My NetBSD Certificate Authority (CA) with OpenSSL

    

I created a private certificate authority with OpenSSL on NetBSD to use in my personal LAN. The certificates are used to authenticate servers in SSL/TLS mode and also to remotely connect to my LAN using VPN.

Environment

I’m using NetBSD 5.1/amd64 and OpenSSL 0.9.9.

Create the directory to host the CA:

# cd /etc/openssl
# cp -p /usr/share/examples/openssl/CA.pl .
# cp -p /usr/share/examples/openssl/openssl.cnf .
# chmod 755 CA.pl
# chmod 644 openssl.cnf

Install Perl (pkgsrc lang/perl5) to be able to run CA.pl.
I chose CA.pl over CA.sh because the latter does not provide a way to create unprotected certificates (certificates without a “PEM pass phrase”).

Customize the CA.pl file:

--- /usr/share/examples/openssl/CA.pl   2010-11-06 14:07:36.000000000 +0100
+++ /etc/openssl/CA.pl  2010-11-16 15:35:21.000000000 +0100
@@ -46,6 +46,6 @@

 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";     # 1 year
-$CADAYS="-days 1095";  # 3 years
+$DAYS="-days 3650";    # 10 year
+$CADAYS="-days 3650";  # 10 years
 $REQ="$openssl req $SSLEAY_CONFIG";
 $CA="$openssl ca $SSLEAY_CONFIG";
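Review bot: `$DAYS="-days 3650"` gives the non-CA certificates the same ten-year validity as the CA itself (`$CADAYS`), which removes the natural rotation point for server keys and leaves revocation as the only way to retire a compromised one; keep `$DAYS` at a year or two and reserve the long lifetime for `$CADAYS`. The comment on that line also reads `# 10 year` while the next one says `# 10 years`.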
@@ -54,5 +54,5 @@
 $PKCS12="$openssl pkcs12";

-$CATOP="./demoCA";
+$CATOP="/etc/openssl/TMFCA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
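Review bot: `$CATOP="/etc/openssl/TMFCA"` has to stay identical to `dir` in openssl.cnf, since CA.pl builds its own paths from `$CATOP` while `openssl ca` reads the config; they match here, but the tree is created by `-newca` with whatever the umask allows, so check `ls -ld /etc/openssl/TMFCA/private` afterwards and tighten it to root-only (0700) if it came out wider, because `private/cakey.pem` is the one file that must never be readable by anyone else.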

Customize the openssl.cnf file:

--- /usr/share/examples/openssl/openssl.cnf     2010-11-06 14:07:36.000000000 +0100
+++ openssl.cnf 2010-11-16 13:12:49.000000000 +0100
@@ -40,5 +40,5 @@
 [ CA_default ]

-dir            = ./demoCA              # Where everything is kept
+dir            = /etc/openssl/TMFCA    # Where everything is kept
 certs          = $dir/certs            # Where the issued certs are kept
 crl_dir                = $dir/crl              # Where the issued crl are kept
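Review bot: an absolute `dir` makes `$dir/certs` and `$dir/crl` resolve from any working directory, which is the point of the change, but CA.pl still drops `newkey.pem` and `newreq.pem` into the directory it is run from; run it from a root-only directory so an unencrypted server key never sits in a shared cwd between `-newreq-nodes` and the `mv` into `$dir/private`.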
@@ -71,5 +71,5 @@
 # crl_extensions       = crl_ext

-default_days   = 365                   # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = default               # use public key default MD
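Review bot: `default_days = 3650` is what `openssl ca` applies to every signed request, so all server certificates get ten years; with `default_crl_days= 30` right below and `# crl_extensions = crl_ext` left commented out, a revoked certificate only stops working if a CRL is also generated and published every month, so either keep `default_days` short or commit to CRL publication. `default_md = default` should also be set explicitly (`sha256`) rather than relying on whatever the 0.9.x library picks as the public key default MD for certificates that will be in use until 2020.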
@@ -128,15 +128,16 @@
 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
-countryName_default            = AU
+countryName_default            = FR
 countryName_min                        = 2
 countryName_max                        = 2

 stateOrProvinceName            = State or Province Name (full name)
-stateOrProvinceName_default    = Some-State
+stateOrProvinceName_default    = Paris

 localityName                   = Locality Name (eg, city)
+localityName_default           = Paris

 0.organizationName             = Organization Name (eg, company)
-0.organizationName_default     = Internet Widgits Pty Ltd
+0.organizationName_default     = TuM'Fatig

 # we can do this but it is not needed normally :-)
@@ -145,5 +146,5 @@

 organizationalUnitName         = Organizational Unit Name (eg, section)
-#organizationalUnitName_default        =
+organizationalUnitName_default = TMF Secure Certificate Authority

 commonName                     = Common Name (eg, YOUR name)
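Review bot: `organizationalUnitName_default = TMF Secure Certificate Authority` is a prompt default for every request, not just `-newca`, so a server certificate accepted with the defaults carries an OU claiming to be the CA; keep the original commented-out line (empty default) and type the CA's OU only when creating the CA. `commonName` has no default, which is correct: it must be the server's DNS name for each request.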
@@ -152,4 +153,5 @@
 emailAddress                   = Email Address
 emailAddress_max               = 64
+emailAddress_default           = jdoe@tumfatig.local

 # SET-ex3                      = SET extension number 3
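Review bot: `emailAddress_default = jdoe@tumfatig.local` puts a personal address into the subject of every server certificate, where every connecting client can read it; it adds nothing to a server certificate, so leave the default empty and supply the address only when creating the CA if it is wanted there.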
@@ -329,5 +331,5 @@

 # These are used by the TSA reply generation only.
-dir            = ./demoCA              # TSA root directory
+dir            = /etc/openssl/TMFCA    # TSA root directory
 serial         = $dir/tsaserial        # The current serial number (mandatory)
 crypto_device  = builtin               # OpenSSL engine to use for signing

Certificate Authority initialization

# /etc/openssl/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
......++++++
writing new private key to '/etc/openssl/TMFCA/private/./cakey.pem'
(...)
You are about to be asked to enter information that will be incorporated
into your certificate request.
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ca.tumfatig.local
Email Address [jdoe@tumfatig.local]:
(...)
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/TMFCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Nov 16 12:32:08 2010 GMT
            Not After : Nov 13 12:32:08 2020 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Paris
            organizationName          = TuMFatig
            organizationalUnitName    = TMF Secure Certificate Authority
            commonName                = ca.tumfatig.local
            emailAddress              = jdoe@tumfatig.local
        X509v3 extensions:
(...)
Certificate is to be certified until Nov 13 12:32:08 2020 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

The file /etc/openssl/TMFCA/cacert.pem is the CA certificate: it holds only the public key and has to be deployed to, or made reachable from, every client that should trust certificates issued by this CA. The private half, /etc/openssl/TMFCA/private/cakey.pem, never leaves the CA host. Note that the CA key was generated with 1024 bits because that is what default_bits in the [ req ] section of openssl.cnf says; for a CA meant to last ten years, raise it to at least 2048 before running -newca, because the CA key cannot be changed later without reissuing every certificate and redistributing cacert.pem.

Server certificate creation

The private key will not be pass-phrase protected (CA.pl -newreq-nodes passes -nodes to openssl req), so the service can start without a human typing a passphrase. An unencrypted key relies entirely on file permissions: keep it root-owned and mode 0600.

Create the certificate request:

# /etc/openssl/CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
............++++++
.............++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ldap.tumfatig.local
Email Address [jdoe@tumfatig.local]:
(...)
Request is in newreq.pem, private key is in newkey.pem

Then sign it:

# /etc/openssl/CA.pl -sign
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
(...)
Certificate is to be certified until Nov 13 14:59:38 2020 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Install the certificate in the CA repository:

# mv newcert.pem /etc/openssl/TMFCA/certs/ldap.tumfatig.local.crt
# mv newkey.pem /etc/openssl/TMFCA/private/ldap.tumfatig.local.key

Install the certificate on the server side (cp -p keeps whatever mode the umask gave newkey.pem when CA.pl wrote it, so verify afterwards that the key in /etc/openssl/private is root-owned and mode 0600):

# cp -p /etc/openssl/TMFCA/certs/ldap.tumfatig.local.crt /etc/openssl/certs/
# cp -p /etc/openssl/TMFCA/private/ldap.tumfatig.local.key /etc/openssl/private/
# cp -p /etc/openssl/TMFCA/cacert.pem /etc/openssl/certs/
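The checks below are an added example, not something CA.pl or the original page provides. After -sign and the mv/cp steps above they confirm that the installed certificate verifies against cacert.pem, that the key copied to /etc/openssl/private is the one the certificate was issued for, that the unencrypted key is not readable by group or others, that the leaf is not accidentally a CA certificate, and that the RSA modulus is at least 2048 bits. The same block prints the SHA-256 fingerprint of cacert.pem, which is what to compare out of band when handing the CA certificate to clients (the deployment point made under "Certificate Authority initialization"). The paths in the usage comment are the ones used on this page; the 2048-bit minimum and the RSA-only reading of the key size are this example's assumptions. It needs only the openssl command line and POSIX sh.

```sh
#!/bin/sh
# check_issued_cert.sh: sanity checks for a certificate signed by the CA
# on this page. Added example, not part of CA.pl. The paths below are the
# ones used on this page; the 2048-bit minimum is an assumption.
#
# Usage: sh check_issued_cert.sh CA_CERT CERT KEY
#   e.g. sh check_issued_cert.sh /etc/openssl/TMFCA/cacert.pem \
#            /etc/openssl/certs/ldap.tumfatig.local.crt \
#            /etc/openssl/private/ldap.tumfatig.local.key

# 1. Does the certificate chain to the CA certificate we distribute?
cert_chains_to_ca() {  # $1 = CA cert, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Is the private key installed next to the cert really its key?
#    Compare the SubjectPublicKeyInfo extracted from both files.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. An unencrypted (-nodes) key must not be group- or world-readable.
#    POSIX find: -perm -040 = group read bit set, -perm -004 = other read bit.
key_is_private() {  # $1 = private key
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# 4. Key size as printed by "openssl x509 -text" (RSA assumed; e.g. 2048).
cert_key_bits() {  # $1 = certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# 5. Does the certificate carry basicConstraints CA:TRUE?
#    True for cacert.pem, must be false for a server certificate.
cert_is_ca() {  # $1 = certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint without the "Fingerprint=" prefix: read this out to
# whoever installs cacert.pem so they can compare it before trusting it.
cert_fingerprint() {  # $1 = certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Run every check; print one line per failure, return non-zero if any failed.
check_issued_cert() {  # $1 = CA cert, $2 = certificate, $3 = private key
    rc=0
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    key_matches_cert "$2" "$3"  || { echo "FAIL: $3 is not the private key of $2"; rc=1; }
    key_is_private "$3"         || { echo "FAIL: $3 is readable by group or others"; rc=1; }
    cert_is_ca "$2"             && { echo "FAIL: $2 is a CA certificate, not a server certificate"; rc=1; }
    bits=$(cert_key_bits "$2")
    [ "${bits:-0}" -ge 2048 ]   || { echo "FAIL: $2 has a ${bits:-?}-bit key, want at least 2048"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 (${bits}-bit key), CA fingerprint $(cert_fingerprint "$1")"
    return "$rc"
}

# Stand-alone use: run the checks when invoked with the three paths.
if [ "$#" -eq 3 ]; then
    check_issued_cert "$1" "$2" "$3"
fi
```

Run it as root on the server once the copies are in place. Because cp -p keeps whatever mode CA.pl gave newkey.pem, the permission check is the one most likely to fail on a first run; the key-match check catches the classic mistake of pairing a renamed certificate with the wrong .key after several -newreq-nodes/-sign rounds in the same directory.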

Additional notes

To view the content of a certificate, just issue:

# openssl x509 -in newcert.pem -noout -text