Create OpenSSL CA (Certificate Authority) for Dev/Test Purposes


How to create a non-production, highly insecure CA for dev/test purposes.

Create Basic Framework

touch openssl-ca.cnf openssl-client.cnf index.txt serial.txt
echo '01' > serial.txt

There should now be 4 files

  1. index.txt
  2. openssl-ca.cnf
  3. openssl-client.cnf
  4. serial.txt

CA Config File

Edit openssl-ca.cnf and paste in the following minimal config.
The full default config can be found at usr/lib/openssl.cnf.


HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca    = CA_default      # The default ca section

[ CA_default ]

default_days  = 10000        # How long to certify for

base_dir      = .
certificate   = $base_dir/cacert.pem   # The CA certificate
private_key   = $base_dir/cakey.pem    # The CA private key
new_certs_dir = $base_dir              # Location for new certs after signing
database      = $base_dir/index.txt    # Database index file
serial        = $base_dir/serial.txt   # The current serial number

unique_subject = no  # Set to 'no' to allow creation of
                     # several certificates with same subject.

default_crl_days = 30           # How long before next CRL
default_md       = sha256       # Use public key default MD
preserve         = no           # Keep passed DN ordering

x509_extensions = ca_extensions # The extensions to add to the cert

email_in_dn     = no            # Don't concat the email in the DN
copy_extensions = copy          # Required to copy SANs from CSR to cert

####################################################################
[ req ]
default_bits       = 4096
default_keyfile    = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions    = ca_extensions
string_mask        = utf8only

####################################################################
[ ca_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = TH

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Bangkok

localityName                = Locality Name (eg, city)
localityName_default        = Bangkok

organizationName            = Organization Name (eg, company)
organizationName_default    = Test CA Pty Ltd

organizationalUnitName         = Organizational Unit (eg, division)
organizationalUnitName_default = Server Security Research Department

commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA

emailAddress         = Email Address
emailAddress_default = test@example.com

####################################################################
[ ca_extensions ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints       = critical, CA:true
keyUsage               = keyCertSign, cRLSign

####################################################################
[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

####################################################################
[ signing_req ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment

Client Config File

Edit openssl-client.cnf and paste in the following minimal config.


HOME            = .
RANDFILE        = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits       = 2048
default_keyfile    = clientkey.pem
distinguished_name = server_distinguished_name
req_extensions     = server_req_extensions
string_mask        = utf8only

####################################################################
[ server_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = TH

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = BKK

localityName         = Locality Name (eg, city)
localityName_default = Bangkok

organizationName            = Organization Name (eg, company)
organizationName_default    = Test CA Pty Ltd

commonName           = Common Name (e.g. server FQDN or YOUR name)
commonName_default   = Test Client

emailAddress         = Email Address
emailAddress_default = test@example.com

####################################################################
[ server_req_extensions ]

subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

####################################################################
[ alternate_names ]

DNS.1  = test
DNS.2  = test.example.com

There should be 4 files

  • index.txt (Empty)
  • openssl-ca.cnf (Certificate Authority Config)
  • openssl-client.cnf (Client Config)
  • serial.txt (01; this can be any number)

CA: Create Private Key & Self Signed Certificate

openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM -days 3600

Generating a RSA private key
.........................................................++++
.....................................................................++++
writing new private key to 'cakey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [TH]:
State or Province Name (full name) [Bangkok]:
Locality Name (eg, city) [Bangkok]:
Organization Name (eg, company) [Test CA Pty Ltd]:
Organizational Unit (eg, division) [Server Security Research Department]:
Common Name (e.g. server FQDN or YOUR name) [Test CA]:
Email Address [test@example.com]:

Remember this is a highly insecure dev/test CA.

  • The -nodes flag omits the passphrase, so the private key is written unencrypted.
  • -days 3600 makes the cert expire in roughly 10 years.

There should now be two more files

  1. cacert.pem (Self Signed Certificate)
  2. cakey.pem (CA Private Key) (WITHOUT A PASSWORD)

Inspect the CA Self Signed Certificate

openssl x509 -in cacert.pem -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:a4:73:ff:a6:73:a6:94:0b:8a:2b:25:31:69:ff:3c:ca:87:e1:b9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TH, ST = Bangkok, L = Bangkok, O = Test CA Pty Ltd, OU = Server Security Research Department, CN = Test CA, emailAddress = test@example.com
Validity
Not Before: Apr 12 00:26:20 2020 GMT
Not After : Feb 19 00:26:20 2030 GMT
Subject: C = TH, ST = Bangkok, L = Bangkok, O = Test CA Pty Ltd, OU = Server Security Research Department, CN = Test CA, emailAddress = test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
(modulus bytes omitted)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
31:BC:1C:CD:D0:A4:B7:04:1A:72:E5:E0:A9:C1:72:CF:91:B6:B2:71
X509v3 Authority Key Identifier:
keyid:31:BC:1C:CD:D0:A4:B7:04:1A:72:E5:E0:A9:C1:72:CF:91:B6:B2:71
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
(signature bytes omitted)

Inspect the CA Self Signed Certificate for its Purpose/Ability

openssl x509 -purpose -in cacert.pem -inform PEM

Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
(PEM-encoded certificate omitted)

Client: Generate Private Key & Certificate Signing Request (CSR)

openssl req -config openssl-client.cnf -newkey rsa:2048 -sha256 -nodes -out clientcert.csr -outform PEM

Generating a RSA private key
...........................................................................................+++++
.......+++++
writing new private key to 'clientkey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [TH]:
State or Province Name (full name) [BKK]:
Locality Name (eg, city) [Bangkok]:
Organization Name (eg, company) [Test CA Pty Ltd]:
Common Name (e.g. server FQDN or YOUR name) [Test Client]:
Email Address [test@example.com]:

There should be two more files

  1. clientkey.pem (Client Private Key)
  2. clientcert.csr (Certificate Signing Request)

Inspect the CSR (Certificate Signing Request)

openssl req -text -noout -verify -in clientcert.csr

verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = TH, ST = BKK, L = Bangkok, O = Test CA Pty Ltd, CN = Test Client, emailAddress = test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
(modulus bytes omitted)
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
4D:82:23:1B:8E:1F:F0:5C:FC:7B:90:47:2B:1D:D2:8F:E2:0A:D6:A8
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:test, DNS:test.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
(signature bytes omitted)

CA: Sign the CSR

openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out clientcert.pem -infiles clientcert.csr

Using configuration from openssl-ca.cnf
Can't open ./index.txt.attr for reading, No such file or directory
140271812403648:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./index.txt.attr','r')
140271812403648:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TH'
stateOrProvinceName :ASN.1 12:'BKK'
localityName :ASN.1 12:'Bangkok'
organizationName :ASN.1 12:'Test CA Pty Ltd'
commonName :ASN.1 12:'Test Client'
Certificate is to be certified until Aug 29 00:44:19 2047 GMT (10000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

There should be two more files

  1. clientcert.pem (CA Signed Client Certificate)
  2. clientkey.pem (Client Private Key)

Inspect the new Client Certificate

openssl x509 -in clientcert.pem -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TH, ST = Bangkok, L = Bangkok, O = Test CA Pty Ltd, OU = Server Security Research Department, CN = Test CA, emailAddress = test@example.com
Validity
Not Before: Apr 12 00:44:19 2020 GMT
Not After : Aug 29 00:44:19 2047 GMT
Subject: C = TH, ST = BKK, L = Bangkok, O = Test CA Pty Ltd, CN = Test Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
(modulus bytes omitted)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4D:82:23:1B:8E:1F:F0:5C:FC:7B:90:47:2B:1D:D2:8F:E2:0A:D6:A8
X509v3 Authority Key Identifier:
keyid:31:BC:1C:CD:D0:A4:B7:04:1A:72:E5:E0:A9:C1:72:CF:91:B6:B2:71
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:test, DNS:test.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
(signature bytes omitted)

Making the Certificate Authority Trusted

  1. clientcert.pem
  2. clientkey.pem

can be moved to their destination computer; however, the certificate will not be trusted there.
You will need to get cacert.pem into the Trusted Root Certification Authorities part of that machine's certificate store.
How to make your CA certificate trusted?
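Before handing clientcert.pem to another machine it is worth checking what the CA actually issued. The script below is an added example, not part of the original page: it rebuilds the same kind of throwaway CA non-interactively in a temp dir (file names ca.cnf and oops.pem and the function check_leaf_cert are this example's own; -subj and -addext assume OpenSSL 1.1.1 or newer), signs the client CSR once with -extensions signing_req as on the page and once with that flag forgotten, and then checks that a certificate chains to cacert.pem, is not itself a CA, and still carries the SANs that copy_extensions = copy brought over from the CSR.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA built the page's way,
# then a relying-party check of what was issued. Needs OpenSSL 1.1.1+ (-addext).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"; touch index.txt; echo 01 > serial.txt

# Minimal CA config in the page's style. CA_default's x509_extensions points at
# ca_extensions, so anything "openssl ca" signs without -extensions becomes a CA.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
new_certs_dir   = $dir
database        = $dir/index.txt
serial          = $dir/serial.txt
default_days    = 365
default_md      = sha256
unique_subject  = no
x509_extensions = ca_extensions
copy_extensions = copy
[ req ]
distinguished_name = dn
x509_extensions    = ca_extensions
[ dn ]
[ ca_extensions ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:true
keyUsage             = keyCertSign, cRLSign
[ signing_policy ]
commonName = supplied
[ signing_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

# CA key + self-signed cert, then client key + CSR carrying the page's SANs.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Test CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Test Client" -addext "subjectAltName=DNS:test,DNS:test.example.com" \
  -keyout clientkey.pem -out client.csr 2>/dev/null

# Correct signing (as on the page) versus the same CSR signed with -extensions forgotten.
openssl ca -batch -config ca.cnf -policy signing_policy -extensions signing_req \
  -notext -in client.csr -out clientcert.pem
openssl ca -batch -config ca.cnf -policy signing_policy \
  -notext -in client.csr -out oops.pem

# check_leaf_cert CERT CA: returns 0 only if CERT chains to CA, is not a CA itself,
# and carries a SAN (the field browsers match the hostname against).
check_leaf_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$1" -noout -text)
  case $text in *"CA:TRUE"*) return 1 ;; esac
  case $text in *"Subject Alternative Name"*) return 0 ;; esac
  return 1
}
check_leaf_cert clientcert.pem cacert.pem && echo "clientcert.pem: OK"
check_leaf_cert oops.pem cacert.pem || echo "oops.pem: rejected, it was issued as a CA"
```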

Notes

Although you can create certificates for names such as
tld
*.tld
most browsers will not accept them and will report invalid-certificate errors.
A wildcard in the CommonName field also gives errors in some browsers.
It is best to use a three-part CommonName, e.g. host50.domain.tld, and only use three-part wildcards in the SAN section, e.g.
*.domain1.tld
*.domain2.tld
