Firstly let us start by creating a directory ca consisting of root-ca, sub-ca and server . Each of these sub-directories will contain:
- private key
- certs (certificate)
- newcerts (new certificate)
- crl (certificate revocation list)
- csr (certificate signing request)
mkdir -p ca/{root-ca,sub-ca,server}/{private,certs,newcerts,crll,csr}
Now if you will now run: tree ca
, then you will be able to see a structure like this:
And if this doesn't appear then install tree on your system , by running this command:
sudo apt install tree
Now again try the same command tree ca
chmod 700 Protects a file against any access from other users, while the issuing user still has full access.
chmod -v 700 ca/{root-ca,sub-ca,server}/private
The index file will be only needed to root-ca and sub-ca. The sub-ca is intermediate certificate authority authorized by the parent root.
touch ca/{root-ca,sub-ca}/index
Serial entries are the files that we need while issuing and signing certificate requests.
openssl rand -hex 16 > ca/root-ca/serial
openssl rand -hex 16 > ca/sub-ca/serial
Again run
tree ca
to see the structure of files.
The public key of a server would be signed by a trusted certificate auhtority to have a trusted relationship with it and as his clients we would automatically trust any server that have been signed with the trusted key.
AES algorithm is considered to be quite safe.
cd ca
openssl genrsa -aes256 -out root-ca/private/ca.key 4096
Now you will be asked to enter a pass phrase which is a part of our encryption . So type a solid pass phrase and don't forget it as it will be used further too. Then press enter and rewrite again to verify.
- this will look something like this :
Again follow the same step for making the private-key for sub-ca.
openssl genrsa -aes256 -out sub-ca/private/sub-ca.key 4096
Now we will do the same for server key but this time we will take key size of 2048 bits and we don't want any encryption system also.
This is because the server will be dealing with the encrypted data all the time , so for reducing the load we'll be taking key of less size and we don't want to enter the pass phrase whenever the server starts, so we will not use AES encyption this time .
openssl genrsa -out server/private/server.key 2048
public key will be created within the process.
For this purpose we will need a configuration file which will avoid our time from writing every information on the command line. So follow the following steps:
vim root-ca/root-ca.conf
Now copy paste the following configurations in that config file and save it.
KEEP IN MIND TO PUT THE PATH OF THE DIRECTORY IN THE
CA_DEFAULT
ACCORDING TO YOUR SYSTEM.this dir should contain the path that is according to your system.
[ca]
#/home/ubuntu/ca/root-ca/root-ca.conf
#enter your path (the above one is the path of my system)
#see man ca
default_ca = CA_default
[CA_default]
dir = /home/ubuntu/ca/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict
[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = IN
stateOrProvinceName_default = India
0.organizationName_default = ABC Ltd
[ v3_ca ]
# Extensions to apply when createing root ca
# Extensions for a typical CA, man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions to apply when creating intermediate or sub-ca
# Extensions for a typical intermediate CA, same man as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
Go through the file and read the things that have been applied.
The main things that are present in that config file are:
- Common Name
- Organization's name
- Country name
- State and Province
- Some default names
- Extension v3_ca is for root-ca.
Now move into the root-ca directory
cd root-ca/
and then run this command for making new x509 certificate (with the help of the private key) and you can provide the number days you want the certificate for.
We will be using SHA256 for making the message digest and the number of days is all upto you (in this I have taken 100 days)
openssl req -config root-ca.conf -key private/ca.key -new -x509 -days 100 -sha256 -extensions v3_ca -out certs/ca.crt
openssl x509 -noout -in certs/ca.crt -text
-text form so that we can read some of the things
So, we have finally created a self signed Certificate for root-ca
Root certificate authority should always be offline .
we have different CA for different purposes.
Jump into the sub-ca directory:
cd ../sub-ca/
We will make the same config file for sub-ca also.
vim sub-ca.conf
Now copy paste the whole code in this config file.
KEEP IN MIND TO PUT THE PATH OF THE DIRECTORY IN THE
CA_DEFAULT
ACCORDING TO YOUR SYSTEM.
[ca]
#see man ca
default_ca = CA_default
[CA_default]
dir = /home/ubuntu/ca/sub-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/sub-ca.key
certificate = $dir/certs/sub-ca.crt
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_loose
[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = IN
stateOrProvinceName_default = India
0.organizationName_default = ABC Ltd
[ v3_ca ]
# Extensions to apply when createing root ca
# Extensions for a typical CA, man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions to apply when creating intermediate or sub-ca
# Extensions for a typical intermediate CA, same man as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
This time we will not generate self signed certificate because this time we create a certificate signing request to the root-ca i.e. instead of x509 we will create csr to the root-ca
Run this code for creating CSR
openssl req -config sub-ca.conf -new -key private/sub-ca.key -sha256 -out csr/sub-ca.csr
Again do the same thing that we did on the 6th step. Like enter the pass phrase press enter-enter and this time on common name type SubCA.
Go back to the root-ca directory
cd -
Now create the certificate:
openssl ca -config root-ca.conf -extensions v3_intermediate_ca -days 100 -notext -in ../sub-ca/csr/sub-ca.csr -out ../sub-ca/certs/sub-ca.crt
If this somehow gives error then you haven't put the correct path of the directory in the
CA_DEFAULT
inside the config file.
After running the code enter the pass phrase and then type 'y' and 'y' in the following choices that will appear and then your certificate is successfully created.
Now again run the tree
command to see the structure and this time you will notice something different
tree ../../ca
cat index
openssl x509 -noout -text -in ../sub-ca/certs/sub-ca.crt
Change the directory
cd ../server/
Generate the signing request
openssl req -key private/server.key -new -sha256 -out csr/server.csr
You can press enter in every field if you wish but give any name or link in Common Name section.
cd ../sub-ca
Then run this command for making the certificate
openssl ca -config sub-ca.conf -extensions server_cert -days 100 -notext -in ../server/csr/server.csr -out ../server/certs/server.crt
Then follow the same steps that we did while making the certificate for sub-ca
Now check the backup copy of the certificate that we issued
ls newcerts
Now we might also depend on server with which we are going to use the certificate server.crt for which we need a chained certificate file that contains full copy of the signing authority and the server.crt
change the directory
cd ../server/certs/
Make the chained certificate
cat server.crt ../../sub-ca/certs/sub-ca.crt > chained.crt
cd ..
Run this command and make sure to write the common name , the name that we added in the certificate.
sudo -- sh -c "echo "127.0.0.2 www.ubuntu.com" >> /etc/hosts"
and then ping the give common name i.e. in my case www.ubuntu.com
ping www.ubuntu.com
sudo openssl s_server -accept 443 -www -key private/server.key -cert certs/server.crt -CAfile ../sub-ca/certs/sub-ca.crt
which will then show this:
So, now we have our listening server .
Now on the other duplicate terminal we will make a web request. Firstly check the last window after applying this code.
IN THE DUPLICATE TERMINAL FIRSTLY USE THIS COMMAND
cd
for changing the directory.
cd
ss -ntl
it will be listening at port 443
then use curl client to make web request.
curl https:www.ubuntu.com
which will give output
and is it gives error then firstly try copy the root-ca.crt
into /etc/pki/wupd/LVFS-CA.pem
.. well after pki the files depend on the system.
like this:
sudo cp ca/root-ca/certs/ca.crt /etc/pki/fwupd/LVFS-CA.pem
and then do the update of certificate like this:
sudo update-ca-certificates -v
and then do the curl
command and the output will be the same.
Hence , we can say that it is working.
Everything is done now , close all of the terminals.
This is how certificate authority is set up and certificates are made.