Creating a private CA and issuing digital certificates

In the previous article, In-depth Understanding of PKI System and Digital Certificate introduced the basic components of PKI system and the main role of CA certification center, as well as the basic standard of X.509 certificate. Today, we continue to apply the theoretical knowledge we have learned to build a set of our own PKI/CA digital certificate trust system.

Digital Certificate Generation Tools

There are two common tools for generating RSA public-private key pairs:

Note: Some cases only need public-private key pairs and do not need digital certificates, such as private SSH services, but for some cases that require authentication, the public key needs to be digitally signed to form a digital certificate.

ssh-keygen
openssl genrsa

In fact, ssh-keygen also uses the library provided by openssl to generate key pairs.

ssh-keygen

For example, to generate a 2048-bit RSA key pair using ssh-keygen, simply execute the following command.

$ ssh-keygen -b 2048 -t rsa -f foo_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in foo_rsa.
Your public key has been saved in foo_rsa.pub.
The key fingerprint is:
b8:c4:5f:2a:94:fd:b9:56:9d:5b:fd:96:02:5a:7e:b7 user@oasis
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|     . +         |
|      * S .  . ..|
|     o o + +. o o|
|      o o *..  oo|
|       . ..o o.oo|
|         .. . oE.|
+-----------------+

where -b specifies the number of key bits, usually 2048 or more, and -t specifies the key type, such as rsa/dsa/ecdsa.

Note: If the key pair is used for ssh, then the private key is conventionally named id_rsa and the corresponding public key is id_rsa.pub, which can then be appended to the remote host’s .ssh/authorized_key trusted list using the ssh-copy-id command.

`1`	`$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@mc-lnx`

The default generated key pair is in RFC 4716/SSH2 format and can be transferred to PEM format for use by other programs.

$ ssh-keygen -f id_rsa.pub -e -m pem
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

where -m specifies the converted format and supports RFC4716/PKCS8/PEM.

openssl

openssl is a powerful secure socket layer cryptographic library toolkit, the whole package can be roughly divided into three main functional parts.

cryptographic algorithm library
common key and certificate encapsulation management functions
SSL communication API interface
rich applications for testing or other purposes

The following functions can be accomplished using the openssl development kit.

create RSA, DH, DSA key parameters
generate X.509 certificate, certificate signing request (CSR) and CRL (certificate recovery list)
calculate message digest (Digest)
use various Cipher encryption/decryption
SSL/TLS client and server testing
handling S/MIME or encrypted messages

openssl provides many different commands, and each subcommand has many options and parameters, which are not listed in detail here.

Digital certificate generation process

Using openssl this package can complete the CA construction, SSL certificate from generation to issuance of the whole process, when using openssl command, you need to remember the following points.

there are many file extensions in the generation process (.crt, .csr, .pem, .key, etc.), although it is said that the extensions do not have any mandatory binding effect, what is important is which command the file is generated by and what format its content is. The use of these specific file extensions is just to follow certain conventions and specifications that can be understood at a glance.
there is some functional overlap between the commands of openssl, so we will find that the same purpose (e.g. SSL certificate generation) can often be accomplished using seemingly different sets of commands.
the most important thing to understand CA and SSL certificate is not to remember these openssl commands, but to understand the operation mechanism of CA and the function of openssl commands, so as to understand the whole process from the principle.

Create CA root certificate

CA root certificate is an important part of PKI system. To establish a tree-like trusted system, firstly, CA itself needs to show its identity and establish the root of the tree, and other intermediate certificates rely on the root to issue certificates and establish trust relationship with each other through the root certificate. CA certificate is composed of private key (Root Key) and public key (Root Cert). CA root certificate does not directly issue server certificate and client certificate, but is only used to issue one or more intermediate certificates, and the intermediate certificate issues certificates to users and servers as proxy of CA root certificate. At the same time, in order to ensure the reliability of CA root certificate, the private key (Root Key) corresponding to CA root certificate should be offline and safely stored.

1. Create the private key storage directory for the CA root certificate

Select a directory for storing all private and public keys.

`1`	`$ mkdir /root/ca`

Create a directory structure that generates index.txt and serial files, which are used as a file database to track previously issued certificates.

$ cd /root/ca
$ mkdir certs crl newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial

certs holds the issued certificates
newcerts holds the new certificate generated by the CA
private for private keys
crl for revoked certificates
index.txt Defines the text database file for certificates issued using openssl, which is usually empty when initialized
serial The serial number reference file used when issuing the certificate, the serial number in this file is a hexadecimal number and must be provided and include a valid serial number when initializing

2. Create the profile for the CA root certificate

Create a configuration file for the CA root certificate for openssl, saved in /root/ca/openssl.cnf, where the [ ca] section is required to tell openssl the configuration information to use for the root certificate.

1
2
3

[ ca ]
# `man ca`
default_ca= CA_default

Configure the base information for the root certificate in the [ CA_default ] section.

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
 
# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem
 
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
 
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

Create a root certificate signing policy to be used as the root certificate for issuing intermediate CA certificates only.

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Create a relatively loose certificate signing policy for the intermediate CA certificate, and the intermediate CA certificate can issue certificates for third-party end users and servers.

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

The [ req] section mainly defines the default options when creating certificates and certificate requests.

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
 
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

The [ req_distinguished_name ] section defines information descriptions and default values commonly used when generating certificate requests.

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
 
# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
#organizationalUnitName_default =
#emailAddress_default           =

In openssl, in addition to configuring the basic necessary information, there are a number of extensible options available for certificate issuance.

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Define the extended options for intermediate CA certificate issuance, where pathlen:0 is to ensure that the intermediate CA certificate cannot issue new intermediate CA certificates.

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

The [ user_cert] section constrains the policy for issuing client certificates, which are typically used for user authentication.

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

In the [ server_cert ] section, the certificate issuance policy when issuing server certificates is defined.

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

The [ crt_ext ] section is used to define the policy when creating a certificate revocation list CRL.

1
2
3

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

Define the online certificate usage policy ocsp .

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

3. Create root certificate private key

The generated root certificate private key must be absolutely secure and protected with aes-256 encryption and a strong cipher.

$ cd /root/ca
$ openssl genrsa  -aes256 -out private/ca.key.pem 4096
Enter pass phrase for ca.key.pem: secretpassword 
Verifying - Enter pass phrase for ca.key.pem: secretpassword

$ chmod 400 private/ca.key.pem

genrsa Generate the private key using RSA algorithm
-aes256 encrypt the private key using the AES algorithm with a 256-bit key
-out output file directory
-4096 Specify the length of the key

4. Create root certificate

Create a root certificate (ca.cert.pem) using the root certificate private key (ca.key.pem). You need to specify a long validity period for the root certificate; once the root certificate expires, all its issued certificates will be unusable. When using the req command, you must specify a configuration file with -config, otherwise the program defaults to the /etc/pki/tls/openssl.cnf configuration file.

$ cd /root/ca
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for ca.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name []:England
Locality Name []:
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Certificate Authority
Common Name []:Alice Ltd Root CA
Email Address []:
$ chmod 444 certs/ca.cert.pem

5. Validate the issued root certificate

`1`	`$ openssl x509 -noout -text -in certs/ca.cert.pem`

The following information needs to be confirmed.

Confirmation of the signature algorithm used in Signature Algorithm
Confirm the validity of the certificate in Validity
Confirm the length of the Public-Key
Confirm the issuer information described by Issuer
Confirm the certificate holder information specified by Subject, but note that the root certificate is a self-signed certificate, so Subject is the same as Issuer information

6. Create intermediate CA certificate key pair

Intermediate CA certificate is used to issue client certificate and server certificate instead of root certificate, and root certificate is responsible for issuing intermediate CA certificate and maintaining the trusted certificate chain. The use of intermediate certificate is mainly for security consideration because the private key of the root certificate corresponding to the root certificate always handles physical isolation and can guarantee the absolute security of the private key, and after the leakage of the private key of the intermediate CA certificate, the certificate can be revoked by the root certificate and a new intermediate certificate key pair can be reissued.

7. Create intermediate CA certificate directory structure

As with the root certificate class, we need to create a directory for the intermediate CA certificate to store the certificate. Here we save all the contents of intermediate certificate under /root/ca/intermediate directory and create a directory structure similar to the root certificate.

$ mkdir /root/ca/intermediate
$ cd /root/ca/intermediate
$ mkdir certs crl newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial

Under the intermediate CA certificate directory, create a new text file named crlnumber to save the certificate revocation list.

`1`	`$ echo 1000 > /root/ca/intermediate/crlnumber`

Create the issuing configuration file of intermediate CA certificate and save the configuration file of intermediate CA certificate in /root/ca/intermediate/openssl.cnf, which modifies the saving directory of certificate compared with the root certificate configuration file.

[ CA_default ]
dir             = /root/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
policy          = policy_loose

The complete configuration file reads as follows.

# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.
 
[ ca ]
# `man ca`
default_ca = CA_default
 
[ CA_default ]
# Directory and file locations.
dir               = /root/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
 
# The root key and root certificate.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem
 
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
 
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose
 
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
 
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca
 
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
 
# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =
 
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
 
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
 
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
 
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

8. Generate intermediate CA certificate private key

Create intermediate certificate private key, encrypted with AES-256.

1
2
3

$ cd /root/ca
$ openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
$ chmod 400 intermediate/private/intermediate.key.pem

9. Generate intermediate CA certificate signing request

Use intermediate.key.pem for generating intermediate CA certificate signing request and use the root certificate to sign the certificate at the same time. Note that Common Name cannot be duplicated. If you use intermediate CA to issue server certificate and client certificate, you need to specify the configuration file intermediate/openssl.cnf.

1
2

$ cd /root/ca
$ openssl req -config intermediate/openssl.cnf -new sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem

10. Use root certificate to generate intermediate CA certificate

Use the root certificate to issue the intermediate CA certificate and specify the v3_intermediate_ca extended attribute for it to issue the certificate and confirm the use of openssl.cnf of the root certificate to issue the intermediate certificate, and note that the expiration date of the intermediate CA certificate is shorter than that of the root certificate.

1
2
3

$ cd /root/ca
$ openssl ca -config openssl.cnf -extenstions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
$ chmod 444 intermediate/certs/intermediate.cert.pem

Note: index.txt is the file database of openssl, do not modify or delete the file directly.

11. Verify the content of intermediate CA certificate

`1`	`$ openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem`

Use the root certificate to verify the certificate chain trust relationship of the intermediate certificate, OK means the certificate chain is trusted.

1
2

$ openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
intermediate.cert.pem: OK

12. Create certificate chain file

When an application attempts to verify the validity of an issued certificate, it attempts to verify the intermediate CA certificate and the parent root certificate. In the certificate chain file, both the root certificate and the intermediate certificate must be included, because the client does not know the root certificate of the intermediate CA certificate used to issue the certificate, and the root certificate can be imported to the trusted root certificate authority in all clients that need access, so that the certificate issued by that CA is fully trusted and only the intermediate CA certificate is specified in the certificate chain file.

1
2

$ cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
$ chmod 444 intermediate/certs/ca-chain.cert.pem

Issuing server certificates and client certificates

Next, we will use the intermediate CA certificate to issue a certificate for the server, which is used to encrypt the data communication between the server and the client. If a certificate issuance request (CSR) has already been created at the server using openssl, the process of creating the private key for the server certificate can be skipped.

1. Create server certificate private key

In the creation of intermediate CA certificate and root certificate, 4096bit cipher encryption is used, and server and client certificates are generally valid for several years, and 2048bit encryption can be used. Although 4096bit cipher is more secure, it will slow down the access speed when the server performs TLS handshake and digital signature verification, so it is generally recommended to use 2048Bit cipher encryption for web servers. If you set a password when you create a private key, you will need to provide this password every time the service restarts, so it is not recommended to set password protection for server certificates, and you can use the aes256 cryptographic algorithm for encryption.

1
2
3

$ cd /root/ca
$ openssl genrsa -aes256 -out intermediate/private/mc.cn.key.pem 2048
$ chmod 400 intermediate/private/mc.cn.key.pem

2. Create a server certificate issuance request

Use the created server private key to generate certificate issuance request. The csr file of certificate issuance request does not need to specify intermediate CA certificate authority, but must specify Common Name, which is usually domain name or IP address.

1
2

$ cd /root/ca
$ openssl req -config intermediate/openssl.cnf -new -sha256 -days 365 -key intermediate/private/mc.cn.key.pem -out intermediate/csr/mc.cn.csr.pem

3. Create a server certificate from a certificate issuance request

$ cd /root/ca
$ openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/mc.cn.cert.pem \
      -out intermediate/certs/mc.cn.cert.pem 
$ chmod 444 intermediate/certs/mc.cn.cert.pem

Note: When issuing a certificate, the -extensions option is used to specify the type of certificate to be issued, usually server_cert for server certificates and usr_cert for client certificates. After the certificate is issued, a new record will be added to the intermediate/index.txt file.

4. View issued certificates

`1`	`$ openssl x509 -noout -text -in intermediate/certs/mc.cn.cert.pem`

Use CA certificate chain to verify the trust relationship of the issued certificate.

`1`	`$ openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/mc.cn.cert.pem`

5. Deployment Certificates

After the certificate is issued, the certificate can be deployed on the application server.

Summary

At this point, we have completed the whole process of creating private certificate center, intermediate certificate, certificate chain and issuing digital certificate. In actual use, we will also face the problem of certificate expiration rotation, including the renewal of application certificate, intermediate certificate and root certificate. For the application certificate and intermediate certificate rotation update is not a big problem, the main thing is how to update the root certificate, because once the root certificate is updated, so the certificates based on the root certificate should be updated. When performing root certificate update, the certificate center generates a new pair of secret key pair and root certificate, and then uses the new private key to generate an intermediate certificate for the old public key signature, and uses the old private key to generate another intermediate certificate for the new public key signature. In this way, both the new root certificate and the intermediate certificate issued by the old root certificate can be used normally during the update, thus realizing a smooth upgrade transition of the old and new root certificates.

Table of Contents