Todd Smith Org

April 1, 2009

Howto Create your own Certificate Authority (the easy way)

Filed under: Security Technology,Unix Administration,Web Hosting — admin @ 6:54 pm

Create your own Certificate Authority in less than 10 minutes

This script lets you create a Certificate Authority (CA) so you can sign your own certificates. It has two requirements: a *nix machine with /bin/sh, /bin/bash or a compatible shell, and the openssl command-line tool from the OpenSSL project. You can start the timer now…

I’ve written a script to greatly simplify and automate both creating the Certificate Authority and creating certificates. The script has two basic functions:

  1. Create a Certificate Authority
  2. Create keys, certificates, and certificate signing requests, and sign them using the Certificate Authority

Directions for Use

To get this all set up and running, you just need to create a directory, create two files, and execute one of them. Edit openssl.cnf with your favorite text editor (vim, emacs, nano, pico, ed, joe, whatever), put in your info and then run CAAdmin.sh to get started.

Open a terminal and follow along.

Create a working directory (copy and paste this block of code into your terminal)

mkdir Certificate_Authority_Admin
cd Certificate_Authority_Admin

Create openssl.cnf (copy and paste this block of code into your terminal; the quotes around EoF keep the shell from expanding the $dir references while it writes the file, which would otherwise turn $dir/serial into /serial)

cat << 'EoF' > openssl.cnf
#
# OpenSSL configuration file.
#
# Paths are relative to the directory CAAdmin.sh is run from.

# Establish working directory.
dir = "CA"

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/public/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 730
default_md = sha256 # md5 is collision-prone; the sample run below was made with md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
x509_extensions = v3_req # extensions stamped onto the certificates this CA issues

[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048 # Size of keys (the sample run below used 1024)
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req # extensions placed in a certificate request
x509_extensions = v3_ca # extensions for the self-signed CA certificate (req -x509)

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = ToddSmith, Org
organizationalUnitName_default = Secure Services
countryName_default = US
localityName_default = Los Angeles
emailAddress_default = ca@toddsmith.org
stateOrProvinceName_default = California
commonName_default = toddsmith.org

# Applied to the CA certificate only: marks it as a CA.
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# Applied to server certificates: they must never act as a CA.
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EoF

Create the CAAdmin script (copy and paste this block of code into your terminal; as with openssl.cnf, the quoted 'EoF' delimiter keeps the shell from expanding the $variables while it writes the file)

cat << 'EoF' > CAAdmin.sh
#!/bin/sh
# CAAdmin.sh: create a Certificate Authority, then issue server certificates
# signed by it. Run it from the directory that holds openssl.cnf; the paths
# in that file are relative to this directory.
cadir=CA
conf="openssl.cnf"
cwd=$(pwd)

if [ ! -f "$conf" ] ; then
        echo "Must setup an openssl.cnf"
        exit 1
fi

printf "Do you want to create a Certificate Authority? [yes or no] : " && read answer
if [ "X$answer" = "Xyes" ] ; then
        mkdir -p "$cadir"
        cd "$cadir"
        mkdir -p public crl newcerts private
        chmod 700 private    # only the CA operator should be able to read cakey.pem
        echo 01 > serial
        cp /dev/null index.txt
        # The CA certificate must outlive every certificate it signs
        # (default_days in openssl.cnf), so it gets ten years rather than one.
        openssl req -new -x509 -keyout private/cakey.pem -out public/cacert.pem -days 3650 -config "../$conf" || exit 1
        cd "$cwd"
fi

printf "Do you want to create a certificate for an SSL enabled server? [yes or no] : " && read answer
[ "X$answer" = "Xyes" ] || exit 0

printf "What is the name of this cert / key? (certfilename) : " && read certfile
if [ -n "$certfile" ] ; then
        unset answer
        # Generate an unencrypted server key (key.pem) and a request, then
        # display the request so it can be checked before the CA signs it.
        openssl req -new -nodes -out req.pem -config "$conf" && \
        mv key.pem "${certfile}.key.pem" && \
        mv req.pem "${certfile}.req.pem" && \
        openssl req -in "${certfile}.req.pem" -text -verify -noout && \
        printf "Does information look correct? [yes or no] : " && read answer
        if [ "X$answer" = "Xyes" ] ; then
                unset answer
                openssl ca -out "${certfile}.crt.pem" -config "$conf" -infiles "${certfile}.req.pem"
        fi
        # "Stripping" removes the human-readable dump that openssl ca writes in
        # front of the PEM block, leaving a certificate any server can load.
        if [ -f "${certfile}.crt.pem" ] ; then
                printf "Do you want to strip the certificate? [yes or no] : " && read answer
                if [ "X$answer" = "Xyes" ] ; then
                        unset answer
                        mv "${certfile}.crt.pem" "${certfile}.crt.tmp"
                        openssl x509 -in "${certfile}.crt.tmp" -out "${certfile}.crt.pem" && \
                        key_stripped=1 && \
                        rm "${certfile}.crt.tmp"
                fi
        fi
        if [ "X$key_stripped" = "X1" ] ; then
                printf "Do you want to create a combined cert/key file? [yes or no] : " && read answer
                if [ "X$answer" = "Xyes" ] ; then
                        unset answer
                        cat "${certfile}.crt.pem" "${certfile}.key.pem" > "${certfile}.crtkey.pem"
                        chmod 600 "${certfile}.key.pem" "${certfile}.crtkey.pem"
                fi
        fi
fi
EoF

Edit openssl.cnf with your favorite editor to customize it for you, starting with the _default values in [ req_distinguished_name ]. While you are in there, check three things that a current TLS client will care about. default_md should be sha256, not md5, and default_bits should be at least 2048: MD5 signatures have been forgeable by collision since 2008, and 2048 bits has been the minimum RSA size public CAs may issue since 2014. The sample run below was captured with the original md5 and 1024-bit settings, which is why it reports a 1024 bit key and md5WithRSAEncryption. Make sure [ req ] contains x509_extensions = v3_ca and [ CA_default ] contains x509_extensions = v3_req; a v3_ca or v3_req section that nothing references is never applied, so the CA certificate would not carry CA:TRUE and the issued certificates would carry no extensions at all. Finally, v3_req has no subjectAltName; modern browsers ignore the commonName and match the hostname only against a subjectAltName, so add one (for example subjectAltName = DNS:mail.toddsmith.org) for each host you issue a certificate to.

Now I’m gonna run you through the script one time and you can see how simple it is.

tsmith@tejinashi:~/Certificate_Authority_Admin$ ls
CAAdmin.sh      openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$ sh CAAdmin.sh
Do you want to create a Certificate Authority? [yes or no] : yes
Generating a 1024 bit RSA private key
....................++++++
.++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:
Do you want to create a certificate for an SSL enabled server? [yes or no] : yes
What is the name of this cert / key? [certfile] : mail.toddsmith.org
Generating a 1024 bit RSA private key
..............................++++++
............................................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:mail.toddsmith.org
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=ToddSmith, Org, OU=Secure Services/emailAddress=ca@toddsmith.org, L=Los Angeles, ST=California, C=US, CN=mail.toddsmith.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d1:be:57:f7:e1:35:5b:01:fb:0d:20:06:23:dc:
                    44:f7:89:0e:f7:f6:71:5f:17:91:58:01:99:2f:75:
                    00:0d:e1:d7:0b:35:c1:90:e8:f9:56:a5:82:7b:a1:
                    97:79:b1:5b:7e:70:fd:cd:e0:95:5d:d1:f4:38:4d:
                    3f:00:fe:8a:a0:9a:66:2a:3c:45:27:e0:b1:98:3d:
                    40:2b:03:3c:5e:95:e1:48:79:a9:03:65:78:19:9b:
                    e9:39:06:6f:d6:ad:6f:12:55:dd:18:45:76:50:fd:
                    40:9a:60:7e:53:fb:67:0d:1b:1e:7f:e6:70:0d:ab:
                    2b:4c:45:5e:0e:df:c9:3f:5d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                56:61:49:B0:F8:DA:58:9E:4A:14:EF:3B:61:D4:74:AF:B6:AF:3A:ED
    Signature Algorithm: md5WithRSAEncryption
        b5:8d:6f:16:87:1f:cb:78:16:03:9f:95:cf:4b:8d:b8:81:c0:
        a9:e4:a0:de:c1:72:b0:3c:c8:2f:26:5e:ff:af:24:de:68:76:
        e9:d0:f3:36:6d:d6:ea:40:27:19:33:91:ec:89:42:7b:ac:18:
        82:59:bf:c3:22:83:77:79:19:a1:05:92:6f:43:be:17:0d:c0:
        e8:f5:f6:a0:fe:1b:05:ab:fd:56:b8:3a:3b:81:d0:e3:c4:60:
        14:db:2f:de:27:a7:da:bc:72:10:e7:de:77:16:18:5e:30:81:
        d2:c6:1e:bf:96:f6:23:42:c2:0a:2e:3e:15:ff:bf:82:be:9d:
        0d:16
Does information look correct? [yes or no] : yes
Using configuration from openssl.cnf
Enter pass phrase for CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'ToddSmith, Org'
organizationalUnitName:PRINTABLE:'Secure Services'
localityName          :PRINTABLE:'Los Angeles'
stateOrProvinceName   :PRINTABLE:'California'
countryName           :PRINTABLE:'US'
commonName            :PRINTABLE:'mail.toddsmith.org'
Certificate is to be certified until Apr  2 01:42:45 2011 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Do you want to strip the certificate? [yes or no] : yes
Do you want to create a combined cert/key file? [yes or no] : yes
tsmith@tejinashi:~/Certificate_Authority_Admin$ ls -1
CA
CAAdmin.sh
mail.toddsmith.org.crt.pem
mail.toddsmith.org.crtkey.pem
mail.toddsmith.org.key.pem
mail.toddsmith.org.req.pem
openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$

There you have it. If you want to create another certificate, run the script again. From this point forward you will want to answer “no” when the script asks if you want to create a new Certificate Authority; answering “yes” would re-run the CA setup, overwriting the CA key and resetting the serial and index files. I have not tested it.
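The script above never checks two things a practitioner wants to see: that the CA certificate really is a CA certificate, and that a certificate it issued actually verifies against it. The following is an added example, not the post's script or configuration, that runs the whole procedure non-interactively in a temporary directory and then performs those checks with openssl verify and openssl x509. It assumes only that the openssl command-line tool is on PATH; "Demo Root CA", www.example.test and the directory names are placeholders. Where it departs from the post's configuration (SHA-256 signatures, 2048-bit keys, a subjectAltName on the server certificate, and CA:TRUE actually applied to the CA certificate) the departure is deliberate.

```shell
#!/bin/sh
# Added example, not the post's script. Builds a throwaway CA and one server
# certificate non-interactively, then checks the result the way a TLS client
# would. "Demo Root CA" and www.example.test are placeholder names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_demo_ca NAME HOST: create a CA under $WORK/NAME and issue a cert for HOST.
make_demo_ca() {
    ca_dir="$WORK/$1"; host="$2"
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    echo 01 > "$ca_dir/serial"
    : > "$ca_dir/index.txt"
    export CA_DIR="$ca_dir"        # read by the config below as $ENV::CA_DIR

    # Quoted delimiter: the shell expands nothing here; openssl resolves $dir itself.
    cat > "$ca_dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ENV::CA_DIR
serial        = $dir/serial
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

    # Self-signed CA certificate with v3_ca applied (ten years, so it outlives
    # the one-year leaf certificates). Key left unencrypted only for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        -subj "/CN=Demo Root CA $1" -config "$ca_dir/openssl.cnf" -extensions v3_ca

    # Server key and request. The CA ignores extensions in the request and
    # stamps on the ones from this extension file (unquoted heredoc: $host is
    # meant to be filled in by the shell).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$ca_dir/$host.key.pem" -out "$ca_dir/$host.req.pem" \
        -subj "/CN=$host" -config "$ca_dir/openssl.cnf"
    cat > "$ca_dir/$host.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -extfile "$ca_dir/$host.ext" -extensions server_cert \
        -in "$ca_dir/$host.req.pem" -out "$ca_dir/$host.crt.pem"
}

# verify_chain CACERT LEAF: succeeds only if LEAF chains to CACERT.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca_cert CERT: succeeds if basicConstraints says CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# has_dns_san CERT HOST: succeeds if HOST is a DNS subjectAltName of CERT.
has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

if command -v openssl >/dev/null 2>&1; then
    make_demo_ca demo www.example.test
    verify_chain "$WORK/demo/cacert.pem" "$WORK/demo/www.example.test.crt.pem" && echo "chain verifies"
    is_ca_cert "$WORK/demo/cacert.pem" && echo "CA certificate carries CA:TRUE"
    has_dns_san "$WORK/demo/www.example.test.crt.pem" www.example.test && echo "leaf carries its SAN"
else
    echo "openssl not found on PATH; nothing to demonstrate" >&2
fi
```

Run it with sh. The two heredocs are quoted differently on purpose: the CA configuration uses a quoted delimiter so that $dir and $ENV::CA_DIR reach openssl untouched, while the extension file is written unquoted so the shell fills in the hostname. That distinction is exactly what goes wrong when a file full of $variables is written with an unquoted heredoc. The -extfile mechanism, together with basicConstraints = CA:FALSE in the server_cert section, is also what keeps a requester from smuggling CA:TRUE into an issued certificate through the request's own extensions.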

I hope that you found this useful.
