Revision as of 03:28, 6 November 2011

CA
What:
0x20 Certificate Authority CA
Participants:
Jaroslov
Locations:
Whitespace
Tweet

0x20 Certificate Authority

• CA with OpenSSL
  • all flat files in 1 directory
  • can easily be stored/transported on an encrypted filesystem
• Used for OpenVPN authentication

openssl.cnf

Check the openssl.cnf file with the 0x20 specific values:

• root ca is valid for 15 years
• certificates are valid for 5 years
• DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
• nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
• extendedKeyUsage=serverAuth (server certs)
• extendedKeyUsage=clientAuth (client certs)

Create a CA

• based on http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout \ 
private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf

Sign server cert

• Change openssl.cnf to server settings:

$ vi ./openssl.cnf
nsCertType = server
extendedKeyUsage=serverAuth

• If needed create the key and the csr (certificate signing request):

$ openssl genrsa -aes256 -out 0x20-servername.key 2048
$ openssl req -new -key 0x20-servername.key -nodes -out 0x20-servername.csr

• Sign the certificate:

$ openssl ca -in 0x20-servername.csr -cert ca-0x20-cert.pem -keyfile \
 private/ca-0x20-key.pem -out 0x20-servername.cert -config ./openssl.cnf

• check index.txt (= the CA db)

Create a CRL

$ openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf

• (first time you need to populate the crlnumber file: $ echo "01" > crlnumber)

Revoke a certificate

• Check the certificates in newcerts/
• Revoke the needed one:

$ openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf

• distribute the crl where needed.