This repository contains several OpenSSL CA templates for a two-tiered Certification Authority.
This work is in an alpha stage! A test suite that uses certlint to validate the generated certificates is being worked on (we are hitting some edge cases we need to cross-check). For now, use these templates at your own risk.
- Open the configuration files and edit them where the comments ask you to do so.

- Generate the root CA by running the following commands:

  ```sh
  mkdir -p root{,/newcerts}
  echo 01 >root/crlserial
  echo 01 >root/serial
  touch root/index{,.attr}
  ROOTCASERIAL=$(cat /dev/urandom | tr -dc 'A-F0-9' | fold -w 16 | head -n 1)
  openssl req -config openssl_root_ca.cnf -x509 -newkey rsa:4096 -sha256 -keyout root/rootca.pvk -out root/rootca.cer -days 3650 -set_serial 0x$ROOTCASERIAL -extensions root_ca_extensions
  openssl x509 -in root/rootca.cer -out root/rootca_der.cer -outform DER
  ```

- Generate the intermediate CAs you need by editing the `distinguished_name` setting in `openssl_root_ca.cnf` and running the following commands:

  ```sh
  mkdir -p CANAME{,/newcerts}
  echo 01 >CANAME/crlserial
  echo 01 >CANAME/serial
  touch CANAME/index{,.attr}
  openssl req -config openssl_root_ca.cnf -new -newkey rsa:4096 -sha256 -keyout CANAME/CANAMEca.pvk -out CANAME/CANAMEca.req
  cat /dev/urandom | tr -dc 'A-F0-9' | fold -w 16 | head -n 1 >root/serial
  # Note: manually check that the serial is not already assigned to another certificate in root/index
  openssl ca -config openssl_root_ca.cnf -in CANAME/CANAMEca.req -out CANAME/CANAMEca.cer -policy root_ca_dn_policy -extensions CAEXTENSIONS
  openssl x509 -in CANAME/CANAMEca.cer -out CANAME/CANAMEca_der.cer -outform DER
  ```

  Replace `CANAME` and `CAEXTENSIONS` as follows:

  | For the following CA type... | use this CANAME... | and these CAEXTENSIONS |
  |---|---|---|
  | Personal certificates, e-mail validation | `personal-emailvalidated` | `personal-emailvalidated_ca_certificate_extensions` |
  | Personal certificates, individual validation | `personal-individualvalidated` | `personal-individualvalidated_ca_certificate_extensions` |
  | Personal certificates, organization validation | `personal-organizationvalidated` | `personal-organizationvalidated_ca_certificate_extensions` |
  | Web server certificates, domain validation | `webserver-domainvalidated` | `webserver-domainvalidated_ca_certificate_extensions` |
  | Web server certificates, individual validation | `webserver-individualvalidated` | `webserver-individualvalidated_ca_certificate_extensions` |
  | Web server certificates, organization validation | `webserver-organizationvalidated` | `webserver-organizationvalidated_ca_certificate_extensions` |
  | Web server certificates, Extended Validation | `webserver-extendedvalidation` | `webserver-extendedvalidation_ca_certificate_extensions` |
  | Code signing certificates, individual validation | `codesigning-individualvalidated` | `codesigning_ca_certificate_extensions` |
  | Code signing certificates, organization validation | `codesigning-organizationvalidated` | `codesigning_ca_certificate_extensions` |
  | Code signing certificates, Extended Validation | `codesigning-extendedvalidation` | `codesigning-extendedvalidation_ca_certificate_extensions` |
  | Time stamping certificates | `timestamping` | `timestamping_ca_certificate_extensions` |
  | Time stamping certificates, Extended Validation | `timestamping-extendedvalidation` | `timestamping_ca_certificate_extensions` |

- Generate the certificates you need by running the following commands:

  ```sh
  openssl req -config CAFILE -new -newkey rsa:4096 -sha256 -keyout PVKPATH.pvk -out REQPATH.req
  cat /dev/urandom | tr -dc 'A-F0-9' | fold -w 16 | head -n 1 >CANAME/serial
  # Note: manually check that the serial is not already assigned to another certificate in CANAME/index
  openssl ca -config CAFILE -name CANAME_ca -in REQPATH.req -out CERPATH.cer -subj 'SUBJECTDN'
  # Optionally export the newly generated certificate to a PKCS12 file:
  openssl pkcs12 -export -out PKCS12PATH.p12 -in CERPATH.cer -inkey PVKPATH.pvk -name "FRIENDLYNAME" -certfile CANAME/CANAMEca.cer -caname "FRIENDLYCANAME"
  ```

  Perform the following replacements:

  | Variable | Value |
  |---|---|
  | `CAFILE` | The `.cnf` file containing the configuration for the CA you are using |
  | `PVKPATH` | The path to the private key file you are generating |
  | `REQPATH` | The path to the certificate request file you are generating |
  | `CERPATH` | The path to the certificate file you are generating |
  | `PKCS12PATH` | The path to the `.p12` file you are generating |
  | `CANAME` | The CA name, see step 2 (the table of intermediate CA names above) |
  | `SUBJECTDN` | The DN of the subject you are issuing the certificate to, e.g. `/C=IT/O=Sample Organization/CN=Sample Subject`. See the policy sections in each `.cnf` file for the DN fields you will need to include for each certificate type |
  | `FRIENDLYNAME` | The "friendly name" for the certificate subject (usually, the CN field of the DN) |
  | `FRIENDLYCANAME` | The "friendly name" for the CA certificate subject (usually, the CN field of the DN) |
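Both the intermediate CA step and the leaf certificate step above write a random serial into the CA's `serial` file and then ask you to check by hand that it is not already listed in that CA's `index`. Serial numbers must be unique per issuer, so a collision means the certificate has to be reissued. The POSIX shell functions below, added here as an example and not part of this repository's templates, automate that check: they draw a 64-bit serial, look it up in the index, and only then write it to the `serial` file. They assume OpenSSL's index file layout (tab-separated: status, expiry, revocation date, serial, filename, subject, so the serial is the fourth field) and the directory layout used above (`index` and `serial` directly inside the CA directory); the function names are my own, and `od` is used instead of the `tr`/`fold` pipeline so that exactly 8 random bytes are read.

```sh
# Added example (not part of this repository): pick a random 64-bit serial for the next
# "openssl ca" run and make sure it is not already recorded in the CA's index file,
# replacing the manual check in the steps above.
# Assumptions: OpenSSL index layout (tab-separated, serial in field 4) and a CA directory
# that holds "index" and "serial" directly, as in the steps above. Function names are mine.

# Print one random 16-hex-digit (64-bit) upper-case serial. Reads exactly 8 bytes from
# /dev/urandom with od, so no process in the pipeline is cut off by SIGPIPE.
random_serial() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Exit 0 if SERIAL (hex, either case) already appears in INDEXFILE, 1 otherwise.
# A missing index means nothing has been issued yet, so nothing can collide.
serial_in_index() {
    serial=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    indexfile=$2
    [ -f "$indexfile" ] || return 1
    cut -f4 "$indexfile" | tr 'a-f' 'A-F' | grep -qx "$serial"
}

# Print a serial that does not yet appear in INDEXFILE. A colliding candidate is
# discarded and a new one drawn; give up after a bounded number of attempts.
fresh_serial() {
    indexfile=$1
    tries=0
    while [ "$tries" -lt 10 ]; do
        candidate=$(random_serial)
        if [ "${#candidate}" -eq 16 ] && ! serial_in_index "$candidate" "$indexfile"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "no unused serial found after $tries attempts" >&2
    return 1
}

# Write a fresh serial into CADIR/serial so the next "openssl ca -config ..." invocation
# for that CA uses it, and echo the chosen value.
# Usage: set_next_serial root      (before signing an intermediate CA request)
#        set_next_serial CANAME    (before signing a leaf certificate request)
set_next_serial() {
    cadir=$1
    serial=$(fresh_serial "$cadir/index") || return 1
    printf '%s\n' "$serial" >"$cadir/serial"
    printf '%s\n' "$serial"
}
```

Call `set_next_serial root` in place of the `cat /dev/urandom ... >root/serial` line when signing an intermediate CA request, and `set_next_serial CANAME` in place of the corresponding line when issuing a leaf certificate; the `openssl ca` command that follows is unchanged, since it still reads the next serial from the `serial` file.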