Creating a Personal Root Certificate Authority

types of files

file name Description
key, cakey.pem PRIVATE key used for decryption of the RSA handshake
crt, cacert.pem public key. sent out and installed in browser/keychain
crl, crl.pem cert revocation list. used to revoke a comprimised key.
csr request to sign a cert by the CA root key

Setting up the root certificate authority

This section should only need to be done once for your root CA

create directories to store the CA files

mkdir certs crl newcerts private
chmod 700 private/
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

now generate the new rsa PRIVATE key

openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

make the CA cert

openssl req -new -x509 -days 3650 -config openssl.cnf -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

Generating a new signed cert

openssl genrsa -out private/www.redroom.me.ampache.key.pem 4096
chmod 400 private/www.redroom.me.ampache.key.pem
openssl req -sha256 -config openssl.cnf -new -key private/www.redroom.me.ampache.key.pem -out certs/www.redroom.me.ampache.csr.pem
openssl  ca -keyfile private/ca.key.pem -config openssl.cnf -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -in certs/www.redroom.me.ampache.csr.pem -out certs/www.redroom.me.ampache.cert.pem

now copy the key and cert, along with the root CA cert, to the server that will use the new cert.

ca.cert.pem
www.redroom.me.ampache.key.pem
www.redroom.me.ampache.cert.pem

any client (workstation) that wants to use the CA will need to install the root cert (ca.cert.pem) into the keychain. This will change depending on what system you are using. Directions to follow...

TODO

get the default names to work correctly figure out if the req section is used at all or not figure out the revocation steps

create the CA config file conf/openssl.cnf

#
# OpenSSL example configuration file.
#

# stops the following lines choking if HOME isn't defined.
HOME   = .
RANDFILE  = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca = CA_default  # The default ca section

####################################################################
[ CA_default ]

dir  = .
certs  = $dir/certs             # Where the issued certs are kept
crl_dir  = $dir/crl             # Where the issued crl are kept
database = $dir/index.txt       # database index file.
new_certs_dir = $dir/newcerts   # default place for new certs.

certificate = $dir/ca.cert.pem  # The CA certificate
serial  = $dir/serial           # The current serial number
crlnumber = $dir/crlnumber      # the current crl number
crl  = $dir/crl.pem             # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/private/.rand   # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

name_opt  = ca_default          # Subject Name options
cert_opt  = ca_default          # Certificate field options

default_days = 365              # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md = sha256             # use public key default MD
preserve = no                   # keep passed DN ordering
policy = policy_match           # default matching for signing

####################################################################
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits    = 4096
default_md    = sha256
#default_keyfile   = privkey.pem
distinguished_name  = req_distinguished_name
#attributes   = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

####################################################################
[ req_distinguished_name ]
### Must match CA cert
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ohio
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Site

### Optional to match CA cert
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = mysite.com

### Fully optional names
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
emailAddress = Email Address

# SET-ex3 = SET extension number 3

####################################################################
#[ req_attributes ]
#challengePassword  = A challenge password
#challengePassword_min  = 4
#challengePassword_max  = 20

####################################################################
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE

# This will be displayed in Netscape's comment listbox.
nsComment   = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

####################################################################
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
distinguished_name = req_distinguished_name

####################################################################
[ v3_ca ]
# Extensions for a typical CA
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

####################################################################
[ crl_ext ]
# CRL extensions.
authorityKeyIdentifier=keyid:always
crl_extensions = crl_ext