OpenSSL Certificate Authority Setup

CA Setup | Exporting CA Certificate | Certificate Creation | Certificate Revocation

How to create a local Certificate Authority (CA) using OpenSSL. In contrast to commercial third party CA providers, a local CA is free, and ideal for services not offered to the public. Consider also the free certificate provider, cacert.org.

The custom root CA certificate must be installed on each client system that will use the service. If only internal systems with automated configuration need be supported, installing a custom root certificate is trivial. When many unmanaged systems are involved, purchase certificates from a commercial third party CA.

The level of security for a custom CA depends on the site and what the encryption is being used to protect. A personal site could simply store the CA in an encrypted file. A larger organization with different subgroups should consider a CA for each subgroup (accounting, development, public systems) on different systems, at minimum.

Certificates must be checked for expiration, to avoid at best browser warnings, and at worst service outages due to expired certificates.

MD5 considered harmful today: Creating a rogue CA certificate details the need to pick, if possible, the strongest cryptographic hash routine possible, and to ensure that old CA certificates are retired after some years.

CA Setup

Creation requires the openssl utility, part of OpenSSL.

$ which openssl
/usr/bin/openssl

  1. Create directory to hold CA support files.
  2. Using a custom area for each CA prevents vendor updates from modifying the configuration and scripts used, and allows customization as required on a per-CA basis.

    The example CA for sial.org is located on an encrypted 512K Unix File System (UFS) disk image created with Disk Copy on Mac OS X. Alternatives include encrypting a tarball of the CA directory with openssl or gpg, and decrypting/unpacking and packing/encrypting as needed.

    # cd /Volumes/sial-ca
    # chmod 700 .

  3. Setup Makefile, openssl.cnf.
  4. Download and customize these files to suit the needs of the CA in question, then run the following to setup the required files and directories.

    Currently, the Makefile and custom openssl.cnf configuration file can only generate a CA, and sign certificate signing requests for certificates, and revoke signed certificates. Certificate Signing Requests (CSR) must be generated using a different openssl.cnf, such as the system-wide one.

    Options must be customized before running the following command, especially the days the various certificates will last for and the x509 attributes (commonName, among others) used in certificates. If running OpenSSL before 0.9.8a, change the -newkey rsa:2048 option to -newkey rsa.

    # make init
    Generating a 2048 bit RSA private key
    .+++
    ...................................................+++
    writing new private key to './private/ca-key.pem'
    -----

    This should create a number of new files and directories that the CA needs to operate properly.

    # ls
    Makefile crl newcerts private
    ca-cert.pem index openssl.cnf serial

    Usually a password is used on the CA private key (stored here in private/ca-key.pem); however, for my needs a single password on the encrypted disk image works well enough, as the system in question is used only by me. To encrypt the private key file, remove the -nodes argument from the openssl command under the init rule in the Makefile before running make init.

Exporting CA Certificate

The CA certificate must be installed on all client systems that will be interacting with certificates signed by the custom CA certificate. The make init step saves this CA certificate data into the ca-cert.pem file by default.

Notes on exporting certificates to clients are available. The Simple SCEP client for Unix (SSCEP) may be worth investigating for the secure issuance of certificates to networked devices.

Certificate Creation

A CA signs CSR sent by clients to produce a certificate. The certificate is returned to the client for use by the application in question.

The Makefile expects CSR to be saved so that they end with *.csr. I use the hostname.csr format, where hostname is the fully qualified hostname used as the common name x509 attribute.

$ cd /Volumes/sial-ca
$ cp /path/to/new-csr mail.example.org.csr
$ ls *.csr
mail.example.org.csr
$ make sign
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok

$ ls mail.example.org*
mail.example.org.cert

The resulting mail.example.org.cert should be returned to the client, and also saved for future use, such as certificate revocation. Certificates are stored under the newcerts directory, though with filenames based on the serial number, not the requesting host.

If, when signing a new request for a host a previous certificate was signed for, OpenSSL fails with an error similar to the following, either set the unique_subject = no option in openssl.cnf (or index.attr), or first revoke the old certificate.

failed to update database
TXT_DB error number 2

Certificate Revocation

If a particular certificate is no longer to be trusted, it can be revoked by the CA. Revocation itself is easy; the hard part is distributing the revocation list to all client applications that use the CA certificate.

A CA should save certificates it signs under the CA directory to ease revocation. Saving the certificates as hostname.cert is one way to do this; a copy of the certificate is also saved under newcerts, though is named after the serial number.

$ openssl x509 -noout -fingerprint < mail.example.org.cert
MD5 Fingerprint=1C:74:0F:3B:43:7C:F6:82:9F:1B:FF:C0:DA:37:E4:77
$ openssl x509 -noout -fingerprint < newcerts/01.pem
MD5 Fingerprint=1C:74:0F:3B:43:7C:F6:82:9F:1B:FF:C0:DA:37:E4:77

  1. Revoke Certificate.
  2. To revoke a certificate using the Makefile, use the following command.

    $ make revoke cert=mail.example.org.cert
    Using configuration from openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    Using configuration from openssl.cnf

    If the certificate only exists under the newcerts directory:

    $ make revoke cert=newcerts/06.pem

  3. Publish the Certificate Revocation List (CRL).
  4. The make revoke command also saves the updated CRL to the ca-crl.pem file. The contents of this file must be distributed and used by all client applications use the CA in question.