Setting up a Private PKI

  • Reference: User GuidesSecurityOpenSSL Cookbook 2nd Edition - 2016.pdf, see section Creating a Private Certification Authority

  • The central component for the PKI is the CA, which is trusted by all other systems in the PKI.

  • We first set up the CA, then the other systems in the PKI.

PKI creation steps

  • Create the CA’s private key. The key file also contains the CA public key, but the public key is only ever shared externally through the CA certificate.

  • We create the CA’s self-signed certificate by generating a CSR for the CA and signing it with the CA’s own key. The CA certificate is required to:

    • be installed in clients’ browsers and other client agents so that they trust the CA

    • sign the certificates of the host systems in the PKI

    • serve as the starting point for all trust relationships in the PKI.

  • Create the host system’s private / public key pair.

  • Create the host system’s CA-signed certificate.

Please refer to the root-ca.conf file.

Initial Setup

Directory structure of setup

.
├── root-ca\
│   ├── certs\          # Folder where new certificates will be placed.
│   ├── db\             # Folder where certificate database files are stored.
│   │   ├── crlnumber
│   │   ├── index
│   │   └── serial
│   ├── private\        # Folder where the private keys for the CA and OCSP responder are stored.
│   └── root-ca.conf    # The root ca creation configuration file.
└── setup.sh

Shown above is the directory structure of the setup for the PKI.

Setup script file

#!/bin/bash
set -e                              # stop on the first failing command
mkdir -p root-ca                    # CA home directory
cd root-ca
mkdir certs db private              # issued certificates, CA database, private keys
chmod 700 private                   # private keys are readable by the CA user only
touch db/index                      # empty certificate database
openssl rand -hex 16 > db/serial    # random 128-bit starting serial number
echo 1001 > db/crlnumber            # starting CRL number

The setup.sh script shown above creates the directory structure and initialises the serial and CRL numbers.

Root CA Generation

  • We first create the CA private key and CSR with ca/root-ca$ openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key, which creates the CA private key root-ca.key and the CSR file root-ca.csr (two steps in one command).

  • We then create a self-signed certificate with ca/root-ca$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext, which signs the CSR from the previous step and writes the root CA certificate root-ca.crt.

Root CA Operations

Creating the CRL

  • To create the CRL with the new CA, execute ca/root-ca$ openssl ca -gencrl -config root-ca.conf -out root-ca.crl. This creates the file root-ca.crl.

Creating a CA-signed individual system certificate

  • We first create the new system’s private key and CSR by issuing ca/root-ca$ openssl req -new -newkey rsa:2048 -subj "/C=SG/O=Big Tom Pte Ltd/CN=deb-xwin" -keyout private/deb-xwin.key -out deb-xwin.csr.

  • To issue the certificate, run ca/root-ca$ openssl ca -config root-ca.conf -in deb-xwin.csr -out deb-xwin.crt -extensions sub_ca_ext, where deb-xwin.csr is the certificate request for the new system and deb-xwin.crt is the resulting certificate.
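The page refers to root-ca.conf without reproducing it, and the host-certificate step above signs with the sub_ca_ext section. In the OpenSSL Cookbook's root-ca.conf, which this page's directory layout and commands follow, sub_ca_ext carries basicConstraints CA:true,pathlen:0 and keyUsage keyCertSign, so a certificate issued with it is a subordinate CA certificate that can itself sign certificates for anything the name constraints allow. The script below is an added example, not code from the page or from the cookbook: it runs the setup, root CA, CRL and host-certificate steps end to end in a scratch directory against a minimal root-ca.conf modelled on the cookbook's, adds a server_ext section for host (end-entity) certificates, signs the same CSR once with each section, and checks which result is an end-entity certificate. The root CA's DN values, the section name server_ext, the function names pki_demo and is_end_entity_cert, the PKI_HOME variable and the encrypt_key = no / -nodes simplification (so nothing prompts for a passphrase) are all assumptions made for this demo.

```shell
#!/bin/bash
# Added example (not from the page or the OpenSSL Cookbook): the page's steps
# run end to end under "$1/root-ca" with a minimal root-ca.conf modelled on the
# cookbook's plus an added [server_ext] section. Constructed names: server_ext,
# pki_demo, is_end_entity_cert, PKI_HOME and the root CA DN values.
set -eu

# Minimal root-ca.conf. Demo simplification: encrypt_key = no (and -nodes below)
# so nothing prompts for a passphrase; a real CA keeps the cookbook's "yes".
write_root_ca_conf() {
  cat > root-ca.conf <<'EOF'
[default]
name                   = root-ca
default_ca             = ca_default

[ca_dn]
countryName            = "SG"
organizationName       = "Big Tom Pte Ltd"
commonName             = "Big Tom Root CA"

[ca_default]
home                   = .
database               = $home/db/index
serial                 = $home/db/serial
crlnumber              = $home/db/crlnumber
certificate            = $home/$name.crt
private_key            = $home/private/$name.key
new_certs_dir          = $home/certs
unique_subject         = no
copy_extensions        = none
default_days           = 3650
default_crl_days       = 365
default_md             = sha256
policy                 = policy_c_o_match

[policy_c_o_match]
countryName            = match
organizationName       = match
commonName             = supplied

[req]
default_bits           = 2048
encrypt_key            = no
default_md             = sha256
prompt                 = no
distinguished_name     = ca_dn

[ca_ext]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

# As in the cookbook: CA:true plus keyCertSign makes a subordinate CA.
[sub_ca_ext]
authorityKeyIdentifier = keyid:always
basicConstraints       = critical,CA:true,pathlen:0
extendedKeyUsage       = clientAuth,serverAuth
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

# Added for host (end-entity) certificates: CA:false and no keyCertSign.
[server_ext]
authorityKeyIdentifier = keyid:always
basicConstraints       = critical,CA:false
extendedKeyUsage       = serverAuth,clientAuth
keyUsage               = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash
EOF
}

# Succeeds only if $1 is an end-entity certificate: CA:FALSE and no keyCertSign.
is_end_entity_cert() {
  local text
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$text" in *"CA:FALSE"*) ;; *) return 1 ;; esac
  case "$text" in *"Certificate Sign"*) return 1 ;; esac
  return 0
}

# The page's setup.sh, root CA, CRL and host-certificate steps, run in a
# subshell inside "$1/root-ca" so the caller's working directory is untouched.
pki_demo() (
  mkdir -p "$1/root-ca" && cd "$1/root-ca"
  mkdir -p certs db private && chmod 700 private && touch db/index
  openssl rand -hex 16 > db/serial
  echo 1001 > db/crlnumber
  write_root_ca_conf
  # Root CA key + CSR in one command, then the self-signed certificate (-in root-ca.csr is required).
  openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key
  openssl ca -batch -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions ca_ext
  openssl ca -gencrl -config root-ca.conf -out root-ca.crl
  # Host key + CSR: the page's command with -config and -nodes added so it runs unattended.
  openssl req -new -config root-ca.conf -newkey rsa:2048 -nodes -subj "/C=SG/O=Big Tom Pte Ltd/CN=deb-xwin" -keyout private/deb-xwin.key -out deb-xwin.csr
  # Sign with the added server_ext; for contrast, sign the same CSR with the cookbook's sub_ca_ext.
  openssl ca -batch -config root-ca.conf -in deb-xwin.csr -out deb-xwin.crt -extensions server_ext
  openssl ca -batch -config root-ca.conf -in deb-xwin.csr -out deb-xwin-as-subca.crt -extensions sub_ca_ext
  openssl verify -CAfile root-ca.crt deb-xwin.crt
)

# Run the whole flow (set PKI_HOME to choose the directory instead of a temp dir).
pki_demo "${PKI_HOME:-$(mktemp -d)}"
```

After the run, `is_end_entity_cert deb-xwin.crt` succeeds while `is_end_entity_cert deb-xwin-as-subca.crt` fails, which is the check worth adding to any issuance script: inspect basicConstraints and keyUsage of every certificate the CA emits, and keep a separate extension section for end-entity certificates so that the -extensions argument cannot silently turn a host certificate into a CA.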