For a bunch of internal projects I wanted to have proper SSL running that didn't cause errors with self-signed certificates and other invalid SSL issues. To manage this without the overhead of running some full CA software such as EJBCA or Dogtag, I decided to do it with the tools that were already available on almost every Linux system. This was originally written several years ago in a text file on the USB sticks where I stored the CA offline, but the documentation might be useful to other people. Most of this comes from https://jamielinux.com/docs/openssl-certificate-authority/ with a bit from a few other places.
Creation of Tim Hughes CA
To begin with I created two encrypted USB sticks, which I mounted as follows.
The root CA is mounted at::
/run/media/thughes/TimHughesCA
The intermediate CA is mounted at::
/run/media/thughes/IntermediateCA
This step is not really critical, but I wanted to have my root CA stored separately from my intermediate, and I didn't want either of them online most of the time.
Creating Certificate Authorities
Root CA:
mkdir TimHughesRootCA/{certs,crl,newcerts,private}
chmod 700 TimHughesRootCA/private
touch TimHughesRootCA/index.txt
echo 1000 > TimHughesRootCA/serial
cat /etc/pki/tls/openssl.cnf > TimHughesRootCA/openssl.cnf
# at minimum, set "dir" in [ CA_default ] to the TimHughesRootCA directory
# (the stock file points it at /etc/pki/CA); the -keyfile/-cert options used
# below override the key and certificate paths, but database, serial and
# new_certs_dir are all taken from "dir"
vim TimHughesRootCA/openssl.cnf
Generate Root CA private key::
openssl genrsa -aes256 -out TimHughesRootCA/private/ca.key.pem 4096
chmod 400 TimHughesRootCA/private/ca.key.pem
Generate Root CA certificate::
openssl req -config TimHughesRootCA/openssl.cnf -new -x509 -days 3650 -key TimHughesRootCA/private/ca.key.pem -sha256 -extensions v3_ca -out TimHughesRootCA/certs/ca.crt.pem
chmod 444 TimHughesRootCA/certs/ca.crt.pem
Intermediate CA::
mkdir TimHughesIntermediateCA/{certs,crl,newcerts,private}
chmod 700 TimHughesIntermediateCA/private
touch TimHughesIntermediateCA/index.txt
echo 1000 > TimHughesIntermediateCA/serial
cat /etc/pki/tls/openssl.cnf > TimHughesIntermediateCA/openssl.cnf
# as for the root: set "dir" in [ CA_default ] to the TimHughesIntermediateCA directory
vim TimHughesIntermediateCA/openssl.cnf
Intermediate CA private key::
openssl genrsa -aes256 -out TimHughesIntermediateCA/private/intermediate.key.pem 4096
chmod 400 TimHughesIntermediateCA/private/intermediate.key.pem
Intermediate CA certificate signing request::
openssl req -config TimHughesIntermediateCA/openssl.cnf \
-sha256 \
-new \
-key TimHughesIntermediateCA/private/intermediate.key.pem \
-out TimHughesIntermediateCA/certs/intermediate.csr.pem
Root CA creates a signed intermediate certificate from the csr::
openssl ca -config TimHughesRootCA/openssl.cnf \
-keyfile TimHughesRootCA/private/ca.key.pem \
-cert TimHughesRootCA/certs/ca.crt.pem \
-extensions v3_ca \
-notext \
-md sha256 \
-in TimHughesIntermediateCA/certs/intermediate.csr.pem \
-out TimHughesIntermediateCA/certs/intermediate.crt.pem
Two things to be aware of here. No -days is given, so openssl ca uses default_days from openssl.cnf (365 in the stock file), which is short for an intermediate. And the stock v3_ca section sets CA:true without a pathlen, so the intermediate gets the same unconstrained CA extensions as the root and could itself sign further CAs; the jamielinux guide uses a separate v3_intermediate_ca section with basicConstraints = critical, CA:true, pathlen:0 for exactly this reason.
Generate Certificate Revocation List for Root CA::
echo 1000 > TimHughesRootCA/crlnumber
openssl ca -config TimHughesRootCA/openssl.cnf \
-keyfile TimHughesRootCA/private/ca.key.pem \
-cert TimHughesRootCA/certs/ca.crt.pem \
-gencrl \
-out TimHughesRootCA/crl/ca.crl.pem
openssl crl -in TimHughesRootCA/crl/ca.crl.pem -text
Generate Certificate Revocation List for Intermediate CA::
echo 1000 > TimHughesIntermediateCA/crlnumber
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-gencrl \
-out TimHughesIntermediateCA/crl/intermediate.crl.pem
openssl crl -in TimHughesIntermediateCA/crl/intermediate.crl.pem -text
Creating server certificates
Create a key and certificate signing request (csr) on the server itself, so the private key never leaves the host::
cd /etc/pki/tls/
openssl genrsa -out private/$(hostname -f).key.pem 4096
chmod 400 private/$(hostname -f).key.pem
openssl req -sha256 -new -key private/$(hostname -f).key.pem \
-out certs/$(hostname -f).csr.pem
Copy the csr.pem to the machine where the intermediate CA is mounted (only the csr is copied, never the key)::
scp $some_host:/etc/pki/tls/certs/${some_host}.csr.pem /run/media/thughes/IntermediateCA/workingdir/
Sign the certificate using the intermediate CA::
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-extensions v3_req \
-notext \
-md sha256 \
-in workingdir/${some_host}.csr.pem \
-out workingdir/${some_host}.crt.pem
The stock v3_req section sets CA:FALSE and a keyUsage but no extendedKeyUsage and no subjectAltName, and openssl ca only copies a subjectAltName from the csr when copy_extensions = copy is set in openssl.cnf, so check the issued certificate with openssl x509 -text before deploying it.
Revoke a certificate::
openssl ca -config TimHughesIntermediateCA/openssl.cnf \
-keyfile TimHughesIntermediateCA/private/intermediate.key.pem \
-cert TimHughesIntermediateCA/certs/intermediate.crt.pem \
-revoke TimHughesIntermediateCA/newcerts/1000.pem
Don't forget to regenerate the CRL afterwards with the -gencrl command above: -revoke only marks the entry R in index.txt, and until a new CRL is published, clients checking the old one will still accept the revoked certificate.
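The whole procedure above (CA directories, root and intermediate, server certificate, revocation and CRL) compressed into one script, as an added example that is not part of the original notes. It goes a little beyond the page: the intermediate is signed with a pathlen:0 v3_intermediate_ca section instead of the stock v3_ca, the server certificate gets a DNS subjectAltName set by the CA via -extfile, and the stale-CRL problem is shown rather than described. The directory names, the DNs, the hostname web.example.test and the minimal openssl.cnf are all assumptions for this demo; keys are unencrypted 2048-bit RSA so it runs non-interactively in a temp directory (use the AES-256-protected 4096-bit keys from the notes for a real CA).

```shell
#!/bin/sh
# Added example (not from the page): a throwaway root + intermediate CA built in a
# temp dir, which then issues, revokes and CRL-checks one server certificate.
# Directory names, DNs and the hostname web.example.test are assumptions for the
# demo; keys are unencrypted 2048-bit RSA so it runs non-interactively (use the
# page's AES-256-protected 4096-bit keys for a real CA).
set -eu
DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
ROOT="$DEMO_DIR/root"; INT="$DEMO_DIR/intermediate"
SRV="$DEMO_DIR/web.example.test.crt.pem"

# Page's directory layout plus a minimal openssl.cnf whose "dir" already points at
# the CA (the edit the page's "vim openssl.cnf" step is for). Unlike the distro
# default, v3_intermediate_ca carries pathlen:0, so the intermediate may sign
# end-entity certificates but cannot mint further CAs.
init_ca_dir() {   # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"; chmod 700 "$1/private"
    : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.crt.pem
default_md = sha256
default_days = 375
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
gen_key() {   # $1 = output path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    chmod 400 "$1"
}
make_hierarchy() {
    init_ca_dir "$ROOT"; init_ca_dir "$INT"
    gen_key "$ROOT/private/ca.key.pem"
    openssl req -config "$ROOT/openssl.cnf" -new -x509 -days 3650 -sha256 -extensions v3_ca \
        -subj "/CN=Demo Root CA" -key "$ROOT/private/ca.key.pem" -out "$ROOT/certs/ca.crt.pem"
    gen_key "$INT/private/ca.key.pem"
    openssl req -config "$INT/openssl.cnf" -new -sha256 -subj "/CN=Demo Intermediate CA" \
        -key "$INT/private/ca.key.pem" -out "$INT/certs/intermediate.csr.pem"
    # Root signs the intermediate; -days overrides default_days for a CA certificate.
    openssl ca -batch -config "$ROOT/openssl.cnf" -extensions v3_intermediate_ca -days 1825 \
        -notext -in "$INT/certs/intermediate.csr.pem" -out "$INT/certs/ca.crt.pem"
}
# The CA sets subjectAltName itself via a per-host -extfile instead of copying
# extensions from the CSR, so a requester cannot smuggle in extensions the CA never intended.
issue_server_cert() {   # $1 = hostname, $2 = output certificate path
    gen_key "$DEMO_DIR/$1.key.pem"
    openssl req -config "$INT/openssl.cnf" -new -sha256 -subj "/CN=$1" \
        -key "$DEMO_DIR/$1.key.pem" -out "$DEMO_DIR/$1.csr.pem"
    printf '[ server_cert ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" > "$DEMO_DIR/$1.ext"
    openssl ca -batch -config "$INT/openssl.cnf" -extfile "$DEMO_DIR/$1.ext" \
        -extensions server_cert -notext -in "$DEMO_DIR/$1.csr.pem" -out "$2"
}
revoke_cert() { openssl ca -config "$INT/openssl.cnf" -revoke "$1"; }   # updates index.txt only
gen_crl()     { openssl ca -config "$INT/openssl.cnf" -gencrl -out "$INT/crl/ca.crl.pem"; }
# Trust only the root, let the intermediate chain to it, and consult the intermediate's CRL.
verify_cert() {   # $1 = certificate; exit status 0 only if it chains and is not revoked
    openssl verify -crl_check -CRLfile "$INT/crl/ca.crl.pem" \
        -CAfile "$ROOT/certs/ca.crt.pem" -untrusted "$INT/certs/ca.crt.pem" "$1"
}

make_hierarchy
issue_server_cert web.example.test "$SRV"
gen_crl
verify_cert "$SRV"                                        # OK
revoke_cert "$SRV"
verify_cert "$SRV" && echo "still OK: the CRL is stale, revocation not published yet"
gen_crl
verify_cert "$SRV" || echo "revoked, as expected"
```

The middle verify_cert call is the point of the script: after -revoke the certificate still validates against the old CRL, and only the second -gencrl makes the revocation visible to clients. Set DEMO_DIR to keep the generated directories for inspection with openssl x509 -text; otherwise they land under mktemp.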
- Revoking certificates
- Creating SubjectAlternativeName certificates
Where all this info came from - https://jamielinux.com/blog/category/CA/