Create a private CA, I use openSSL

Introduction

In general, the certificates we use are issued by third-party authorities. If we have a new https website, we need to apply for a certificate that is recognized worldwide so that our website can be accessed without barriers. .

If in some cases, our website or system is not public, but also needs to use the TLS protocol, then we need to build a CA server by ourselves. Such a CA server is called a private CA.

Friends who are familiar with certificates may say, why not use self-signed certificates? It can also achieve the purpose of secure communication.

This is because the self-signed certificate has a limited role, it does not have the capabilities of CRL and OCSP, and it is not very convenient to use. Therefore, we need a complete set of effective CA issuance system, which is also the purpose of building a private CA.

Build root CA

Before building the root CA, we need to create several suitable directories to save the relevant information of the CA. For example, we need a directory certs to save the certificate, a key to save the key, and a CA database db.

Among them, db needs an index file, serial file and crlnumber file.

We create the corresponding files and directories with the following commands:

 mkdir certs db keys
touch db/index
openssl rand -hex 16  > db/serial
echo 1001 > db/crlnumber

After the directory is built, we also need a very important root ca configuration file. In the future, CA-related information can be created based on this configuration file.

In general, the CA configuration file is not required, and the ca configuration file is only required when we need to create a more complex CA.

The following is an example of a CA configuration file:

 [default]
name                    = root-ca
domain_suffix           = flydean.com
default_ca              = ca_config
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_config]
database                = db/index
serial                  = db/serial
crlnumber               = db/crlnumber
certificate             = root-ca.crt
private_key             = keys/root-ca.key
RANDFILE                = keys/random
new_certs_dir           = certs
unique_subject          = no
copy_extensions         = none
default_days            = 365
default_crl_days        = 100
default_md              = sha256
policy                  = ca_policy

[ca_policy]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dist
req_extensions          = ca_req_ext

[ca_dist]
countryName             = "CN"
organizationName        = "flydean"
commonName              = "Root CA"

[ca_req_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[sub_ca_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
extendedKeyUsage        = clientAuth,serverAuth
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash

[crl_info]
URI.0                   = http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

[issuer_info]
caIssuers;URI.0         = http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
OCSP;URI.0              = http://ocsp.digicert.com

[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
noCheck                 = yes
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash

Generate root CA

With the above configuration file and directory information, the root CA can be generated.

First we need to create the private key and the csr file of the root ca as follows:

 openssl req -new -config root-ca.conf  -out root-ca.csr  -keyout keys/root-ca.key

Next we create a self-signed certificate, here we need to use the ca_req_ext section in the configuration file:

 openssl ca -selfsign  -config root-ca.conf  -in root-ca.csr   -out root-ca.crt -extensions ca_req_ext

After running the command, we will create a self-signed certificate file in the certs folder.

In addition, the following content is also written to the index file in the db:

 V    230501041451Z        4445DE5C0285EAEF2E58757D5CB1E949    unknown    /C=CN/O=flydean/CN=Root CA

This is a text file that stores the generated certificate index. The fields in the certificate are divided by tabs.

The first field V means valid, which means valid. This field can also have several other values, such as R for revoked and E for expired.

The second field is the expiration time in the format YYMMDDHHMMSSZ.

The third field is the Revocation date, if empty it means no revoced.

The fourth field is the serial number, which is the generated CA name.

The fifth field is the location of the file, unknown means unknown.

The last field is the name of this certificate, which is used to distinguish it from other certificates.

use CRL

Once we have root-ca.conf, we can use it to create a CRL:

 openssl ca -gencrl  -config root-ca.conf  -out root-ca.crl

The generated root-ca.crl file does not have any certificate information yet.

If we want to revoke an issued CA, we can use the following command:

 openssl ca  -config root-ca.conf  -revoke certs/torevoke.pem -crl_reason unspecified

You can specify the certificate to be revoke in revoke.

It should be noted here that we need to specify crl_reason, which can be the following values:

 unspecified
keyCompromise
CACompromise
affiliationChanged
superseded
cessationOfOperation
certificateHold
removeFromCRL

Use OSCP

For OSCP, an OCSP responder is required to respond to OCSP requests. The OCSP responder and the CA itself are not the same and need to be created separately.

First, we create the OCSP responder's key and certificate request CSR:

 openssl req -new  -newkey rsa:2048  -keyout keys/root-ocsp.key -out root-ocsp.csr

Of course, after entering the necessary parameters, the key and CSR can be generated.

Next I can use the root CA and root-ocsp.csr to issue the OCSP certificate, here we need to use the ocsp_ext section in the configuration file.

 openssl ca  -config root-ca.conf  -in root-ocsp.csr  -out root-ocsp.crt -extensions ocsp_ext  -days 10

The above command generates a certificate valid for 10 days for the OCSP responder.

With the certificate, we can easily build a local OCSP responder as follows:

 openssl ocsp  -port 9000 -index db/index  -rsigner root-ocsp.crt -rkey keys/root-ocsp.key  -CA root-ca.crt  -text
Enter pass phrase for keys/root-ocsp.key:
Waiting for OCSP client connections...

So we start an OCSP server side.

Open another window and execute the following command to request OCSP:

 openssl ocsp -issuer root-ca.crt  -CAfile root-ca.crt  -cert root-ocsp.crt   -url http://127.0.0.1:9000

The following results can be obtained:

 Response verify OK
root-ocsp.crt: good
    This Update: May  1 08:09:31 2022 GMT

This shows that the OCSP responder is successfully built.

What is started here is a local service, which can be considered to be migrated to a separate server in a formal environment.

Summarize

Using the above command, we built a private CA service, and the corresponding OCSP, openssl is very powerful, basically you can use it to do anything.

For more information, please refer to http://www.flydean.com/45-openssl-private-ca/

The most popular interpretation, the most profound dry goods, the most concise tutorial, many you do not know

Welcome to pay attention to my official account: "Program those things", understand technology, understand you better!