Differences

This shows you the differences between two versions of the page.

--- software:openssl:createca [2025/10/19 03:10] – created rodolico
+++ software:openssl:createca [2025/10/20 00:01] (current) – rodolico
@@ Line 20: / Line 20: @@
 <code bash>
-# create a little directory tree.
-# Not required, but allows the certs to be kept organized
-mkdir -p /opt/localCert/newcerts
-mkdir -p /opt/localCert/private
-# this will store the indicies. Again, not required
-touch /opt/localCert/DailyDataCAindex
-cd /opt/localCert
 # create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char)
 openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
 # Create a CA certificate from it. You'll need to answer a bunch of questions here
+# see "create a config file" to keep from having to do that.
 openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt
 </code>
@@ Line 60: / Line 54: @@
 **Note**: The old way of generating keys was to use the command <code bash>openssl genrsa -des3 -out DailyDataCA.key 2048</code> but that has been supercseded by genpkey.
+==== Create a configuration file ====
+By creating a configuration file, you can bypass a lot of redundant questions and answers when generating certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).
+<code conf openssl.cnf>
+RANDFILE = ./.rnd # Used as a seed for random number generation for key files
+# this section is for requests
+[ req ]
+default_bits           = 2048 # make all private keys 2048 bits (default)
+default_md             = sha256 # use sha256 (default)
+prompt                 = no  # do not ask any questions you don't have to
+# override with -reqexts command line switch
+req_extensions         = v3_req # go look at v3_req section for the extensions def
+man x509v3_config
+# override with the -extensions command line switch
+distinguished_name     = req_distinguished_name # section where DN information stored
+# section holds Distinguished Name fields so we don't have to enter them all the time
+# Instead of abbreviations used below, may also use
+# commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName
+[ req_distinguished_name ]
+C                      = GB
+ST                     = Test State or Province
+L                      = Test Locality
+O                      = Organization Name
+OU                     = Organizational Unit Name
+CN                     = Common Name
+emailAddress           = test@email.address
+# used when generating certificate of authorities (ca)
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical, CA:true
+</code>
 ==== Create the CA Cert ====
@@ Line 72: / Line 104: @@
    -sha256 \
    -days 3650 \
+   -config openssl.cnf \
+   -reqexts v3_ca \
    -out DailyDataCA.pem
 </code>
-This will read the key file (.key) and generate a certificate from it.
+This will read the key file (.key) and generate a certificate from it. Parameters are:
+  * //req// - We are doing a certificate request
+  * //-x509// - we want an X509 certificate created. This is a self-signed certificate (instead of a certificate request). Required for generating a CA
+  * //-new// - Create a new certificate. This will require you to answer questions to generate a Distinguished Name (DN) if you did not create a config file with that information.
+  * //-key// - the name of the keyfile created earlier
+  * //-sha256// - The digest used to create the certificate. This is the default for RSA and only here for documentation
+  * //-days// - The number of days the certificate is valid. Before this time is up, a new CA must be generated, deployed to all workstations and new certs signed by the new key deployed to all services. Default is 30 days, but we set it to 10 years.
+  * //-config// - Name of the configuration file to use (if you created one).
+  * //-reqexts// - use v3_ca section of config file also (for generating CA)
+  * //-out// - name of the output file.
+==== View Cert ====
-Country Name (2 letter code) [AU]:US
+You can view the certificate you created using the -text. With this, you can see the issuer (itself, self signed), the Signature Algorithm, the DN (Distinguished Name, the line starting with Subject:) and information about the public key and signature.
-State or Province Name (full name) [Some-State]:Texas
-Locality Name (eg, city) []:Dallas
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data
-Organizational Unit Name (eg, section) []:Home Office
-Common Name (e.g. server FQDN or YOUR name) []:Rod
-Email Address []:joe@dailydata.net
+<code bash>
+openssl x509 -in ca.pem -text -noout
+</code>
+==== Modify openssl.cnf ====
+<code conf>
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+dir               = ./myCA              # Location of the CA certificate and private key
+database          = $dir/myCAindex      # Database index file
+new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
+certificate       = $dir/ca.crt         # The CA certificate
+private_key       = $dir/ca.key         # The CA private key
+default_md        = sha256              # Default digest method
+preserve          = no                  # Keep existing certificates (yes/no)
+policy            = policy_any          # Default policy for issuing certificates
+[ policy_any ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = required
+emailAddress            = optional
+</code>