Company Ltd]:Delware-ca
Organizational Unit Name (eg, section) []:Del-ca-session
Common Name (eg, your name or your server's hostname) []:Dellas_ca
Email Address []:[email protected]
[root@3-vcp with_password]#
Verify the CA
We can verify the generated CA certificate with the command below; again the Basic Constraints section shows CA:TRUE.
[root@3-vcp with_password]# openssl x509 -noout -text -in myCA_SecondCert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ca:52:04:92:3b:d3:34:a8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Delaware, L=Dover, O=Delware-ca, OU=Del-ca-session, CN=Dellas_ca/[email protected]
        Validity
            Not Before: Aug  1 16:44:55 2022 GMT
            Not After : Jul 31 16:44:55 2027 GMT
        Subject: C=US, ST=Delaware, L=Dover, O=Delware-ca, OU=Del-ca-session, CN=Dellas_ca/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        ..
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2D:28:E2:7D:59:7A:5F:B3:40:E2:04:E2:53:F2:5F:7F:3F:59:78:32
            X509v3 Authority Key Identifier:
                keyid:2D:28:E2:7D:59:7A:5F:B3:40:E2:04:E2:53:F2:5F:7F:3F:59:78:32
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
Signing using the Generated CA.
We reuse the same CSR generated earlier. When signing it with this CA, the passphrase prompt for the CA key appears again. This adds a layer of protection: someone who copies the CA certificate and key file still cannot sign certificates without the passphrase. It does not protect against an attacker who can capture the passphrase as it is typed or read the key from the running process, so the key file should still live on a restricted host with tight file permissions.
[root@3-vcp with_password]# openssl x509 -req -in CSRRequest.csr -CA myCA_SecondCert.pem -CAkey mySecondCA.key -CAcreateserial -out SignedCertificate_withsecond_ca.crt -days 365 -sha256
Signature ok
subject=/C=IN/ST=Karnataka/L=Banglore/O=Linux-Server/OU=Mondelsa/CN=3-vcpudo/[email protected]
Getting CA Private Key
Enter pass phrase for mySecondCA.key:
[root@3-vcp with_password]#
Verify the signed Cert
The signed certificate shows the CA details in the Issuer section. As in the first section it is a v1 certificate without extensions, because no -extfile was supplied to x509 -req.
[root@3-vcp with_password]# openssl x509 -noout -text -in SignedCertificate_withsecond_ca.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: b6:4b:e4:0e:f2:e0:8a:db
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Delaware, L=Dover, O=Delware-ca, OU=Del-ca-session, CN=Dellas_ca/[email protected]
        Validity
            Not Before: Aug  1 16:50:58 2022 GMT
            Not After : Aug  1 16:50:58 2023 GMT
        Subject: C=IN, ST=Karnataka, L=Banglore, O=Linux-Server, OU=Mondelsa, CN=3-vcpudo/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
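The following is an added example, not code from the original article, that scripts the full procedure of both sections in POSIX sh and goes one step further than the text: the CA key is AES-256 encrypted with the passphrase supplied non-interactively, the root is created with explicit v3 extensions (CA:TRUE, pathlen:0, keyCertSign), and the leaf is signed with an -extfile carrying subjectAltName and CA:FALSE, followed by the checks a practitioner runs before trusting the result. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the file names, DN values, config contents and passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Scripts the CA workflow of
# both sections: an AES-encrypted CA key, a self-signed root with explicit
# v3 extensions, a server CSR, and a leaf signed with SAN and CA:FALSE.
# Assumes the openssl CLI (1.1.1 or 3.x) on PATH. File names, DN values,
# config contents and the passphrase are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# "pass:" is demo only: it shows up in process listings. Use "file:" or
# "env:" passphrase sources for real keys.
CA_PASS='pass:example-ca-passphrase'

# Root CA: encrypted key, then a self-signed v3 certificate whose extensions
# restrict it to signing leaf certificates (pathlen:0) and CRLs.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = US
ST = Utah
O = Example CA
CN = Example Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/ca.key" \
        -passin "$CA_PASS" -sha256 -days 1825 -out "$WORK/ca.pem"
}

# Server side: the private key stays here, only the CSR goes to the CA.
make_csr() {
    cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = IN
O = Linux-Server
CN = www.example.test
EOF
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/leaf.cnf" -key "$WORK/server.key" \
        -out "$WORK/server.csr"
}

# CA side: sign the CSR. The -extfile is what the article's x509 -req call
# lacks; without it the leaf has no subjectAltName, which modern TLS
# clients require (they ignore the CN).
sign_leaf() {
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -passin "$CA_PASS" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# The article's signing call (no -extfile), kept for contrast.
sign_leaf_noext() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -passin "$CA_PASS" -CAcreateserial \
        -days 365 -sha256 -out "$WORK/server_noext.crt" 2>/dev/null
}

# Checks to run before deploying: the chain builds to the root, the root
# really is a CA, the leaf is v3 and carries the expected SAN entry.
verify_chain() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }
is_ca()        { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
has_san()      { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
cert_version() { openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p' | head -n 1; }

make_ca
make_csr
sign_leaf
sign_leaf_noext
echo "Artifacts written to $WORK"
```

Run it with sh (for example as ca-demo.sh, a hypothetical file name); it writes everything to a temporary directory and leaves it for inspection with openssl x509 -text. Compared with the article's commands, the differences that matter are the -config for the root (so the CA's extensions are chosen deliberately rather than inherited from the system openssl.cnf) and the -extfile for the leaf; server_noext.crt is produced the article's way and has no subjectAltName, which is the certificate a browser will refuse.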