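# Building my own CA by openssl 1.0.2k
# Written by Robert G. Moskowitz, HTT Consulting, LLC
# 2017-08-21
# https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
# with ECDSA help from:
# https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations
# Updated per RFC 6125 to use subjectAltName rather than CN or emailAddress
# ToDo - CRL OCSP
#
# What this script does, in order:
#   1. Root CA under /root/ca2: passphrase-protected EC key (prime256v1) and
#      a self-signed certificate valid for 7300 days.
#   2. Intermediate (signing) CA under /root/ca2/intermediate: key, CSR, and a
#      3650-day certificate issued with openssl-root.cnf, plus a chain file.
#   3. One server and one client certificate (375 days each) issued with
#      openssl-intermediate.cnf.

# PEM password = testca
# (test-only value; genpkey -aes256 below prompts for the passphrase)

# ---------------------------------------------------------------- Root CA

export dir=/root/ca2
export cadir=/root/ca2
mkdir "$dir"
# Stop here if the directory is unavailable; otherwise every command below
# would create CA material in whatever the current directory happens to be.
cd "$dir" || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
touch serial
sn=8 # hex 8 is minimum, 19 is maximum

# NOTE(review): this config is fetched over plain HTTP with no integrity
# check. It defines the CA's policy and extensions, so inspect it (or compare
# it with a known-good copy) before any openssl command below reads it.
wget http://www.htt-consult.com/pki/openssl-root.cnf

# edit defaults in [ req_distinguished_name ]

# For added security while using openssl consider:
#   restore_mask=$(umask -p)
#   umask 077
# then afterwards restore umask
#   $restore_mask

# Provide DN objects. Any not wanted, leave blank as OU is below.
countryName="/C=US"
stateOrProvinceName="/ST=MI"
localityName="/L=Oak Park"
organizationName="/O=HTT Consulting"
#organizationalUnitName="/OU="
organizationalUnitName=
commonName="/CN=Root CA"
DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName
echo "$DN"
# Exported for child processes; presumably the .cnf files pick it up from the
# environment -- confirm against openssl-root.cnf.
export subjectAltName=email:postmaster@htt-consult.com

openssl genpkey -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -pkeyopt ec_param_enc:named_curve -out private/ca.key.pem
chmod 400 private/ca.key.pem
openssl pkey -in private/ca.key.pem -text -noout

# 7300 days = 20 years; Intermediate CA is 10 years.
openssl req -config openssl-root.cnf \
  -set_serial "0x$(openssl rand -hex "$sn")" \
  -key private/ca.key.pem -subj "$DN" \
  -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
# openssl x509 -in certs/ca.cert.pem -text -noout
openssl x509 -purpose -in certs/ca.cert.pem -inform PEM

# ------------------------------------------- Intermediate (Signing) CA

export dir=$cadir/intermediate
mkdir "$dir"
cd "$dir" || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
sn=8 # hex 8 is minimum, 19 is maximum
openssl rand -hex "$sn" > "$dir/serial"
echo 1000 > "$dir/crlnumber"

# NOTE(review): plain HTTP, no integrity check -- same caveat as for
# openssl-root.cnf above.
wget http://www.htt-consult.com/pki/openssl-intermediate.cnf

# cd $dir
commonName="/CN=Signing CA"
DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName
echo "$DN"

openssl genpkey -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -pkeyopt ec_param_enc:named_curve -out "$dir/private/intermediate.key.pem"
chmod 400 "$dir/private/intermediate.key.pem"
openssl pkey -in "$dir/private/intermediate.key.pem" -text -noout

openssl req -config "$cadir/openssl-root.cnf" \
  -key "$dir/private/intermediate.key.pem" \
  -subj "$DN" -new -sha256 -out "$dir/csr/intermediate.csr.pem"
openssl req -text -noout -verify -in "$dir/csr/intermediate.csr.pem"

# Issued with the ROOT config. NOTE(review): which index/serial files this
# step uses depends on how openssl-root.cnf resolves dir vs. cadir -- confirm.
openssl ca -config "$cadir/openssl-root.cnf" -extensions v3_intermediate_ca \
  -days 3650 -notext -md sha256 \
  -in "$dir/csr/intermediate.csr.pem" -out "$dir/certs/intermediate.cert.pem"
chmod 444 "$dir/certs/intermediate.cert.pem"

openssl verify -CAfile "$cadir/certs/ca.cert.pem" \
  "$dir/certs/intermediate.cert.pem"
openssl x509 -noout -text -in "$dir/certs/intermediate.cert.pem"

# Chain file: intermediate first, then root.
cat "$dir/certs/intermediate.cert.pem" "$cadir/certs/ca.cert.pem" \
  > "$dir/certs/ca-chain.cert.pem"
chmod 444 "$dir/certs/ca-chain.cert.pem"

# ------------------------------------------------------------ Server Cert

# cd $dir
commonName=
DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName
echo "$DN"
serverfqdn=www.example.com
export subjectAltName="DNS:$serverfqdn, email:postmaster@htt-consult.com"
echo "$subjectAltName"

# No -aes256 here: the server key is written unencrypted, so the file mode
# set by the chmod below is its only protection. The chmod must therefore
# name the same .key.pem file that genpkey just wrote.
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -pkeyopt ec_param_enc:named_curve -out "$dir/private/$serverfqdn.key.pem"
chmod 400 "$dir/private/$serverfqdn.key.pem"
openssl pkey -in "$dir/private/$serverfqdn.key.pem" -text -noout

openssl req -config "$dir/openssl-intermediate.cnf" \
  -key "$dir/private/$serverfqdn.key.pem" \
  -subj "$DN" -new -sha256 -out "$dir/csr/$serverfqdn.csr.pem"
openssl req -text -noout -verify -in "$dir/csr/$serverfqdn.csr.pem"

# Fresh random serial for the certificate about to be issued.
openssl rand -hex "$sn" > "$dir/serial" # hex 8 is minimum, 19 is maximum
openssl ca -config "$dir/openssl-intermediate.cnf" -extensions server_cert \
  -days 375 -notext -md sha256 \
  -in "$dir/csr/$serverfqdn.csr.pem" -out "$dir/certs/$serverfqdn.cert.pem"
chmod 444 "$dir/certs/$serverfqdn.cert.pem"

openssl verify -CAfile "$dir/certs/ca-chain.cert.pem" \
  "$dir/certs/$serverfqdn.cert.pem"
openssl x509 -noout -text -in "$dir/certs/$serverfqdn.cert.pem"

# ------------------------------------------------------------ Client Cert

# cd $dir
commonName=
UserID="/UID=rgm"
DN=$countryName$stateOrProvinceName$localityName$organizationName$organizationalUnitName$commonName$UserID
echo "$DN"
clientemail=rgm@example.com
export subjectAltName="email:$clientemail"
echo "$subjectAltName"

# Client key is also written unencrypted (no -aes256); mode 400 protects it.
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -pkeyopt ec_param_enc:named_curve -out "$dir/private/$clientemail.key.pem"
chmod 400 "$dir/private/$clientemail.key.pem"
openssl pkey -in "$dir/private/$clientemail.key.pem" -text -noout

openssl req -config "$dir/openssl-intermediate.cnf" \
  -key "$dir/private/$clientemail.key.pem" \
  -subj "$DN" -new -sha256 -out "$dir/csr/$clientemail.csr.pem"
openssl req -text -noout -verify -in "$dir/csr/$clientemail.csr.pem"

# Fresh random serial for the certificate about to be issued.
openssl rand -hex "$sn" > "$dir/serial" # hex 8 is minimum, 19 is maximum
openssl ca -config "$dir/openssl-intermediate.cnf" -extensions usr_cert \
  -days 375 -notext -md sha256 \
  -in "$dir/csr/$clientemail.csr.pem" -out "$dir/certs/$clientemail.cert.pem"
chmod 444 "$dir/certs/$clientemail.cert.pem"

openssl verify -CAfile "$dir/certs/ca-chain.cert.pem" \
  "$dir/certs/$clientemail.cert.pem"
openssl x509 -noout -text -in "$dir/certs/$clientemail.cert.pem"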