CA
From Whitespace (Hackerspace Gent)
(Difference between revisions)
| Line 45: | Line 45: | ||
</pre> | </pre> | ||
* check index.txt (= the CA db) | * check index.txt (= the CA db) | ||
| + | |||
| + | == Sign client cert == | ||
| + | * Change openssl.cnf to client settings: | ||
| + | <pre> | ||
| + | $ vi ./openssl.cnf | ||
| + | nsCertType = client, email | ||
| + | extendedKeyUsage=clientAuth | ||
| + | </pre> | ||
| + | * Sign the certificate: | ||
| + | <pre> | ||
| + | $ openssl ca -in 0x20-client.csr -cert ca-0x20-cert.pem -keyfile \ | ||
| + | private/ca-0x20-key.pem -out 0x20-client.cert -config ./openssl.cnf | ||
| + | </pre> | ||
== Create a CRL == | == Create a CRL == | ||
Revision as of 15:46, 11 April 2012
| CA |
|---|
|
| What: |
| 0x20 Certificate Authority CA |
| Participants: |
| Jaroslov |
| Locations: |
| Whitespace |
|
Contents |
0x20 Certificate Authority
- CA with OpenSSL
- all flat files in 1 directory
- can easily be stored/transported on an encrypted filesystem
- Used for OpenVPN authentication
openssl.cnf
Check the openssl.cnf file with the 0x20 specific values:
- root ca is valid for 15 years
- certificates are valid for 5 years
- DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
- nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
- extendedKeyUsage=serverAuth (server certs)
- extendedKeyUsage=clientAuth (client certs)
Create a CA
$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout \ private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf
Sign server cert
- Change openssl.cnf to server settings:
$ vi ./openssl.cnf nsCertType = server extendedKeyUsage=serverAuth
- If needed create the key and the csr (certificate signing request):
$ openssl genrsa -aes256 -out 0x20-servername.key 2048 $ openssl req -new -key 0x20-servername.key -nodes -out 0x20-servername.csr
- Sign the certificate:
$ openssl ca -in 0x20-servername.csr -cert ca-0x20-cert.pem -keyfile \ private/ca-0x20-key.pem -out 0x20-servername.cert -config ./openssl.cnf
- check index.txt (= the CA db)
Sign client cert
- Change openssl.cnf to client settings:
$ vi ./openssl.cnf nsCertType = client, email extendedKeyUsage=clientAuth
- Sign the certificate:
$ openssl ca -in 0x20-client.csr -cert ca-0x20-cert.pem -keyfile \ private/ca-0x20-key.pem -out 0x20-client.cert -config ./openssl.cnf
Create a CRL
$ openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf
- (first time you need to populate the crlnumber file: $ echo "01" > crlnumber)
Revoke a certificate
- Check the certificates in newcerts/
- Revoke the needed one:
$ openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf
- distribute the crl where needed.
