Pascal Maugeri

Building a Certificate Authority (CA)

Blog post by Pascal Maugeri, Sep 6, 2017

Introduction

This article lays the foundation for upcoming articles on best-practice implementation of FOSSL rules in Akamai Property Manager configuration.

The outcome of the OpenSSL commands described here is a chain of three certificates, each signed by the one above it: Root > Intermediate > Leaf.

Preparing environment

The CA is built on the following directories structure:

ca/
    ├── certs
    ├── csr
    ├── newcerts
    └── private

where the private folder holds the private keys of the PKI, csr holds the Certificate Signing Requests, certs holds the certificates written by the commands below, and newcerts receives the certificates generated and signed by openssl ca.

# sudo su -
# mkdir /root/ca
# cd /root/ca
# mkdir private csr certs newcerts
# chmod 700 private/

Place the two configuration files openssl_root.cnf and openssl_intermediate.cnf in the /root/ca folder; both files are attached to this article.

Creating the root certificate

Creation of the Root certificate keys

# cd /root/ca
# touch index_root.txt
# echo 1000 > serial_root
# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
# chmod 400 private/ca.key.pem

Creation of the Root certificate

# openssl req -config openssl_root.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem: <Your Root secret>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name [France]:
Locality Name [Paris]:
Organization Name [Maugeri & Co]:
Organizational Unit Name [Maugeri & Co Certificate Auhtority]:
Common Name []:Maugeri & Co Root CA
Email Address []:

Intermediate Certificate

Creation of the Intermediate certificate keys

# touch index_intermediate.txt
# echo 1000 > serial_intermediate
# openssl genrsa -aes256 -out private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................................++
...........................................++
e is 65537 (0x10001)
Enter pass phrase for private/intermediate.key.pem:
Verifying - Enter pass phrase for private/intermediate.key.pem:
# chmod 400 private/intermediate.key.pem

Creation of the Intermediate certificate

First we create the intermediate certificate signing request or CSR:

# openssl req -config openssl_intermediate.cnf -new -sha256 -key private/intermediate.key.pem -out csr/intermediate.csr.pem
Enter pass phrase for private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name [France]:
Locality Name [Paris]:
Organization Name [Maugeri & Co]:
Organizational Unit Name [Maugeri & Co Certificate Auhtority]:
Common Name []:Maugeri & Co Intermediate CA
Email Address []:

Then the Root CA signs the Intermediate certificate signing request:

# openssl ca -config openssl_root.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in csr/intermediate.csr.pem -out certs/intermediate.cert.pem

Using configuration from openssl_root.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Aug 29 07:38:55 2017 GMT
Not After : Aug 27 07:38:55 2027 GMT
Subject:
countryName = FR
stateOrProvinceName = France
organizationName = Maugeri & Co
organizationalUnitName = Maugeri & Co Certificate Auhtority
commonName = Maugeri & Co Intermediate CA
X509v3 extensions:
X509v3 Subject Key Identifier:
41:51:73:D1:34:9C:F1:5C:0C:19:87:15:E9:DE:0D:2D:71:41:8B:B4
X509v3 Authority Key Identifier:
keyid:E6:CB:36:F6:7E:FB:3B:05:5F:36:6D:5D:2A:2B:35:1C:98:B6:CC:E7

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Aug 27 07:38:55 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Verification of the Intermediate certificate

As a final step in the creation of the Intermediate certificate, verify it against the Root certificate with the openssl verify command:

# openssl verify -CAfile certs/ca.cert.pem certs/intermediate.cert.pem
certs/intermediate.cert.pem: OK

Leaf Certificate

Creation of the Leaf certificate keys

# openssl genrsa -aes256 -out private/leaf.key.pem 2048
Generating RSA private key, 2048 bit long modulus
.................+++
.....................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/leaf.key.pem:
Verifying - Enter pass phrase for private/leaf.key.pem:
# chmod 400 private/leaf.key.pem

Creation of the Leaf certificate signing request (CSR)

# openssl req -config openssl_intermediate.cnf -key private/leaf.key.pem -new -sha256 -out csr/leaf.csr.pem
Enter pass phrase for private/leaf.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name [France]:
Locality Name [Paris]:
Organization Name [Maugeri & Co]:
Organizational Unit Name [Maugeri & Co Certificate Auhtority]:Maugeri & Co Web Server
Common Name []:pmaugeri-org10.ascenderorigins.com
Email Address []:

Sign the Leaf certificate with the Intermediate CA

# openssl ca -config openssl_intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/leaf.csr.pem -out certs/leaf.cert.pem

Using configuration from openssl_intermediate.cnf
Enter pass phrase for /root/ca/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Sep 6 20:00:07 2017 GMT
Not After : Sep 16 20:00:07 2018 GMT
Subject:
countryName = FR
stateOrProvinceName = France
localityName = Paris
organizationName = Maugeri & Co
organizationalUnitName = Maugeri & Co Web Server
commonName = pmaugeri-org10.ascenderorigins.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
A4:22:66:3F:00:81:6E:19:D7:64:25:C2:89:1D:9A:8C:62:50:38:08
X509v3 Authority Key Identifier:
keyid:C0:C6:14:A3:CC:66:8A:26:C0:C7:0D:4E:CE:36:68:63:F3:6F:C1:E9
DirName:/C=FR/ST=France/L=Paris/O=Maugeri & Co/OU=Maugeri & Co Certificate Auhtority/CN=Maugeri & Co Root CA
serial:10:00

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Sep 16 20:00:07 2018 GMT (375 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

VARIANT: create an expired Leaf certificate

# openssl ca -config openssl_intermediate.cnf -extensions server_cert -days 1 -notext -md sha256 -in csr/leaf.csr.pem -out certs/leaf.cert.pem -startdate 19700101000000Z -enddate 19700102000000Z

The explicit -startdate and -enddate take precedence over -days. Since -out points at the same file as in the previous step, this overwrites certs/leaf.cert.pem; give the expired variant a different -out name if you want to keep both certificates.

The Trust Chain

Create the certificate trust chain by concatenating the leaf, intermediate and root certificates, in that order, into a single .pem file:

# cd /root/ca/certs
# cat leaf.cert.pem intermediate.cert.pem ca.cert.pem > leaf-intermediate-root.chain.cert.pem
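The whole procedure above, as an added example that is not the post's own script and does not use its attached .cnf files: a non-interactive POSIX shell version that writes the extension profiles inline (section names and extensions follow the X509v3 output printed by openssl ca above), uses openssl x509 -req -extfile instead of openssl ca, and verifies the result both at the current time and at a future time to reproduce the expired-certificate check of the VARIANT. The file name ext.cnf, the helper names csr, sign, build_chain and verify_leaf, the 2048-bit keys and the unencrypted keys are this example's assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not the post's script or its attached .cnf files): the same Root >
# Intermediate > Leaf chain built non-interactively. "openssl x509 -req -extfile" stands in
# for "openssl ca", and keys are unencrypted (-nodes) only so it runs unattended.
set -e
# Extension profiles, named as in the post's -extensions arguments and matching the
# X509v3 extensions its openssl ca output prints (ext.cnf is this example's file).
write_ext() { cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
[v3_intermediate_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid,issuer:always
EOF
}
# csr <dir> <name> <subject>: new RSA key plus CSR (the post's genrsa and req -new in one step)
csr() { openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ext.cnf" -subj "$3" \
          -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null; }
# sign <dir> <name> <issuer> <profile> <days>: issue the CSR under the named profile
sign() { openssl x509 -req -sha256 -days "$5" -in "$1/$2.csr.pem" -CA "$1/$3.cert.pem" \
          -CAkey "$1/$3.key.pem" -CAcreateserial -extfile "$1/ext.cnf" -extensions "$4" \
          -out "$1/$2.cert.pem" 2>/dev/null; }
# build_chain <dir>: root, intermediate and leaf certificates plus the concatenated chain
build_chain() {
  mkdir -p "$1" && write_ext "$1/ext.cnf"
  csr "$1" ca "/O=Maugeri & Co/CN=Maugeri & Co Root CA"
  openssl x509 -req -sha256 -days 7300 -in "$1/ca.csr.pem" -signkey "$1/ca.key.pem" \
    -extfile "$1/ext.cnf" -extensions v3_ca -out "$1/ca.cert.pem" 2>/dev/null
  csr "$1" intermediate "/O=Maugeri & Co/CN=Maugeri & Co Intermediate CA"
  sign "$1" intermediate ca v3_intermediate_ca 3650
  csr "$1" leaf "/O=Maugeri & Co/CN=pmaugeri-org10.ascenderorigins.com"
  sign "$1" leaf intermediate server_cert 375
  cat "$1/leaf.cert.pem" "$1/intermediate.cert.pem" "$1/ca.cert.pem" > "$1/chain.cert.pem"
}
# verify_leaf <dir> <name> <untrusted file> [epoch]: root trusted, issuers untrusted;
# the optional -attime checks validity at another moment (the post's expired VARIANT)
verify_leaf() { openssl verify -CAfile "$1/ca.cert.pem" -untrusted "$1/$3" \
                  ${4:+-attime "$4"} "$1/$2.cert.pem" >/dev/null 2>&1; }
```

Because the intermediate carries pathlen:0, any further CA it issues produces leaves that fail verification, which is the property the post's v3_intermediate_ca profile is meant to enforce.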
