Setup your own CA

sslhappy-ca | dovecot-clientcert | thunderbird | apache-clientcert | firefox

tested with LibreSSL 3.3.1

Requirements

We need a default_ca section, and the nicer/lighter LibreSSL template does not have one.

which openssl
openssl version

So let us grab a sample

cd /etc/ssl/
wget -O - https://raw.githubusercontent.com/libressl/libressl/master/src/apps/openssl.cnf > openssl.sample

and add the required sections as follows

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./
certs           = $dir
crl_dir         = $dir
database        = $dir/index.txt
new_certs_dir   = $dir
certificate     = $dir/ca.crt
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/ca.crl
private_key     = $dir/ca.key
RANDFILE        = $dir/.rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 30
default_md      = default
preserve        = no
policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment       = "LibreSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

note we’ve modified a few fields from the sample, namely

dir             = ./
new_certs_dir   = $dir
crl_dir         = $dir
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
crl             = $dir/ca.crl

nsComment       = "LibreSSL Generated Certificate"

this field looks interesting as well

[ usr_cert ]
# nsCertType = server
# nsCertType = client, email

Get a CA

on the CA node

Generate a private key. Yes, we want a passphrase here.

mkdir -p /etc/ssl/ORG-ROOT-CA/
cd /etc/ssl/ORG-ROOT-CA/
openssl genrsa -aes256 -out ca.key 4096
chmod 400 ca.key

generate a CSR for the CA itself and sign it

# openssl req -new -key ca.key -out ca.csr
# openssl req -in ca.csr -text -noout -verify
# openssl x509 -req -days 7300 -sha256 -in ca.csr -signkey ca.key -out ca.crt

–or– request and sign AT ONCE

openssl req -new -key ca.key -out ca.crt -x509 -days 7300 -sha256

e.g.

RU
Tatarstan
Kazan
Nethence Systems
()
Nethence Root CA (jan2021)
YOUR-EMAIL

add a CRL and concatenate it to the CA certificate

touch index.txt
# openssl ca needs the database file to exist, even just to generate a CRL
echo -ne 00 > crlnumber
openssl ca -gencrl -out ca.crl
cp -pi ca.crt ca.crt.wocrl
cat ca.crl >> ca.crt

and review the resulting CA certificate and CRL

openssl x509 -in ca.crt -text -noout | less
openssl crl -in ca.crt -text -noout | less

Server or client CSR

on some server or client node

Now generate a CSR for some server or client.

I recommend avoiding a passphrase here, as it would require human interaction to restart the network service or launch the client application.

openssl genrsa -out HOST-OR-USER.key 2048
# -aes256 if you really want a passphrase
chmod 400 HOST-OR-USER.key

generate a request

openssl req -key HOST-OR-USER.key -new -sha256 -out HOST-OR-USER.csr

some fields need to match the CA, namely Country, State and Organization Name, as set by policy_match in openssl.cnf. No need for the extra attributes (challenge password or optional company name)

RU
...
FQDN OR USERNAME

chmod 444 HOST-OR-USER.csr

and send the CSR to the CA owner, somehow. It is not confidential, just like a public certificate.

openssl req -in HOST-OR-USER.csr -noout -text -verify

Serve some certs

on the CA node

sign the request with your root CA

touch index.txt
echo 01 > serial

openssl ca -days 375 -notext -md sha256 -in HOST-OR-USER.csr -out HOST-OR-USER.crt
chmod 444 HOST-OR-USER.crt

tail index.txt
tail serial

check

openssl x509 -in HOST-OR-USER.crt -text -noout
openssl verify -CAfile ca.crt HOST-OR-USER.crt
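The whole procedure above (CA, CSR, signing, check) run end to end in a scratch directory, as an added example that is not part of the original guide. It assumes openssl in PATH; the -subj/-batch flags, the [ req ]/v3_ca sections, the subjects (Example Org, host.example.test) and the second CSR with a mismatched Organization are constructed for the demo, and the CA key is left unencrypted only to keep it non-interactive.

```sh
# Added example, not from the original guide: CA workflow end to end, non-interactively
# (-subj, -batch), plus a CSR whose Organization differs from the CA so policy_match refuses it.
ca_demo() (
  set -e
  work=$(mktemp -d); cd "$work"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 375
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
  # Root CA (v3_ca marks it CA:TRUE; demo key unencrypted), then empty database and first serial
  openssl req -config ca.cnf -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 7300 \
    -sha256 -out ca.crt -subj "/C=RU/ST=Tatarstan/O=Example Org/CN=Example Root CA" >/dev/null 2>&1
  touch index.txt; echo 01 > serial
  # Host CSR whose C/ST/O match the CA: signed with openssl ca, then verified against ca.crt
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout host.key -sha256 -out host.csr \
    -subj "/C=RU/ST=Tatarstan/O=Example Org/CN=host.example.test" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -md sha256 -in host.csr -out host.crt >/dev/null 2>&1
  if openssl verify -CAfile ca.crt host.crt >/dev/null 2>&1; then ok=signed; else ok=failed; fi
  # Same key, different Organization: policy_match makes openssl ca refuse to sign it
  openssl req -config ca.cnf -new -key host.key -sha256 -out rogue.csr \
    -subj "/C=RU/ST=Tatarstan/O=Other Org/CN=host.example.test" >/dev/null 2>&1
  if openssl ca -config ca.cnf -batch -notext -md sha256 -in rogue.csr -out rogue.crt >/dev/null 2>&1; then rogue=signed; else rogue=rejected; fi
  rm -rf "$work"; echo "host=$ok rogue=$rogue"
)
```

Running ca_demo prints host=signed rogue=rejected: the matching request is issued and verifies, the one with a foreign Organization is turned down by the CA policy before any certificate is written.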

TODO

Resources

ca - sample minimal CA application https://github.com/libressl/libressl/blob/master/src/doc/apps/ca.pod

Certificate signing request https://en.wikipedia.org/wiki/Certificate_signing_request

OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030

How To Setup a CA http://pages.cs.wisc.edu/~zmiller/ca-howto/

How to get HTTPS working in localhost development environment https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046

Setting up an SSL secured Webserver with CentOS https://wiki.centos.org/HowTos/Https

crl

https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html

https://stackoverflow.com/questions/11966123/howto-create-a-certificate-using-openssl-including-a-crl-distribution-point

crlnumber https://help.cloud.fabasoft.com/index.php?topic=doc/How-to-Create-a-CA-and-User-Certificates-for-Your-Organization-in-Fabasoft-Cloud/certificate-revocation-list-via-openssl.htm

alternatives

Easy-RSA 3 https://easy-rsa.readthedocs.io/en/latest/

Easy-RSA https://wiki.archlinux.org/index.php/Easy-RSA

Copyright © 2024 Pierre-Philipp Braun