Error while loading crl number


Question about OpenSSL

Using configuration from /usr/lib/ssl/openssl.cnf

Error opening CA private key ./demoCA/private/cakey.pem

Understood; I went and fixed openssl.cnf

openssl req -newkey rsa:1024 -keyout moonkey.pem -out mooncert.pem

openssl ca -in moonkey.pem -days 730 -out mooncert.pem -notext

Your CSR and certificate have the same name.

Thanks for the hint, I figured it out and signed it. Now the actual question:

What is 01.pem?

Plus creating a CRL

As for the CRL, it is written right there in your config:

01.pem is your certificate itself 🙂 ($serial)

My brain has already switched off; what exactly is wrong there?

You have a crlnumber variable whose value is set to $dir, i.e. to the directory name (1). If you comment it out, a version 1 CRL will be created.

But, scalability is an issue, since v1 crl could grow very big

Limitation of extending v1 crl

crl substitution attack could be done with v1 crl

v2 crl solves these problems by introducing the notion of extensions (compared with v3 x509 certificate)

A critical extension should be processed, and understood by related parties.

Non-critical extensions could be ignored


JBossDeveloper

I use 4.4.1-fuse-06-03 , with cxf https via etcpax.web.

I have problem in generating server https cert

I create ca certificate as written here:

and then create server cert as written here:

but Firefox sees this certificate as a self-signed cert, issued by localhost for localhost,

it cannot see it as signed by my own ca,

I think it is not problem of smx or cxf but of openssl or keytool,

I suppose there could be some change in openssl and keytool since this tutorial was written and now they might work differently,

could somebody try to use this tutorial exactly as written in above links and check if it works ?

if it works, please include your commands as a script; here is what I have done:

(when there are many similar versions I did all of them):

echo 01 > serial

click Yes, and close Notepad.

Create a self-signed CA certificate and private key

Create a new self-signed CA certificate and private key with the following command:

openssl req -x509 -new -config X509CAopenssl.cfg -days 365 -out X509CAcanew_ca.pem -keyout X509CAcanew_ca_pk.pem

Generate a certificate and private key pair

Open a command prompt and change directory to the directory where you store your keystore files, KeystoreDir. Enter the following command:

keytool -genkeypair -dname "CN=localhost, OU=testOU, O=testO, ST=Warsaw, C=PL" -validity 365 -v -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -alias cacertAlias -file X509CAcanew_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file X509CAcanew_ca.pem -trustcacerts -keystore serverKeystore.jks -storepass serverPassword

Create a certificate signing request

Create a new certificate signing request (CSR) for the serverKeystore.jks certificate, as follows:

keytool -certreq -alias serverAlias -file server_csr.pem -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

Sign the CSR using your CA, as follows:

openssl ca -config X509CAopenssl.cfg -days 365 -in server_csr.pem -out server.pem

Convert to PEM format

Convert the signed certificate, server.pem, to PEM only format, as follows:

openssl x509 -in server.pem -out server.pem -outform PEM

Concatenate the files

Concatenate the CA certificate file and server.pem certificate file, as follows:

copy server.pem + X509CAcanew_ca.pem server.chain

Update keystore with the full certificate chain

Update the keystore, serverKeystore.jks, by importing the full certificate chain for the certificate, as follows:

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore.jks -storepass serverPassword

keytool -importcert -file server.chain -keypass serverPassword -keystore serverKeystore2.jks -storepass serverPassword

keytool -importcert -file server.chain -alias serverAlias -keypass serverPassword -keystore serverKeystoreAlias.jks -storepass serverPassword

copy serverKeystore.jks C:optapache-servicemix-4.4.1-fuse-06-03etc

thx and regards

1. Re: generating https certificates

Just a quick note: there’s a gencerts.sh shell script in the Fuse Services Framework kit, under samples/wsdl_first_https/bin, which can generate all necessary certs automatically for you; you may need to take a look.

2. Re: generating https certificates

here are logs of executing 3 commands

gencerts.sh (in cygwin under windows)

c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_https>mvn -Pserver

c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_https>mvn -Psecure.client

$ ../bin/gencerts.sh

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

Generating a 1024 bit RSA private key

writing new private key to ‘caprivkey.pem’

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

Generating a 1024 bit RSA private key

writing new private key to ‘raprivkey.pem’

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

Check that the request matches the signature

Serial Number: 4933 (0x1345)

Not Before: Jul 23 07:09:01 2012 GMT

Not After : Jul 18 07:09:01 2032 GMT

organizationalUnitName = NOT FOR PRODUCTION

X509v3 Basic Constraints:

Certificate is to be certified until Jul 18 07:09:01 2032 GMT (7300 days)

Write out database with 1 new entries

Data Base Updated

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

Check that the request matches the signature

The stateOrProvinceName field needed to be the same in the

CA certificate (NY) and the request (NY)

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

Check that the request matches the signature

The stateOrProvinceName field needed to be the same in the

CA certificate (NY) and the request (NY)

unable to load certificate

2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

unable to load certificate

2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

keytool error: java.lang.Exception: Certificate reply does not contain public key for

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

V 320718070901Z 1345 unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA

1 entries loaded from the database

Revoking Certificate 1345.

Data Base Updated

Using configuration from C:optOpenSSL-Win64binopenssl.cfg

R 320718070901Z 120723070903Z,keyCompromise 1345 unknown /C=US/ST=NY/O=Apache/OU=NOT FOR PRODUCTION/CN=TheRA

1 entries loaded from the database

./demoCA/crlnumber: No such file or directory

error while loading CRL number

2674688:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen(‘./demoCA/crlnumber’,’rb’)

2674688:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

Certificate was added to keystore

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey

Creation date: 2012-07-23

Entry type: PrivateKeyEntry

Certificate chain length: 1

Owner: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

Issuer: CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

Serial number: 500cf88e

Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012

Signature algorithm name: SHA1withDSA

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: mykey

Creation date: 2012-07-23

Entry type: PrivateKeyEntry

Certificate chain length: 1

Owner: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

Issuer: CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US

Serial number: 500cf88e

Valid from: Mon Jul 23 09:09:02 CEST 2012 until: Sun Oct 21 09:09:02 CEST 2012

Signature algorithm name: SHA1withDSA

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: theca

Creation date: 2012-07-23

Entry type: trustedCertEntry

Owner: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA

Issuer: C=US, ST=NY, O=Apache, OU=NOT FOR PRODUCTION, CN=TheCA

Serial number: 4d2

Valid from: Mon Jul 23 09:09:01 CEST 2012 until: Sun Jul 18 09:09:01 CEST 2032

Signature algorithm name: SHA1withRSA

#1: ObjectId: 2.5.29.14 Criticality=false

0000: 66 34 E2 81 F5 61 EF D6 36 79 52 5F 7E 01 7B 7A f4. a..6yR_. z

0010: F3 26 D3 2D .&.-

#2: ObjectId: 2.5.29.19 Criticality=false

#3: ObjectId: 2.5.29.35 Criticality=false

0000: 66 34 E2 81 F5 61 EF D6 36 79 52 5F 7E 01 7B 7A f4. a..6yR_. z

0010: F3 26 D3 2D .&.-

unable to load CRL

2674688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: X509 CRL

server log

Scanning for projects.

Building WSDL first demo using HTTPS 2.4.3-fuse-01-02

— cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https —

Using proxy server configured in maven.

— maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https —

— maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https —

Using ‘UTF-8’ encoding to copy filtered resources.

skip non existing resourceDirectory c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpssrcmainresources

— maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https —

Nothing to compile — all classes are up to date

— maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https —

Using ‘UTF-8’ encoding to copy filtered resources.

skip non existing resourceDirectory c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpssrctestresources

— maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https —

No sources to compile

— maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https —

No tests to run.

Surefire report directory: c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpstargetsurefire-reports

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

— exec-maven-plugin:1.2:exec (default) @ wsdl_first_https —

The server’s security configuration will be taken from server.xml using the bean name : » GreeterImplPort.http-destination».

2012-07-23 09:18:45 org.springframework.context.support.AbstractApplicationContext prepareRefresh

INFO: Refreshing org.apache.cxf.bus.spring.BusApplicationContext@80d3d6f: startup date ; root of context hierarchy

2012-07-23 09:18:46 org.apache.cxf.bus.spring.BusApplicationContext getConfigResources

INFO: Loaded configuration file file:/C:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/target/classes/demo/hw_https/server/CherryServer.xml.

2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

INFO: Loading XML bean definitions from class path resource

2012-07-23 09:18:46 org.springframework.beans.factory.xml.XmlBeanDefinitionReader loadBeanDefinitions

2012-07-23 09:18:47 org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons

INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@63a5ec6c: defining beans [cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPo

rg.apache.cxf.transport.http_jetty.spring.JettySpringTypesFactory,org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory]; root of factory hierarchy

2012-07-23 09:18:47 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL

INFO: Creating Service SOAPService from WSDL: file:./wsdl/hello_world.wsdl

2012-07-23 09:18:48 org.apache.cxf.frontend.AbstractWSDLBasedEndpointFactory createEndpoint

WARNING: Could not find endpoint/port for GreeterPort in wsdl. Using SoapPort.

2012-07-23 09:18:48 org.apache.cxf.endpoint.ServerImpl initDestination

INFO: Setting the server’s publish address to be https://localhost:9001/SoapContext/SoapPort

2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

INFO: Started CXFJettySslSocketConnector@0.0.0.0:9001 STARTING

2012-07-23 09:18:48 org.eclipse.jetty.util.log.Slf4jLog info

INFO: started o.e.j.s.h.ContextHandler

Server ready.

2012-07-23 09:20:06 org.eclipse.jetty.util.log.Slf4jLog warn

WARNING: 127.0.0.1:60379 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

client log

Scanning for projects.

Building WSDL first demo using HTTPS 2.4.3-fuse-01-02

— cxf-codegen-plugin:2.4.3-fuse-01-02:wsdl2java (generate-sources) @ wsdl_first_https —

Using proxy server configured in maven.

— maven-antrun-plugin:1.4:run (copyxmlfiles) @ wsdl_first_https —

— maven-resources-plugin:2.5:resources (default-resources) @ wsdl_first_https —

Using ‘UTF-8’ encoding to copy filtered resources.

skip non existing resourceDirectory c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpssrcmainresources

— maven-compiler-plugin:2.3.1:compile (default-compile) @ wsdl_first_https —

Nothing to compile — all classes are up to date

— maven-resources-plugin:2.5:testResources (default-testResources) @ wsdl_first_https —

Using ‘UTF-8’ encoding to copy filtered resources.

skip non existing resourceDirectory c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpssrctestresources

— maven-compiler-plugin:2.3.1:testCompile (default-testCompile) @ wsdl_first_https —

No sources to compile

— maven-surefire-plugin:2.10:test (default-test) @ wsdl_first_https —

No tests to run.

Surefire report directory: c:optapache-cxf-2.4.3-fuse-01-02sampleswsdl_first_httpstargetsurefire-reports

Tests run: 0, Failures: 0, Errors: 0, Skipped: 0

>>> exec-maven-plugin:1.2:java (default) @ wsdl_first_https >>>

f factory hierarchy

2012-07-23 09:20:05 org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL

INFO: Creating Service SOAPService from WSDL: file:/c:/opt/apache-cxf-2.4.3-fuse-01-02/samples/wsdl_first_https/wsdl/h

2012-07-23 09:20:06 org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging

WARNING: Interceptor for SOAPService# greetMe has thrown exception, unwinding


The openssl ca command is a lightweight utility that can be used to perform minimal CA (Certification Authority) functions. The command can sign and issue new certificates, including self-signed Root CA certificates, generate CRLs (Certificate Revocation Lists), and perform other basic CA tasks.

Operating a CA with openssl ca

Create a self-signed certificate using the openssl req command.

openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem

Create the following file structure to support your CA:

├── demoCA
│   ├── cacert.pem
│   ├── index.txt.attr
│   ├── newcerts
│   ├── private
│   │   └── cakey.pem
│   └── serial

Note that the openssl.cnf configuration file expects you to be in the same directory as demoCA. On Linux, that file is /usr/lib/ssl/openssl.cnf. Make sure the key file is named cakey.pem and the certificate file is named cacert.pem, or openssl won’t be able to find them. If you run across "Can't open ./demoCA/cacert.pem for reading, No such file or directory", "unable to load CA private key", or "unable to load certificate", you likely have the wrong directory structure or the wrong file names.

The CA certificate and CSRs must share the same organizationName, or signing fails with the error message "The organizationName field is different between".

Sign certificate with ca openssl

Use openssl ca to generate and sign a new certificate. To sign a CSR (Certificate Signing Request), run the following command:

openssl ca -in csr.pem -out newcert.pem

The command uses X509v3 extensions by default.

You can sign multiple requests at once using the -infiles flag:

openssl ca -infiles req1.pem req2.pem req3.pem

The subject of each certificate is stored in index.txt and cannot be duplicated if the index.txt.attr contains unique_subject = yes.

In addition, the number in the serial file is incremented as well to avoid a serial number collision.

Generate a CRL (Certificate Revocation List) with openssl ca

First, make sure you have created the demoCA/crlnumber file with a value. If you’re starting with the number 1, it must be a two-digit value in the form of 01, or you will receive the "error while loading CRL number" error.

To generate the CRL with openssl ca, run the following command:

openssl ca -gencrl -out crl.pem

Each time a new CRL is generated, the number provided in the crlnumber file is incremented by 1.


I’m trying to establish a PKI with a CRL (currently testing hence the dummy issuer values).
Unfortunately, running openssl verify -crl_download -crl_check fails to load the CRL from the specified distribution point. The problem is that even with -verbose, the error message doesn’t tell me why it failed to load. As far as I can tell, the crl file is valid and is publicly accessible.

It is entirely possible that I’ve done something wrong, but without more precise information, there is no way for a user in my situation to know what exactly that is.

Please see the commands below. The initial verify fails. But then I can run wget on the very URI it complains about, and it downloads just fine. I can also pass this downloaded file to crl and then another verify -CRLfile call and it works just fine.

administrator@fserver:/var/www$ openssl version
OpenSSL 1.1.0g  2 Nov 2017
administrator@fserver:/var/www$ openssl verify -verbose -crl_check -crl_download -CAfile /root/ca/intermediate/certs/ca-chain.cert.pem /root/ca/intermediate/certs/ad3.cert.pem
Error loading CRL from http://pki.domain.com/intermediate.crl.pem
C = GB, ST = England, O = Alice Ltd, CN = aramdesk3
error 3 at 0 depth lookup: unable to get certificate CRL
error /root/ca/intermediate/certs/ad3.cert.pem: verification failed
administrator@fserver:/var/www$ wget http://pki.domain.com/intermediate.crl.pem; openssl crl -noout -text -in intermediate.crl.pem
--2019-03-26 00:23:53--  http://pki.domain.com/intermediate.crl.pem
Resolving pki.domain.com (pki.domain.com)... 192.168.1.2
Connecting to pki.domain.com (pki.domain.com)|192.168.1.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1007 [application/x-pkcs7-crl]
Saving to: ‘intermediate.crl.pem.2’

intermediate.crl.pem.2                           100%[==========================================================================================================>]    1007  --.-KB/s    in 0s

2019-03-26 00:23:53 (79.3 MB/s) - ‘intermediate.crl.pem.2’ saved [1007/1007]

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=GB/ST=England/O=Alice Ltd/CN=inter
        Last Update: Mar 26 07:10:31 2019 GMT
        Next Update: Apr 25 07:10:31 2019 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:DD:F8:DD:CB:90:E0:0C:68:59:CC:0F:5B:3D:8D:08:4B:72:E4:E3:89

            X509v3 CRL Number:
                4097
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
administrator@fserver:/var/www$ openssl verify -verbose -CRLfile intermediate.crl.pem -CAfile /root/ca/intermediate/certs/ca-chain.cert.pem /root/ca/intermediate/certs/ad3.cert.pem
/root/ca/intermediate/certs/ad3.cert.pem: OK

Today certificates are widely used to verify, authenticate a client/user or server, to encrypt or sign emails or to sign other types of objects (e.g. source code). You are using a certificate at the moment, due to the secure http (https) connection.
In this post I will show you how to create your own Root Certificate Authority (CA).

1. Create a self signed root certificate
2. Create a sub ca certificate
3. Create a server certificate
4. Create a user certificate
5. Generate a certificate revocation list
6. Revoke a certificate
7. Export a certificate to PKCS#12 format
8. Bash script to manage your own CA

I recommend configuring your openssl.cnf (located at /etc/ssl/openssl.cnf) first. This is the most annoying part, but it simplifies the next steps. You can find the openssl.cnf I’ll use at the end of this post. Pay attention to the policy_match section, since it can cause problems when signing a certificate signing request.

1. Create a self signed root certificate:

First of all we have to create a key for the root ca. The following commands will create a file with random noise (8192 Bytes) and a 2048 bit RSA key which is encrypted with AES 256 Bit:

$ openssl rand -out private/.randRootCA 8192
$ openssl genrsa -out private/rootca.key -aes256 -rand private/.randRootCA 2048

Explanation of the first command:

rand         create random noise
-out <file>  output file of the random noise
8192         Number of bytes of random noise

Explanation of the second command:

genrsa        generate private RSA key
-out <file>   output file of the RSA key
-aes256       encrypt the key with AES 256 Bit
2048          Bit size of the key
-rand <file>  use random noise

If you don’t want to encrypt the key, just remove the option -aes256, but I recommend encrypting the key. Feel free to change the bit size of the key to 4096 or whatever you want.

The next step is to create the self-signed root certificate:

$ openssl req -new -x509 -days 3650 -key private/rootca.key -out rootca.crt \
 -config openssl.cnf

Explanation of the command:

req             create a certificate signing request
-new            create a new signing request (you have to enter the entity data)
-x509           output a self signed certificate instead of a certificate request
-days <n>       number of days to certify the certificate for
-key <file>     specifies the private key file
-out <file>     self signed root ca certificate
-config <file>  use the given openssl config file

You can take a look at the content of the certificate with the following command:

$ openssl x509 -text -in rootca.crt

Explanation of the command:

x509       X.509 data management
-text      print the certificate in text form
-in <file> input certificate to print to stdout

2. Create a sub ca certificate (signed by the root ca):

The next step is to create a certificate signing request (CSR) for the Sub CA. To create the CSR we have to generate a key first. The generation of the key is equal to the key generation of the Root CA.

$ openssl rand -out .randSubCA 8192
$ openssl genrsa -out private/subca.key -aes256 -rand .randSubCA 2048

Now we can create the CSR:

$ openssl req -new -key private/subca.key -out subca.csr -config openssl.cnf 

Explanation of the command:

req             create a certificate signing request
-new            create a new signing request (you have to enter the entity data)
-key <file>     specifies the private key file
-out <file>     output file of Sub CA CSR
-config <file>  use the given openssl config file

The CSR can now be signed by the Root CA:

$ openssl ca -name CA_RootCA -in subca.csr -out certs/subca.crt \
 -extensions subca_cert -config openssl.cnf

Explanation of the command:

ca                    certificate authority management
-name <section>       name of the CA (section within openssl.cnf)
-in <file>            input file (the CSR)
-out <file>           output file (signed certificate)
-extensions <section> used extension, which will be added to the final certificate.
                      The given section has to be present within the openssl.cnf
-config <file>        use the given openssl config file

It is also possible to change the message digest (MD) algorithm. The default MD algorithm is set in openssl.cnf. To change it, use the -md <algorithm> option. I recommend NOT using MD5 as the MD algorithm; you should use at least SHA-1. The openssl documentation says that md5, sha1 and mdc2 are possible algorithms, but it’s also possible to use e.g. SHA-512; you just have to use the option: -md sha512

I got some error messages while signing the Sub CA CSR, and here are the solutions I found to fix these errors:

  1. Error message: unable to open ‘./RootCA/index.txt’
    Solution:

    $ touch ./RootCA/index.txt
  2. Error message: error while loading serial number
    Solution:

    $ echo '01' > ./RootCA/serial
  3. Error message: Check that the request matches the signature Signature ok The commonName field needed to be supplied and was missing
    Solution: change policy_match options in openssl.cnf or create a new CSR with a commonName

3. Create a server certificate (signed by the sub ca):

To create a server certificate, e.g. for a webserver http://www.example.com, you have to create a key and a CSR. So the first step to create the key is equal to the key creation of the Root or Sub CA:

$ openssl rand -out .randServer 8192
$ openssl genrsa -out private/server.key -aes256 -rand .randServer 2048

The next step is to create the CSR. But make sure that you enter the domain name of the server as common Name (in this example: commonName=www.example.com).

$ openssl req -new -key private/server.key -out server.csr -config openssl.cnf 

Now we can sign the server CSR:

$ openssl ca -name CA_SubCA -in server.csr -out certs/server.crt \
 -extensions server_cert -config openssl.cnf

Some applications use the subject alternative name as identifier, so it’s a good idea to set the subjectAltName with the domain name (in this example: subjectAltName=DNS:www.example.com). You can set the subjectAltName attribute in your openssl.cnf. For more details take a look at the openssl doc: https://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

4. Create a user certificate (signed by the sub ca):

The creation of a user certificate is very similar to the creation of a server certificate, so I will keep this part short.
Key generation:

$ openssl rand -out .randUser 8192
$ openssl genrsa -out private/user.key -aes256 -rand .randUser 2048

Create CSR:

$ openssl req -new -key private/user.key -out user.csr -extensions user_cert \
 -config openssl.cnf

Sign CSR:

$ openssl ca -name CA_SubCA -in user.csr -out certs/user.crt \
 -extensions user_cert -config openssl.cnf

Some applications use the subject alternative name as identifier, so it’s a good idea to set the subjectAltName with the email address (in this example: subjectAltName=email:user@example.com). You can set this attribute in your openssl.cnf. I recommend setting this attribute to subjectAltName=email:copy, i.e. the email address will be set automatically.

5. Generate a certificate revocation list:

The creation of a certificate revocation list (CRL) is very easy. In this example I’ll create a CRL of the Sub CA:

$ openssl ca -name CA_SubCA -gencrl -out crl/crl.pem -config openssl.cnf

Explanation of the command:

ca                    certificate authority management
-name <section>       name of the CA (section within openssl.cnf)
-gencrl               create certificate revocation list
-out <file>           output file (the final CRL)
-config <file>        use the given openssl config file

You can change the MD algorithm with the -md option, e.g. -md sha512.

I got an error while generating the CRL and here is the solution I found to fix this error:

  1. Error message: error while loading CRL number
    Solution:

    $ echo '01' > ./SubCA/crlnumber
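
The file-related errors listed in this walkthrough (index.txt, serial, crlnumber) and the two-digit crlnumber rule from the earlier openssl ca write-up can be checked before running openssl ca at all. This is an added example, not part of the original posts; the function names ca_preflight, check_counter and is_hex_counter are hypothetical, and the optional second argument is the crlnumber path as written in openssl.cnf.

```bash
#!/bin/sh
# Added example: preflight check for an `openssl ca` working directory.
# File names follow the layouts shown on this page; nothing here calls openssl.

# is_hex_counter FILE: succeeds when the first line of FILE is a non-empty,
# even-length hex string such as 01 or 1000. OpenSSL reads serial and
# crlnumber as hex and rejects an odd number of digits, so "1" fails.
is_hex_counter() {
    first_line=$(head -n 1 "$1" | tr -d '\r')
    printf '%s\n' "$first_line" | grep -Eq '^([0-9A-Fa-f]{2})+$'
}

# check_counter LABEL PATH: prints one line and returns 1 on a problem.
check_counter() {
    label=$1
    path=$2
    if [ -d "$path" ]; then
        echo "NOTFILE  $label = $path is a directory, not a counter file"
        return 1
    elif [ ! -f "$path" ]; then
        echo "MISSING  $label = $path  (fix: echo 01 > $path)"
        return 1
    elif ! is_hex_counter "$path"; then
        echo "BADVALUE $label = $path needs an even number of hex digits, e.g. 01"
        return 1
    fi
    return 0
}

# ca_preflight DIR [CRLNUMBER_PATH]: returns the number of problems found.
# CRLNUMBER_PATH defaults to DIR/crlnumber; pass the configured value to
# catch a crlnumber line that points somewhere else, e.g. at $dir itself.
ca_preflight() {
    dir=$1
    crlnumber_path=${2:-$dir/crlnumber}
    problems=0

    # index.txt may be empty, but it has to exist.
    if [ ! -f "$dir/index.txt" ]; then
        echo "MISSING  database = $dir/index.txt  (fix: touch $dir/index.txt)"
        problems=$((problems + 1))
    fi

    # new_certs_dir is where issued certificates such as 01.pem are written.
    if [ ! -d "$dir/newcerts" ]; then
        echo "MISSING  new_certs_dir = $dir/newcerts  (fix: mkdir $dir/newcerts)"
        problems=$((problems + 1))
    fi

    check_counter serial "$dir/serial" || problems=$((problems + 1))
    check_counter crlnumber "$crlnumber_path" || problems=$((problems + 1))

    return "$problems"
}

# Constructed demo: an empty CA directory, then the same directory repaired.
demo=$(mktemp -d)
ca_preflight "$demo" || echo "-> $? problem(s) found"
mkdir "$demo/newcerts"
: > "$demo/index.txt"
echo 01 > "$demo/serial"
echo 01 > "$demo/crlnumber"
ca_preflight "$demo" && echo "-> layout ready for openssl ca -gencrl"
rm -rf "$demo"
```

Run it against ./SubCA or ./RootCA before signing or generating a CRL; a return value of 0 means none of the file-related errors above will be triggered by the layout.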

6. Revoke a certificate

Revoking a certificate is very easy too. In this example I will revoke the certificate user.crt which was signed by the Sub CA:

$ openssl ca -name CA_SubCA -revoke certs/user.crt -config openssl.cnf

Explanation of the command:

ca                    certificate authority management
-name <section>       name of the CA (section within openssl.cnf)
-revoke <file>        input file (the certificate to revoke)
-config <file>        use the given openssl config file

I recommend creating a new CRL every time you revoke a certificate.

7. Export a certificate to PKCS#12 format

If you want to import a certificate into your browser or your email client, you have to export the certificate to another format. Most applications need a certificate in PKCS#12 format. This format contains the public and private key. You have to enter a (backup) passphrase for the exported certificate to protect your private key.

$ openssl pkcs12 -export -in certs/user.crt -inkey private/user.key \
 -out user.pfx -name "User Certificate"

Explanation of the command:

pkcs12          PKCS#12 management
-export         create a PKCS#12 file
-in <file>      input certificate
-inkey <file>   input key (corresponding to the certificate)
-out <file>     output file (final exported certificate)
-name <string>  name of the certificate (Some apps display 
                this name in the list box)

The exported certificate user.pfx can be imported to e.g. your browser or your email client.

8. Bash script to manage your own CA

I’ve programmed a “little” Bash script to make all these steps a bit easier. The script is available on GitHub: https://github.com/linuxm0nk3ys/ca-script. Feel free to modify the script. If you find any bugs or you have any suggestions, please contact me (leave a comment or via Twitter: @linuxm0nk3ys).

Appendix

Full content of openssl.cnf:

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
oid_section		= new_oids

[ new_oids ]
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca	= CA_RootCA		# The default ca section
####################################################################
[ CA_RootCA ]
dir		= ./RootCA       # Where everything is kept
certs		= $dir/certs	 # Where the issued certs are kept
crl_dir		= $dir/crl	 # Where the issued crl are kept
database	= $dir/index.txt # database index file.
#unique_subject	= no		 # Set to 'no' to allow creation of
				 # several certificates with same subject.
new_certs_dir	= $dir/newcerts	 # default place for new certs.
certificate	= $dir/rootca.crt	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
				        # must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/rootca.key   # The private key
RANDFILE	= $dir/private/.rootca.rand # private random number file
x509_extensions	= user_cert		# The extensions to add to the cert
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
default_days	= 3650			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md      = sha512  		# message digest to use
preserve        = no			# keep passed DN ordering
policy		= policy_anything       # CHANGE THIS

####################################################################
[ CA_SubCA ]
dir		= ./SubCA	    	# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl	        # Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.
certificate	= $dir/subca.crt 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
       					# must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key	= $dir/private/subca.key    # The private key
RANDFILE	= $dir/private/.subca.rand  # private random number file
x509_extensions	= user_cert		# The extensions to add to the cert
name_opt 	= ca_default	# Subject Name options
cert_opt 	= ca_default	# Certificate field options
default_days	= 3650		# how long to certify for
default_crl_days= 30		# how long before next CRL
default_md	= sha512	# message digest to use
preserve	= no		# keep passed DN ordering
policy		= policy_match

####################################################################
# For the CA policy
[ policy_match ]
countryName	        = match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= root_ca	# The extensions to add to the self signed cert
string_mask = utf8only

####################################################################
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= XX
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State
localityName			= Locality Name (eg, city)
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Example Organisation      # CHANGE THIS
organizationalUnitName	= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max			= 64
emailAddress			= Email Address
emailAddress_max		= 64

####################################################################
[ req_attributes ]
challengePassword	= A challenge password
challengePassword_min	= 4
challengePassword_max	= 20
unstructuredName	= An optional company name

####################################################################
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

####################################################################
[ root_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = cRLSign, keyCertSign
subjectAltName=email:copy
# URI of the CA certificate 
authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html # CHANGE URI
# URI of the CRL 
crlDistributionPoints=URI:http://crl1.example.com/my.crl # CHANGE THIS

####################################################################
[ subca_cert ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign
subjectAltName=email:copy
# URI of the CA certificate 
authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html # CHANGE URI
# URI of the CRL 
crlDistributionPoints=URI:http://crl1.example.com/my.crl # CHANGE THIS

####################################################################
[ user_cert ]
basicConstraints=CA:FALSE
# Feel free to add "dataEncipherment" or "keyAgreement"
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=email:copy
extendedKeyUsage = clientAuth, emailProtection, codeSigning
# URI of the CA certificate 
authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html # CHANGE URI
# URI of the CRL 
crlDistributionPoints=URI:http://crl1.example.com/my.crl # CHANGE THIS

####################################################################
[ server_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
# add subject Altname
# IMPORTANT: You have to set the environment variable "ALTNAME", e.g.
# export ALTNAME="DNS:www.example.com, DNS:www2.example.com"
subjectAltName=$ENV::ALTNAME
# URI of the CA certificate 
authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html # CHANGE URI
# URI of the CRL 
crlDistributionPoints=URI:http://crl1.example.com/my.crl # CHANGE THIS

####################################################################
[ crl_ext ]
authorityKeyIdentifier=keyid:always

####################################################################
[ tsa ]
default_tsa = tsa_config1	# the default TSA section

####################################################################
[ tsa_config1 ]
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= sha1		# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)

Source:
www.openssl.org
RFC 2459
RFC 3280

I have a working certificate but can’t get the CRL info from it for some reason.

I ran this to make sure it is working:

openssl x509 -outform PEM -in cert_2_.pem

And here is the output:

Then I tried to get the CRL with:

openssl x509 -outform PEM -in cert_2_.pem | openssl crl -text

But this was the output

unable to load CRL
140537848063680:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: X509 CRL

Am I doing anything wrong?

asked Jun 15, 2014 at 16:06

Frederico Schardong

You did not download the CRL. All you did was encode the certificate to PEM format. Then you tried to pipe the output of cert PEM encoding to openssl where you instructed openssl to treat it like a CRL.

You could parse the certificate using

openssl x509 -in cert_2_.pem -text

Then manually or with the help of some other command (like grep, awk or something) parse out the URL where the CRL is being published.

Then you could download the CRL using wget.

Finally you could parse the crl using the command

openssl crl -in downloaded.crl -text

answered Jun 15, 2014 at 19:55

pepo
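
The steps from the answer above as a shell script. This is an added example, not part of the original answer. The function names crl_urls, sample_x509_text and show_crl are made up for illustration, and the sample certificate text is constructed using the placeholder URLs from the openssl.cnf shown earlier on the page.

```shell
# crl_urls: read `openssl x509 -noout -text` output on stdin and print only
# the URIs under "X509v3 CRL Distribution Points". A plain `grep URI:` would
# also return the caIssuers URL from Authority Information Access.
crl_urls() {
    awk '
        /X509v3 CRL Distribution Points:/ {
            match($0, /[^ ]/); hdr = RSTART; in_dp = 1; next
        }
        in_dp && /^[ \t]*$/ { next }    # some OpenSSL versions print blank lines here
        in_dp {
            match($0, /[^ ]/)
            if (RSTART <= hdr) { in_dp = 0; next }   # reached the next extension
            i = index($0, "URI:")
            if (i > 0) print substr($0, i + 4)
        }
    '
}

# Constructed sample of the -text output (not from a real certificate); the
# URLs are the placeholders from the openssl.cnf shown earlier on the page.
sample_x509_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl1.example.com/my.crl

            Authority Information Access:
                CA Issuers - URI:http://my.ca/ca.html
    Signature Algorithm: sha512WithRSAEncryption
EOF
}

# show_crl CERT.pem: fetch the first HTTP(S) CRL named in the certificate and
# print it. CRLs published over HTTP are normally DER, so try DER, then PEM.
show_crl() {
    url=$(openssl x509 -in "$1" -noout -text | crl_urls | grep -E '^https?://' | head -n 1)
    [ -n "$url" ] || { echo "no HTTP CRL distribution point in $1" >&2; return 1; }
    wget -q -O downloaded.crl "$url" || return 1
    openssl crl -inform DER -in downloaded.crl -noout -text 2>/dev/null ||
        openssl crl -inform PEM -in downloaded.crl -noout -text
}
```

Running `show_crl cert_2_.pem` needs network access plus openssl and wget; `sample_x509_text | crl_urls` exercises the parser offline.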
