For a bunch of internal projects I wanted to have proper SSL running that didn't cause errors with self-signed certificates and other invalid SSL issues. To manage this without the overhead of running full CA software such as EJBCA or Dogtag, I decided to do it with the tools that are already available on almost every Linux system. This was originally written several years ago in a text file on the USB sticks where I stored the CA offline, but the documentation might be useful to other people. Most of this comes from https://jamielinux.com/docs/openssl-certificate-authority/ with a bit from a few other places.

Creation of Tim Hughes CA

To begin with I created two encrypted USB sticks which I mounted as follows.

Root CA should be mounted at::

    /run/media/thughes/TimHughesCA

Intermediate CA mounts at::

    /run/media/thughes/IntermediateCA

This step is not really critical, but I wanted to have my root CA stored separately from my intermediate and I didn't want either of them online most of the time.

Creating Certificate Authorities

Root CA::

    mkdir -p TimHughesRootCA/{certs,crl,newcerts,private}
    chmod 700 TimHughesRootCA/private
    touch TimHughesRootCA/index.txt
    echo 1000 > TimHughesRootCA/serial
    cat /etc/pki/tls/openssl.cnf > TimHughesRootCA/openssl.cnf
    vim TimHughesRootCA/openssl.cnf

Generate Root CA private key::

    openssl genrsa -aes256 -out TimHughesRootCA/private/ca.key.pem 4096
    chmod 400 TimHughesRootCA/private/ca.key.pem

Generate Root CA certificate::

    openssl req -config TimHughesRootCA/openssl.cnf -new -x509 -days 3650 -key TimHughesRootCA/private/ca.key.pem -sha256 -extensions v3_ca -out TimHughesRootCA/certs/ca.crt.pem
    chmod 444 TimHughesRootCA/certs/ca.crt.pem

Intermediate CA::

    mkdir -p TimHughesIntermediateCA/{certs,crl,newcerts,private}
    chmod 700 TimHughesIntermediateCA/private
    touch TimHughesIntermediateCA/index.txt
    echo 1000 > TimHughesIntermediateCA/serial
    cat /etc/pki/tls/openssl.cnf > TimHughesIntermediateCA/openssl.cnf
    vim TimHughesIntermediateCA/openssl.cnf

Intermediate CA private key::

    openssl genrsa -aes256 -out TimHughesIntermediateCA/private/intermediate.key.pem 4096
    chmod 400 TimHughesIntermediateCA/private/intermediate.key.pem

Intermediate CA certificate signing request::

    openssl req -config TimHughesIntermediateCA/openssl.cnf \
        -sha256 \
        -new \
        -key TimHughesIntermediateCA/private/intermediate.key.pem \
        -out TimHughesIntermediateCA/certs/intermediate.csr.pem

Root CA signs the intermediate certificate from the CSR::

    openssl ca -config TimHughesRootCA/openssl.cnf \
        -keyfile TimHughesRootCA/private/ca.key.pem \
        -cert TimHughesRootCA/certs/ca.crt.pem \
        -extensions v3_ca \
        -notext \
        -md sha256 \
        -in TimHughesIntermediateCA/certs/intermediate.csr.pem \
        -out TimHughesIntermediateCA/certs/intermediate.crt.pem

Generate Certificate Revocation List for Root CA::

    echo 1000 > TimHughesRootCA/crlnumber
    openssl ca -config TimHughesRootCA/openssl.cnf \
        -keyfile TimHughesRootCA/private/ca.key.pem \
        -cert TimHughesRootCA/certs/ca.crt.pem \
        -gencrl \
        -out TimHughesRootCA/crl/ca.crl.pem

    openssl crl -in TimHughesRootCA/crl/ca.crl.pem -text

Generate Certificate Revocation List for Intermediate CA::

    echo 1000 > TimHughesIntermediateCA/crlnumber
    openssl ca -config TimHughesIntermediateCA/openssl.cnf \
        -keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
        -cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
        -gencrl \
        -out TimHughesIntermediateCA/crl/intermediate.crl.pem

    openssl crl -in TimHughesIntermediateCA/crl/intermediate.crl.pem -text

Creating server certificates

Create a key and certificate signing request (CSR) on the server::

    cd /etc/pki/tls/
    openssl genrsa -out private/$(hostname -f).key.pem 4096
    chmod 400 private/$(hostname -f).key.pem

    openssl req -sha256 -new -key private/$(hostname -f).key.pem \
        -out certs/$(hostname -f).csr.pem

Copy the CSR to the CA machine::

    scp $some_host:/etc/pki/tls/certs/${some_host}.csr.pem /run/media/thughes/IntermediateCA/workingdir/

Sign the certificate using the intermediate CA::

    openssl ca -config TimHughesIntermediateCA/openssl.cnf \
        -keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
        -cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
        -extensions v3_req \
        -notext \
        -md sha256 \
        -in workingdir/${some_host}.csr.pem \
        -out workingdir/${some_host}.crt.pem

Revoke a certificate::

    openssl ca -config TimHughesIntermediateCA/openssl.cnf \
        -keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
        -cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
        -revoke TimHughesIntermediateCA/newcerts/1000.pem

Don't forget to regenerate the CRL afterwards.
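As an added, end-to-end example that is not part of the original notes: the script below runs the whole procedure above in a throwaway temp directory, so it can be tried before touching the real USB sticks. It fills the gap the notes leave at "vim openssl.cnf" with a minimal, constructed openssl.cnf (the section names v3_ca, v3_intermediate_ca and server_cert follow the jamielinux guide the notes cite, but the content is my own), creates the root and intermediate CAs, issues a server certificate, verifies the chain with the root as the only trusted anchor, then revokes the certificate, regenerates the CRL and shows that verification fails once the CRL is checked. It assumes openssl 1.1.1 or later on PATH; the CA names and the hostname www.example.test are constructed. Three deliberate differences from the notes: the intermediate is signed with a section that adds pathlen:0 (the notes use v3_ca for both CAs), the server section carries a subjectAltName (browsers no longer accept certificates without one), and the keys are generated without -aes256 so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original notes: builds a throwaway root CA and
# intermediate CA in a temp dir, issues a server cert, verifies the chain,
# revokes it, regenerates the CRL and confirms verification now fails.
# Assumes openssl 1.1.1+ on PATH; CA names, hostname and config are constructed.
set -eu
HOST=www.example.test   # constructed; in real use one key/CSR per server

# Minimal openssl.cnf for the directory layout in the notes (the part they leave
# to "vim openssl.cnf"). $1=dir, $2=key/cert basename expand now; \$dir is OpenSSL's.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca        = CA_default
[ CA_default ]
dir               = $1
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
private_key       = \$dir/private/$2.key.pem
certificate       = \$dir/certs/$2.crt.pem
default_md        = sha256
default_days      = 375
default_crl_days  = 30
policy            = policy_loose
[ policy_loose ]
commonName        = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName        = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_intermediate_ca ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$HOST
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Directory layout and bookkeeping files for one CA, as in the notes.
init_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    touch "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    write_ca_config "$1" "$2"
}

# Whole lifecycle; last line printed is "before:ok after:revoked" when all is well.
demo_ca_lifecycle() {
    top=$(mktemp -d); root=$top/RootCA; int=$top/IntermediateCA
    init_ca_dir "$root" ca; init_ca_dir "$int" intermediate
    # Keys left unencrypted only so this runs unattended; the notes use -aes256.
    for k in "$root/private/ca" "$int/private/intermediate" "$top/$HOST"; do
        openssl genrsa -out "$k.key.pem" 2048 2>/dev/null
    done
    # Root: self-signed with the v3_ca section.
    openssl req -config "$root/openssl.cnf" -new -x509 -days 3650 -sha256 -extensions v3_ca \
        -key "$root/private/ca.key.pem" -subj "/CN=Example Root CA" -out "$root/certs/ca.crt.pem"
    # Intermediate: CSR signed by the root with pathlen:0, so it cannot issue sub-CAs.
    openssl req -config "$int/openssl.cnf" -new -sha256 -key "$int/private/intermediate.key.pem" \
        -subj "/CN=Example Intermediate CA" -out "$int/certs/intermediate.csr.pem"
    openssl ca -batch -config "$root/openssl.cnf" -extensions v3_intermediate_ca -notext -md sha256 \
        -in "$int/certs/intermediate.csr.pem" -out "$int/certs/intermediate.crt.pem" >/dev/null 2>&1
    # Server cert from the intermediate; the CA's copy lands in newcerts/1000.pem.
    openssl req -config "$int/openssl.cnf" -new -sha256 -key "$top/$HOST.key.pem" \
        -subj "/CN=$HOST" -out "$top/$HOST.csr.pem"
    openssl ca -batch -config "$int/openssl.cnf" -extensions server_cert -notext -md sha256 \
        -in "$top/$HOST.csr.pem" -out "$top/$HOST.crt.pem" >/dev/null 2>&1
    # Chain check: only the root is trusted; the intermediate is an untrusted link.
    verify() { openssl verify -CAfile "$root/certs/ca.crt.pem" \
        -untrusted "$int/certs/intermediate.crt.pem" "$@" "$top/$HOST.crt.pem" >/dev/null 2>&1; }
    before=fail; verify && before=ok
    # Revoke, regenerate the CRL (the step the notes say not to forget), re-check.
    openssl ca -config "$int/openssl.cnf" -revoke "$int/newcerts/1000.pem" >/dev/null 2>&1
    openssl ca -config "$int/openssl.cnf" -gencrl -out "$int/crl/intermediate.crl.pem" >/dev/null 2>&1
    after=ok; verify -crl_check -CRLfile "$int/crl/intermediate.crl.pem" || after=revoked
    rm -rf "$top"
    echo "before:$before after:$after"
}

if command -v openssl >/dev/null 2>&1; then demo_ca_lifecycle; fi
```

The chain check deliberately passes the root with -CAfile and the intermediate with -untrusted rather than concatenating both into one trusted bundle: that is the same trust shape a client sees (root anchor, intermediate supplied by the server), so a mistake in the intermediate's extensions shows up here instead of in a browser. Note that plain `openssl verify` does not consult CRLs at all; the second check only fails because -crl_check is set and the freshly regenerated CRL is supplied, which is why regenerating it after a revocation matters.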