Thursday, June 25, 2015

Creating your own CA with OpenSSL and CA.pl

I recently had a situation where I needed to create test certificates for use in unit tests.
The files I'm signing need to be signed by a certificate that is itself signed by a CA with a specific public key.

For this purpose I figured the easiest way to accomplish it was to:

1. Create a CA of my own
2. Create a certificate for the unit tests
3. Sign the certificate using the CA

I will show how I did this using OpenSSL and the CA.pl script that comes with the OpenSSL installation.

Create a new CA
CA.pl -newca

CA certificate filename (or enter to create)

Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
.............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-ca
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ff:65:cb:b3:87:ab:ce:4b
        Validity
            Not Before: Aug 23 08:40:46 2013 GMT
            Not After : Aug 22 08:40:46 2016 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = test-ca
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
            X509v3 Authority Key Identifier:
                keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Aug 22 08:40:46 2016 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

I use all the default options except for the common name and PEM pass phrase.


Creating the test cert
CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............................................................++++++
...........................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-cert
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

I use all the default options except for the common name and PEM pass phrase.

Sign the test cert with the CA
CA.pl -sign

Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ff:65:cb:b3:87:ab:ce:4c
        Validity
            Not Before: Aug 23 08:47:32 2013 GMT
            Not After : Aug 23 08:47:32 2014 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = test-cert
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                99:7F:AD:BE:2F:3C:C5:F4:65:8A:A0:2D:6C:07:23:88:48:25:E5:39
            X509v3 Authority Key Identifier:
                keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E

Certificate is to be certified until Aug 23 08:47:32 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Now newcert.pem is signed by the CA (its private key is still in newkey.pem from the previous step).

PS. If you use the same common name for the CA and the cert, you will get this error:
failed to update database
TXT_DB error number 2
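As an added example (not the post's own commands), here are the three CA.pl steps done with plain openssl calls in a scratch directory, using a minimal config that mirrors CA.pl's demoCA layout; the names test-ca and test-cert, the config and the work directory are constructed for the demo. The unique_subject = yes setting is what produces the TXT_DB error: CA.pl -newca records the CA itself in demoCA/index.txt (the "Write out database with 1 new entries" line above), so a second valid certificate with the same subject is refused.

```shell
# Added example, not the post's code: CA.pl -newca / -newreq / -sign with plain
# openssl commands, plus a check of the duplicate-subject refusal. Names constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p demoCA/newcerts demoCA/private       # CA.pl's demoCA layout
touch demoCA/index.txt; echo 1000 > demoCA/serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = ./demoCA
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_any
x509_extensions = usr_cert
# one valid certificate per subject: the setting behind "TXT_DB error number 2"
unique_subject = yes
[ policy_any ]
commonName     = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage       = keyCertSign, cRLSign
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName     = Common Name
EOF
# 1. CA.pl -newca: self-signed CA certificate (-nodes skips the pass phrase for the demo)
openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=test-ca" \
  -config ca.cnf -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
# 2. CA.pl -newreq: new key and CSR for the given common name
newreq() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
  -config ca.cnf -keyout newkey.pem -out newreq.pem 2>/dev/null; }
# 3. CA.pl -sign: sign the CSR with the CA (-batch answers the y/n prompts)
sign() { openssl ca -batch -notext -config ca.cnf -in newreq.pem -out newcert.pem; }
# Check the result the way a consumer would: does newcert.pem chain to the CA?
verify_chain() { openssl verify -CAfile demoCA/cacert.pem newcert.pem; }
# Number of valid (V) index.txt rows for a subject; stays 1 after a duplicate is refused
count_valid() { grep -c "^V.*/CN=$1\$" demoCA/index.txt || true; }
newreq test-cert && sign 2>/dev/null && verify_chain
```

Running newreq test-cert && sign a second time is refused by openssl ca, and demoCA/index.txt keeps a single V row for /CN=test-cert.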
