Basic Certificate Authority (CA) instructions

Being a CA is not as cumbersome as you may think. This explanation shows how to do it, with only openssl installed.

CREATE CA

1. mkdir -p demoCA/newcerts; echo '01' > demoCA/serial; touch demoCA/index.txt (the directories must match the dir and new_certs_dir settings in your ca.cnf; demoCA/newcerts is openssl's default layout)
2. Save ca.cnf and update cRLDistributionPoints.
3. Generate the secret key and the public certificate for your CA.
openssl req -config ca.cnf -extensions ca_cert -sha256 -new -x509 -newkey rsa:2048 -days 3660 -keyout ca-key.pem -out ca-crt.pem
4. Install ca-crt.pem in browsers (CA-cert-install in InCA)

If your self-signed cert is about to expire, do:
1. openssl x509 -x509toreq -in ca-crt.pem -signkey ca-key.pem -out ca-crt.req
2. mv ca-crt.pem ca-crt.pem.old
3. openssl x509 -req -extfile ca.cnf -extensions ca_cert -sha256 -signkey ca-key.pem -in ca-crt.req -days 3660 -set_serial 0 -out ca-crt.pem

GENERATE USER CERT

1. Make request in browser (user-cert-request in InCA)
2. Mail the request to the CA
3. Install the email cert in the browser (user-cert-install if it's your own cert, email-cert-install for other users' certs)

GENERATE SERVER CERT

1. openssl req -config ca.cnf -new -sha256 -noenc -out crt.req -keyout crt.key
   (-noenc is the OpenSSL 3 spelling of -nodes; older releases need -nodes)
   or, for an Ed25519 key: openssl genpkey -algorithm ed25519 -out crt.key
   followed by openssl req -config ca.cnf -new -sha256 -noenc -out crt.req -key crt.key
2. Mail crt.req to CA
3. Move crt.key and the signed crt.pem to the appropriate files (for example in /etc/httpd/conf/ssl/)
3b. To convert to a PKCS#12 (.p12) bundle for Windows: openssl pkcs12 -export -in crt.pem -inkey crt.key -certfile ca-crt.pem -out crt.p12

SIGN CERT

1. Normal request (starts with BEGIN CERTIFICATE REQUEST):
openssl ca -config ca.cnf -extensions client_cert -in crt.req -days 732
   or SPKAC request (contains an SPKAC= line):
openssl ca -config ca.cnf -extensions client_cert -spkac crt.req -days 732
1b. for SSL servers (ca-sign.cnf reads the subjectAltName from the SAN environment variable): SAN=DNS:value1,DNS:value2 openssl ca -config ca-sign.cnf -extensions server_cert -in crt.req -days 732
1c. for OCSP servers: -extensions ocsp_cert
1d. for TSA servers: -extensions tsa_cert
2. Mail the signed cert to the user (openssl ca writes it to the new_certs_dir as <serial>.pem, so 01.pem for the first one)

REVOKE CERT

1.a key compromise: openssl ca -config ca.cnf -crl_compromise YYYYMMDDHHMMSSZ -revoke 01.pem (-crl_compromise takes the time of the compromise as a GeneralizedTime argument)
1.b CA compromise: openssl ca -config ca.cnf -crl_CA_compromise YYYYMMDDHHMMSSZ -revoke 01.pem
1.c new cert (rekeying): openssl ca -config ca.cnf -crl_reason superseded -revoke 01.pem
1.d cert not relevant anymore: openssl ca -config ca.cnf -crl_reason affiliationChanged -revoke 01.pem (or -crl_reason cessationOfOperation)
2. openssl ca -config ca.cnf -gencrl -crldays 183 -out inoaca.crl -crlexts crl_ext
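Added example (not the page's or InCA's own code): one shell script that runs the CREATE CA, GENERATE SERVER CERT, SIGN CERT and REVOKE CERT steps above end to end and checks each outcome with openssl verify. The ca.cnf it writes is an assumed minimal one using the section names the page refers to (ca_cert, server_cert, crl_ext); the host names are constructed.

```shell
# Assumed ca.cnf (not the page's own) using the section names the page refers to.
# ${ENV::SAN} is expanded when the file is loaded, so SAN must be set for every
# command that reads this file; the page sidesteps this with a separate ca-sign.cnf.
write_ca_cnf() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = ./ca-crt.pem
private_key = ./ca-key.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo CA
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = ${ENV::SAN}
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}
# Whole life cycle inside directory $1 (subshell body, so cd/export do not leak).
# Returns 0 only if the cert verifies before revocation and is rejected afterwards.
ca_demo() (
  set -e
  cd "$1" && export SAN='DNS:www.example.test,DNS:example.test'   # constructed SAN
  write_ca_cnf
  mkdir -p demoCA/newcerts && echo '01' > demoCA/serial && touch demoCA/index.txt
  openssl req -config ca.cnf -extensions ca_cert -sha256 -new -x509 -newkey rsa:2048 -nodes -days 3660 -keyout ca-key.pem -out ca-crt.pem   # CREATE CA 3 (-nodes = pre-3.0 -noenc)
  openssl req -config ca.cnf -new -sha256 -nodes -subj '/CN=www.example.test' -out crt.req -keyout crt.key   # GENERATE SERVER CERT 1
  openssl ca -config ca.cnf -batch -extensions server_cert -in crt.req -days 732 -notext -out crt.pem   # SIGN CERT 1b; copy lands in demoCA/newcerts/01.pem
  openssl verify -CAfile ca-crt.pem crt.pem >/dev/null
  openssl ca -config ca.cnf -crl_reason superseded -revoke demoCA/newcerts/01.pem   # REVOKE CERT 1.c
  openssl ca -config ca.cnf -gencrl -crldays 183 -out ca.crl -crlexts crl_ext        # REVOKE CERT 2
  ! openssl verify -CAfile ca-crt.pem -crl_check -CRLfile ca.crl crt.pem >/dev/null 2>&1
)
```

Run it as `ca_demo "$(mktemp -d)"`; the exit status is 0 only when the revoked certificate is rejected with the CRL and accepted without it.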

This page is maintained by Frederik Vermeulen.
Neither I nor anyone related to this webserver is responsible or liable for the consequences of using this information.