In this article, I will show you how to create your own Certificate Authority (CA) and sign self-signed certificates. I will be generating certificates for my site infimantra.com.
Tasks
- In this article, we will create our own Certificate Authority (CA) and sign certificates for our internal domains.
- We will first create an internal CA to sign certificates for the other internal domains. The CA will have its own certificate, which we will have to add to the certificate store (browser or system) for testing.
- We will create a wildcard self-signed certificate for the domain *.infimantra.com. The certificate will be signed by our internal CA.
- We will renew the certificate of the domain *.infimantra.com.
- You will have to replace my domain with yours.
Reference
https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
Create the CA’s own self-signed certificate
Create a file ca.conf with the contents given below. This file will be used to generate the certificate for the CA. For details about the options in the ca.conf file follow the links mentioned in the reference section of this page.
[ req ]
default_bits = 2048
default_keyfile = ca.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions

[ ca_distinguished_name ]
C=IN
ST=Karnataka
L=Bangalore
O=InfiMantraOrgCA
OU=InfiMantraOrgCA
CN=InfiMantraOrgCA

[ ca_extensions ]
keyUsage=critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints=critical,CA:TRUE
extendedKeyUsage=critical,serverAuth
subjectKeyIdentifier = hash
Run the command given below to create a certificate for the CA which will be valid for 10 years (3650 days).
$ openssl req -new -x509 -days 3650 -config ca.conf -out ca.crt
$ ls
ca.conf ca.crt ca.key
You now have three files:
- ca.conf: the configuration file created above
- ca.crt: the CA's own certificate
- ca.key: the private key for the CA certificate
Next, create a file sign.ca.conf with the contents given below. This file will be used to sign client certificates. For more details about the options in the sign.ca.conf file follow the links mentioned in the reference section of this page.
[ ca ]
default_ca = org_ca

[ org_ca ]
serial = ./serial
database = ./index.txt
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
policy = ca_policy

[ ca_policy ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
Initialise the files and folders required for the signing procedure:
$ echo '01' > serial
$ touch index.txt
$ mkdir newcerts
Your directory structure should look like below.
$ ls
ca.conf ca.crt ca.key index.txt newcerts serial sign.ca.conf
Create CSR for the client certificate
Create a file infimantra.com.conf with the contents given below. This file will be used to generate the CSR for the client certificate. For details about the options in the infimantra.com.conf file follow the links mentioned in the reference section of this page.
[ req ]
default_bits = 2048
default_keyfile = infimantra.com.key
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name = infimantra_req_distinguished_name
req_extensions = infimantra_extensions

[ infimantra_req_distinguished_name ]
C=IN
ST=Karnataka
L=Bangalore
O=InfiMantra Org
OU=InfiMantra Org
CN=infimantra.com

[ infimantra_extensions ]
keyUsage=critical, digitalSignature, keyEncipherment
basicConstraints=critical,CA:FALSE
extendedKeyUsage=critical,serverAuth
subjectAltName=@infimantra_subject_alt_names
subjectKeyIdentifier = hash

[ infimantra_subject_alt_names ]
DNS.1 = *.infimantra.com
DNS.2 = infimantra.com
Generate the client Certificate Signing Request (CSR):
$ openssl req -new -out infimantra.com.csr -config infimantra.com.conf
$ ls infimantra*
infimantra.com.conf infimantra.com.csr infimantra.com.key
Sign the client’s certificate
Now we sign the client certificate using the client CSR and the CA's sign.ca.conf. The -extfile and -extensions options tell openssl ca to put the infimantra_extensions section (including the subjectAltName) into the issued certificate; by default openssl ca does not copy extensions from the CSR.
$ openssl ca -config sign.ca.conf -extfile infimantra.com.conf -extensions infimantra_extensions -out infimantra.com.crt -infiles infimantra.com.csr
$ ls infimantra*
infimantra.com.conf infimantra.com.crt infimantra.com.csr infimantra.com.key
The client's certificate is stored in the file infimantra.com.crt. We can use the openssl command to inspect it.
$ openssl x509 -in infimantra.com.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=InfiMantraOrgCA, OU=InfiMantraOrgCA, CN=InfiMantraOrgCA
        Validity
            Not Before: Jul  9 18:05:36 2022 GMT
            Not After : Jul  9 18:05:36 2023 GMT
        Subject: C=IN, ST=Karnataka, O=InfiMantra Org, OU=InfiMantra Org, CN=infimantra.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e7:f7:f0:99:98:a2:86:e9:a0:78:9c:e8:3e:25:
                    bd:33:87:88:05:c2:7f:39:0c:1d:2c:80:ad:bd:26:
                    f6:c9:41:5e:df:75:51:d1:d6:dc:ed:3a:c1:e2:be:
                    9b:c6:96:55:5b:52:da:ec:d4:de:31:12:0f:45:ab:
                    7c:82:78:b4:10:62:8a:aa:84:60:48:86:95:78:71:
                    f6:8d:ed:98:57:78:12:05:32:f3:db:bb:d1:b2:5c:
                    0e:54:fd:32:33:e3:55:69:63:04:25:ca:4c:59:5f:
                    4e:2d:c8:e1:ab:5d:4d:d5:f3:e0:48:3c:37:da:fb:
                    d5:8b:23:d1:38:2a:8c:8e:85:4b:0f:cf:72:4b:2a:
                    f3:66:e1:1a:20:87:9c:60:53:1b:be:de:43:b9:83:
                    41:77:c1:19:d7:7a:aa:94:54:90:85:68:a9:89:05:
                    a2:9e:a0:e4:0f:af:c1:e0:4e:6c:8a:37:e1:84:7c:
                    55:84:21:1e:3e:84:0b:52:29:de:83:6b:bf:e4:90:
                    30:00:f7:c3:13:92:26:8c:c9:a4:6a:31:b6:da:da:
                    2e:09:47:b7:96:39:79:e1:6a:a2:e8:e5:cb:09:b1:
                    e4:7f:b8:13:0c:75:e8:92:99:fd:c8:09:83:e3:03:
                    01:ea:ff:87:c1:a5:de:ac:9e:a1:14:ec:81:70:56:
                    e9:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:*.infimantra.com, DNS:infimantra.com
            X509v3 Subject Key Identifier:
                C2:4B:A3:D4:BF:99:31:18:23:E7:05:F1:14:11:9E:C2:D6:84:95:1F
    Signature Algorithm: sha256WithRSAEncryption
         79:58:c7:b6:a8:83:b9:de:ce:6a:04:ee:e2:9e:2d:bf:ab:3e:
         fd:62:53:6f:dd:3b:3a:0f:ce:3a:8f:f3:80:6d:de:45:e5:c2:
         4b:61:c2:90:8b:0a:46:96:36:6c:a6:a7:f8:5f:74:d5:f0:22:
         98:2d:0b:bc:25:df:3a:53:8e:9a:a0:d7:b6:98:45:29:03:0c:
         e8:c6:d1:3f:e4:94:03:a4:2c:a4:53:69:2a:a7:f2:da:78:b0:
         0e:62:fc:0b:77:15:e7:99:4f:0f:9a:65:2f:24:20:41:70:ad:
         4d:c2:42:e9:ad:09:f5:14:11:c9:7d:cf:e7:09:61:a8:3e:0f:
         4a:56:bb:2f:d8:74:ac:5d:17:9f:ff:08:41:48:a7:ee:3d:15:
         51:73:ce:b6:66:b9:29:77:61:1a:30:e4:3f:e6:76:65:49:df:
         d4:fc:db:6c:ec:29:61:25:5f:09:aa:b0:5e:0e:e1:56:e6:b7:
         dc:98:31:a5:75:0f:fe:80:f1:99:92:cd:8a:41:ad:44:17:74:
         07:c3:65:90:67:73:7d:ac:b2:0d:f0:93:67:77:a4:1b:d5:d5:
         d5:58:4e:97:95:f3:ba:8e:82:0d:e2:fd:5d:8c:7e:aa:b2:81:
         c1:29:47:9d:fa:20:21:48:07:16:65:73:20:e8:6a:49:13:a0:
         b2:91:7b:05
The certificate is valid until Jul 9 18:05:36 2023 GMT (1 year validity). Similarly, we can inspect the CA certificate (ca.crt), which is valid for 10 years. Another thing to note is the serial file: openssl ca increments its value by 1 after each signing. Serial Number: 1 (0x1) was used for the wildcard client certificate, so the next certificate will get serial 02.
$ cat serial
02