What is an Intermediate Certificate Authority (CA) and why do I need one? An Intermediate CA is an authority that you use to issue your own SSL certificates in a PKI environment. An Intermediate CA depends on a Root CA, which is the origin of the chain of trust. The idea is that if your Intermediate CA gets compromised, or you decide to revoke all the certificates issued by it, you can still use your Root CA without further inconvenience for your users (the users only need to have the certificate of the Root CA installed in their browsers).

As for the second question, the short answer is that chances are you really do not need one :) but for the sake of the experiment let's get our hands dirty!

First of all, I should clarify that my interest in this topic was also raised by the fact that Verisign has switched to a two-tier hierarchy of Certificate Authorities, and this has some implications, especially in the configuration of web server software:

“As of April 2006, all SSL certificates issued by VeriSign require the installation of an Intermediate CA Certificate. The SSL certificates are signed by an Intermediate CA using a two-tier hierarchy (also known as trust chain) which enhances the security of your SSL Certificate. If the proper Intermediate CA is not installed on the server, your customers will see browser errors and may choose not to proceed further and close their browser.” (boldface is mine)

This means that while the users do not need to modify anything (if their browser already has Verisign's Root CA certificate), the server owners need to ensure that the server is able to provide the so-called trust chain to the users' browser when the SSL handshake is performed.

Never mind, let's get back to it. In order to get your Intermediate CA working, you first need a Root CA (if you already have one, feel free to skip the next section). Remember that in order to get this working you need to have a copy of the OpenSSL toolkit installed on your system.

Configure the Root CA

mkdir /var/ca
cd /var/ca/
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
# beware that the location of the sample file is dependent on your environment
cp /usr/lib/ssl/openssl.cnf .

You may want to modify some of the settings in the configuration file to save yourself some time later when creating the certificates: default_bits, countryName, stateOrProvinceName, 0.organizationName_default, organizationalUnitName and emailAddress.

Now you are ready to create the CA:

# generate a private key (the same file name is used by the signing command below)
openssl genrsa -des3 -out private/cakey.pem 4096
# create a self-signed certificate valid for 5 years
# (-sha1 was the norm in 2008; on current systems prefer -sha256)
openssl req -new -x509 -nodes -sha1 -days 1825 -key private/cakey.pem -out cacert.pem
# go for the default values if you adapted the settings in the openssl.cnf file or enter the values you desire

Now you have everything you need to run a successful CA.

Configure an Intermediate CA

The idea is simple: we will create a new CA following the same template that we used in the previous section, but this time, instead of generating a self-signed certificate, we will generate a certificate signing request that we will sign using the Root CA.

First we create the folder structure:

cd /var/ca/
mkdir ca2008
cd ca2008
cp ../openssl.cnf .
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt

Then the Intermediate CA private key:

# generate the key
openssl genrsa -des3 -out private/cakey.pem 4096
# generate a signing request (the request itself has no validity period; the
# 1-year lifetime is set by the Root CA when it signs the request below)
openssl req -new -sha1 -key private/cakey.pem -out ca2008.csr
# go for the default values if you adapted the settings in the openssl.cnf file or enter the values you desire

Move the signing request to the Root CA directory and sign it:

mv ca2008.csr ..
cd ..
# the v3_ca extensions mark the new certificate as a CA (basicConstraints CA:TRUE)
openssl ca -extensions v3_ca -days 365 -out ca2008.crt -in ca2008.csr -config openssl.cnf
mv ca2008.* ca2008/
cd ca2008/
mv ca2008.crt cacert.pem

And that is it. The next thing to do is start using your Intermediate CA to sign your new certificates. But just before that, remember that to verify a certificate signed by an Intermediate CA the web browser has to verify both the certificate against the Intermediate CA and the certificate of the Intermediate CA against a Root CA.

In order to allow the browser to do this, a certificate chain file needs to be installed on the server. A certificate chain is a plaintext file that contains all the certificates from the Authority issuing a given certificate up to the Root of the certificate tree. In this case our chain has only two levels and the chain file is created like this:

# first the intermediate CA certificate
cat cacert.pem > chain.crt
# then the Root CA cert
cat ../cacert.pem >> chain.crt

This file is the one you need to specify in the SSLCertificateChainFile directive of your server.

Create a new server certificate

# make sure you are in the Intermediate CA folder and not in the Root CA one
cd /var/ca/ca2008/
# create the private key (-des3 protects it with a passphrase, which Apache will ask for at startup)
openssl genrsa -des3 -out {server_name}.key 4096
# generate a certificate signing request
openssl req -new -key {server_name}.key -out {server_name}.csr
# sign the request with the Intermediate CA (-infiles must be the last option)
openssl ca -config openssl.cnf -policy policy_anything -out {server_name}.crt -infiles {server_name}.csr
# and store the server files in the certs/ directory
mv {server_name}.key {server_name}.csr {server_name}.crt certs/

Then you should securely copy the .key and .crt files to the server and configure it to use them.
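To check that the procedure above (Root CA, Intermediate CA signed with CA extensions, chain file, server certificate) really produces a chain that verifies, here is an added shell script; it is not part of the original post. It builds the same directory layout in a temporary directory but writes a minimal openssl.cnf of its own, because the stock file's `dir` setting points at ./demoCA and must be changed to the CA directory before the `openssl ca` commands above will work. It uses `-subj` and unencrypted keys so it runs unattended, adds a pathlen:0 constraint to the intermediate so it cannot issue further CAs, and then runs the positive and negative `openssl verify` checks. The CA names and www.example.test are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: two-tier CA built unattended, then verified.

# Minimal openssl.cnf for 'openssl ca'. The stock file sets dir = ./demoCA, which is
# why the post's commands need 'dir' edited to point at the CA directory.
write_ca_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $1
certs          = \$dir/certs
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
certificate    = \$dir/cacert.pem
default_md     = sha256
default_days   = 365
policy         = policy_anything
unique_subject = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Same layout the post creates by hand: certs/ crl/ newcerts/ private/, serial, index.txt
init_ca_dir() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  echo 01 > "$1/serial"
  : > "$1/index.txt"
  write_ca_cnf "$1"
}

# Runs in a subshell so 'exit' only aborts the demo. Prints OK, SKIP (no openssl) or FAIL.
two_tier_ca_demo() (
  command -v openssl >/dev/null 2>&1 || { echo SKIP; exit 0; }
  step() { "$@" >/dev/null 2>&1 || { echo "FAIL: $*"; exit 1; }; }
  work=$(mktemp -d) || exit 1
  root="$work/root"; inter="$work/inter"; srv="$work/www.example.test"
  init_ca_dir "$root"; init_ca_dir "$inter"

  # Root CA: key plus self-signed certificate (no -des3, so no passphrase prompt)
  step openssl genrsa -out "$root/private/cakey.pem" 2048
  step openssl req -new -x509 -days 3650 -config "$root/openssl.cnf" \
    -key "$root/private/cakey.pem" -subj "/CN=Example Root CA" -out "$root/cacert.pem"

  # Intermediate CA: key and CSR, signed by the root with CA:TRUE, pathlen:0
  step openssl genrsa -out "$inter/private/cakey.pem" 2048
  step openssl req -new -config "$inter/openssl.cnf" -key "$inter/private/cakey.pem" \
    -subj "/CN=Example Intermediate CA" -out "$work/inter.csr"
  step openssl ca -batch -notext -config "$root/openssl.cnf" -extensions v3_intermediate \
    -days 1825 -in "$work/inter.csr" -out "$inter/cacert.pem"

  # Server certificate: signed by the intermediate, never by the root directly
  step openssl genrsa -out "$srv.key" 2048
  step openssl req -new -config "$inter/openssl.cnf" -key "$srv.key" \
    -subj "/CN=www.example.test" -out "$srv.csr"
  step openssl ca -batch -notext -config "$inter/openssl.cnf" -extensions server_cert \
    -days 365 -in "$srv.csr" -out "$srv.crt"

  # Chain file exactly as in the post: intermediate first, then the root
  cat "$inter/cacert.pem" "$root/cacert.pem" > "$work/chain.crt"

  # With the chain supplied, the server certificate verifies up to the root ...
  openssl verify -CAfile "$root/cacert.pem" -untrusted "$work/chain.crt" "$srv.crt" 2>&1 \
    | grep -q ': OK$' || { echo "FAIL: chain does not verify"; exit 1; }
  # ... and without it the lookup fails: the browser error the post warns about
  if openssl verify -CAfile "$root/cacert.pem" "$srv.crt" 2>&1 | grep -q ': OK$'; then
    echo "FAIL: verified without the intermediate"; exit 1
  fi
  # pathlen:0 stops the intermediate from issuing further CA certificates
  openssl x509 -in "$inter/cacert.pem" -noout -text | grep -q 'pathlen:0' \
    || { echo "FAIL: no path length constraint"; exit 1; }
  rm -rf "$work"
  echo OK
)
```

Source the file and call `two_tier_ca_demo`; it prints OK. The same `openssl verify -CAfile <root> -untrusted chain.crt <server>.crt` check is worth running against any chain file before it is deployed, and once the server is up, `openssl s_client -connect host:443 -showcerts` shows whether the intermediate certificate is actually being sent in the handshake.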

Apache server configuration

Just in case you are using the Apache server, and for the sake of completeness, these are the settings that you need to modify (possibly in your extra/httpd-ssl.conf):

SSLCertificateFile /var/ca/ca2008/certs/{server_name}.crt
SSLCertificateKeyFile /var/ca/ca2008/certs/{server_name}.key
SSLCertificateChainFile /var/ca/ca2008/chain.crt
