2018 November Release

Create a CA via OpenSSL

Preparation

Create a directory for your CA and configure it in your openssl.cnf (parameter “dir”).

In this case, “/etc/pki/CA” will be used.

Create a Private Key

mkdir -p /etc/pki/CA/private

cd /etc/pki/CA/

openssl genrsa -des3 -out private/cakey.pem 2048

Create a CSR

openssl req -new -key private/cakey.pem \
                 -out careq.pem

Fill out the fields for the DN (Distinguished Name) like the country name, the name of your organization and the common name of your certificate authority.

Create a Certificate

openssl x509 -days 1095 -signkey private/cakey.pem \
                        -CAserial serial \
                        -set_serial 00 \
                        -in careq.pem -req \
                        -out cacert.pem

Convert a Certificate

openssl x509 -in cacert.pem \
             -out cacert.cer \
             -outform DER

Create a CA Serial File

echo -n '00' > serial

Add a CA to index.txt

The index.txt is a tab-separated file with the following columns:

  • State: “V” for valid, “E” for expired and “R” for revoked
  • Enddate: in the format YYMMDDHHmmssZ (the “Z” stands for Zulu/GMT)
  • Date of Revocation: same format as “Enddate”
  • Serial: serial of the certificate
  • Path to Certificate: can also be “unknown”
  • Subject: subject of the certificate

You can parse the values from the certificate:

openssl x509 -in cacert.pem -serial -enddate -subject

Create an Entry for the CA Certificate

echo -e "V\t120522135101Z\t\t00\tcacert.pem\t/C=AT/ST=Upper Austria/L=Linz/O=MyCompany/CN=MY Companys CA" > index.txt
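Instead of typing the entry by hand, the line can be derived from the values the certificate prints. The following is an added example, not part of the original page: the function name ca_index_entry and the sample text are constructed, and it assumes the subject is printed in the slash-separated form used in the entry above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build an index.txt line from
# `openssl x509 -noout -serial -enddate -subject` output read on stdin.
# $1 is the "Path to Certificate" column (default "unknown").
ca_index_entry() {
    awk -v file="${1:-unknown}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /^serial=/ { serial = substr($0, 8) }
    /^notAfter=/ {
        # "May 22 13:51:01 2012 GMT" -> YYMMDDHHmmssZ
        n = split(substr($0, 10), d, " ")
        # Two-digit years are ambiguous outside 1950-2049; reject those.
        if (n != 5 || d[5] != "GMT" || !(d[1] in mon) || d[4] < 1950 || d[4] > 2049) {
            bad = 1; next
        }
        split(d[3], t, ":")
        enddate = sprintf("%02d%02d%02d%02d%02d%02dZ",
                          d[4] % 100, mon[d[1]], d[2], t[1], t[2], t[3])
    }
    /^subject=/ {
        subject = substr($0, 9)
        sub(/^ +/, "", subject)   # some versions print "subject= /C=..."
    }
    END {
        # Require all three values and the slash-separated subject form.
        if (bad || serial == "" || enddate == "" || subject !~ /^\//) exit 1
        printf "V\t%s\t\t%s\t%s\t%s\n", enddate, serial, file, subject
    }'
}

# Constructed sample input matching the entry shown on this page.
SAMPLE='serial=00
notAfter=May 22 13:51:01 2012 GMT
subject= /C=AT/ST=Upper Austria/L=Linz/O=MyCompany/CN=MY Companys CA'

printf '%s\n' "$SAMPLE" | ca_index_entry cacert.pem
```

The function exits non-zero without writing a line when a value is missing or the date cannot be expressed in the two-digit-year format, so a malformed entry never reaches index.txt.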