pki / setup your own ca

tested with LibreSSL 3.3.1

Requirements

We need a [ ca ] section with default_ca to be present in openssl.cnf, and the nicer/lighter LibreSSL template does not ship one.

which openssl
openssl version

So let us grab a sample from the LibreSSL repository

cd /etc/ssl/
wget -O - https://raw.githubusercontent.com/libressl/libressl/master/src/apps/openssl.cnf > openssl.sample

and add the required fields to the distributed config (keeping a backup of the original) as such

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./
certs           = $dir
crl_dir         = $dir
database        = $dir/index.txt
new_certs_dir   = $dir
certificate     = $dir/ca.crt
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/ca.crl
private_key     = $dir/ca.key
RANDFILE        = $dir/.rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 30
default_md      = default
preserve        = no
policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment       = "LibreSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

note we've modified a few fields from the sample, namely the paths (dir = ./ resolves against the current working directory, so every openssl ca command below has to be run from inside the CA directory)

dir             = ./
certs           = $dir
crl_dir         = $dir
new_certs_dir   = $dir
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
crl             = $dir/ca.crl

nsComment       = "LibreSSL Generated Certificate"

these commented-out fields in [ usr_cert ] look interesting as well: nsCertType restricts what a certificate may be used for (server, or client and email)

[ usr_cert ]
# nsCertType = server
# nsCertType = client, email

Get a CA

on the CA node

Generate a private key. Yes, we want a passphrase here.

mkdir -p /etc/ssl/ORG-ROOT-CA/
cd /etc/ssl/ORG-ROOT-CA/
openssl genrsa -aes256 -out ca.key 4096
chmod 400 ca.key

generate a CSR for the CA itself and sign it

short=ca

or request and sign at once, straight from the private key generated above: the root certificate is self-signed anyhow

openssl req -new -key ca.key -out ca.crt -x509 -days 7300 -sha256

create an (empty) CRL and append it to the CA certificate; openssl ca needs its index.txt database to exist before it will generate anything

touch index.txt
echo -ne 00 > crlnumber
openssl ca -gencrl -out ca.crl
cp -pi ca.crt ca.crt.wocrl
cat ca.crl >> ca.crt

and review the resulting CA certificate (check that X509v3 Basic Constraints reads CA:TRUE) and the CRL, which openssl crl picks out of ca.crt because it was appended there

openssl x509 -in ca.crt -text -noout | less
openssl crl -in ca.crt -text -noout | less

client or server csr

on some client or server node (the private key never needs to be sent to the CA, only the CSR)

now generate a CSR for some server or client — see sslhappy-csr

ready to serve

on the ca node

sign the request with your root CA

touch index.txt
echo 01 > serial

openssl ca -days 375 -notext -md sha256 -in HOST-OR-USER.csr -out HOST-OR-USER.crt
chmod 444 HOST-OR-USER.crt

tail index.txt
tail serial

check

openssl x509 -in HOST-OR-USER.crt -text -noout
openssl verify -CAfile ca.crt HOST-OR-USER.crt
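The whole cycle above (root CA with dir = ./, empty CRL, CSR on the client side, signing on the CA node, verify) condensed into a throwaway script, with the revocation step the page's CRL setup is there for. This is an added example, not part of the original page: it assumes an openssl binary (LibreSSL or OpenSSL) on PATH, uses unencrypted keys and constructed subject names for the demo, and writes its own minimal openssl.cnf modelled on the sections shown earlier (with default_md = sha256 instead of default, and a v3_ca section for the root).

```shell
#!/bin/sh
# Added example (not the page's own code): a disposable CA that follows the
# page's CA_default layout.  Assumes `openssl` on PATH; keys are unencrypted
# and subject names are constructed for the demo.
set -eu

# Write a minimal openssl.cnf into DIR.  The quoted heredoc keeps $dir literal
# so openssl, not the shell, expands it.
ca_write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./
database        = $dir/index.txt
new_certs_dir   = $dir
certificate     = $dir/ca.crt
serial          = $dir/serial
crlnumber       = $dir/crlnumber
private_key     = $dir/ca.key
default_days    = 375
default_crl_days= 30
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Root key + self-signed CA cert, the ca(1) database files and an initial
# (empty) CRL.  Everything runs from inside DIR because dir = ./ resolves
# against the working directory.  Drop the redirects to see ca(1)'s chatter.
ca_setup() {
  ca_write_config "$1"
  ( cd "$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config openssl.cnf -extensions v3_ca -keyout ca.key -out ca.crt \
      -subj "/C=XX/ST=Demo/O=Example Org/CN=Example Root CA" 2>/dev/null
    touch index.txt          # ca(1) refuses to run without its database
    echo 01 > serial
    echo 01 > crlnumber
    openssl ca -config openssl.cnf -gencrl -out ca.crl 2>/dev/null )
}

# Key + CSR for NAME (the client/server node's part), then signing with the
# root (the CA node's part).  C/ST/O must match the root because of policy_match.
ca_issue() {
  ( cd "$1"
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
      -keyout "$2.key" -out "$2.csr" \
      -subj "/C=XX/ST=Demo/O=Example Org/CN=$2" 2>/dev/null
    openssl ca -config openssl.cnf -batch -notext -md sha256 -days 375 \
      -in "$2.csr" -out "$2.crt" 2>/dev/null )
}

# Mark NAME's certificate revoked in index.txt and publish a fresh CRL.
ca_revoke() {
  ( cd "$1"
    openssl ca -config openssl.cnf -revoke "$2.crt" 2>/dev/null
    openssl ca -config openssl.cnf -gencrl -out ca.crl 2>/dev/null )
}

# 0 when NAME's cert chains to the root AND is absent from the current CRL.
# The CRL is appended to the CA cert exactly as the page's `cat ca.crl >> ca.crt`
# does: -CAfile loads both certificates and CRLs from a single PEM file.
ca_verify() {
  cat "$1/ca.crt" "$1/ca.crl" > "$1/ca-bundle.pem"
  openssl verify -crl_check -CAfile "$1/ca-bundle.pem" "$1/$2.crt" >/dev/null 2>&1
}

# The review step: the root must carry basicConstraints CA:TRUE.
ca_is_ca() {
  openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

demo() {
  d=$(mktemp -d)
  ca_setup "$d" && ca_is_ca "$d" && echo "root certificate carries CA:TRUE"
  ca_issue "$d" www.example.test
  ca_verify "$d" www.example.test && echo "www.example.test: valid"
  ca_revoke "$d" www.example.test
  ca_verify "$d" www.example.test || echo "www.example.test: rejected, it is on the CRL"
  rm -rf "$d"
}

case "${1:-}" in run) demo ;; esac
```

Run it as: sh ca-demo.sh run. The last verify fails only because -crl_check is given; without it openssl verify would still say OK for a revoked certificate, which is why the CRL has to be published to (and checked by) the relying side.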

deal w/ client certificates

on the server side

apache-clientcert

dovecot-clientcert

on the client side

firefox

thunderbird

TODO

Resources

ca - sample minimal CA application https://github.com/libressl/libressl/blob/master/src/doc/apps/ca.pod

Certificate signing request https://en.wikipedia.org/wiki/Certificate_signing_request

OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030

How To Setup a CA http://pages.cs.wisc.edu/~zmiller/ca-howto/

How to get HTTPS working in localhost development environment https://reactpaths.com/how-to-get-https-working-in-localhost-development-environment-f17de34af046

Setting up an SSL secured Webserver with CentOS https://wiki.centos.org/HowTos/Https

crl

https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html

https://stackoverflow.com/questions/11966123/howto-create-a-certificate-using-openssl-including-a-crl-distribution-point

crlnumber https://help.cloud.fabasoft.com/index.php?topic=doc/How-to-Create-a-CA-and-User-Certificates-for-Your-Organization-in-Fabasoft-Cloud/certificate-revocation-list-via-openssl.htm

alternatives

Easy-RSA 3 https://easy-rsa.readthedocs.io/en/latest/

Easy-RSA https://wiki.archlinux.org/index.php/Easy-RSA


Licensed under MIT