Setting up a Private PKI
Reference: User Guides / Security / OpenSSL Cookbook 2nd Edition - 2016.pdf, section "Creating a Private Certification Authority".
The central component of the PKI is the CA, which every other system in the PKI trusts. Because trust flows from it, the CA is set up first and the other systems are set up against it afterwards.
PKI creation steps
Create the CA's private key. The key file also contains the CA's public key; the public key is shared with other parties only in the form of the CA certificate, never by distributing the key file itself.
Create the CA's self-signed certificate: generate a CSR for the CA's own key and sign it with the CA's private key. The CA certificate is required to:
be installed in clients' browsers and other client agents so that they trust the CA
identify the issuer when host system certificates are signed (the signature itself is made with the CA private key; the CA certificate is what relying parties use to check it)
serve as the trust anchor, the starting point for all trust relationships in the PKI.
Create the host system's private/public key pair.
Create the host system's CA-signed certificate.
Please refer to the root-ca.conf file.
Initial Setup
Directory structure of setup
.
├── root-ca
│   ├── certs/        # New certificates are placed here.
│   ├── db/           # Certificate database files.
│   │   ├── crlnumber
│   │   ├── index
│   │   └── serial
│   ├── private/      # Private keys for the CA and the OCSP responder (mode 700).
│   └── root-ca.conf  # Root CA configuration file.
└── setup.sh
Shown above is the directory structure of the setup for the PKI.
Setup script file
#!/bin/bash
mkdir -p root-ca
cd root-ca
mkdir certs db private
chmod 700 private                   # only the CA operator may read the private keys
touch db/index                      # empty certificate database
openssl rand -hex 16 > db/serial    # random 128-bit starting serial number
echo 1001 > db/crlnumber            # starting CRL number
setup.sh, shown above, creates the directory structure and initialises the serial and CRL numbers. Starting the serial from a random 128-bit value rather than 1 means issued certificates do not expose how many certificates the CA has signed.
Root CA Generation
We first create the CA private key and CSR with
ca/root-ca$ openssl req -new -config root-ca.conf \
    -out root-ca.csr -keyout private/root-ca.key
which creates the CA private key root-ca.key and the CSR file root-ca.csr, two steps in one command. If root-ca.conf encrypts the key (encrypt_key = yes), openssl req prompts for a passphrase. We then create the self-signed certificate from that CSR with
ca/root-ca$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr \
    -out root-ca.crt -extensions ca_ext
which produces the root CA certificate root-ca.crt. The -in root-ca.csr argument is required; without it openssl ca has nothing to sign. The command asks for the CA key passphrase (if the key is encrypted) and for confirmation before signing and committing to the database.
Root CA Operations
Creating the CRL
To create the CRL with the new CA, execute
ca/root-ca$ openssl ca -gencrl -config root-ca.conf -out root-ca.crl
This creates the file root-ca.crl. Rerun the same command after every revocation (openssl ca -revoke) so that the published CRL reflects the current state of db/index.
Creating a CA-signed individual system certificate
We first create the new system's private key and CSR by running
ca/root-ca$ openssl req -new -newkey rsa:2048 -subj "/C=SG/O=Big Tom Pte Ltd/CN=deb-xwin" -keyout private/deb-xwin.key -out deb-xwin.csr
Without -nodes (or -noenc in OpenSSL 3) this writes a passphrase-encrypted private key and prompts for the passphrase. To issue the certificate, run
ca/root-ca$ openssl ca -config root-ca.conf \
    -in deb-xwin.csr -out deb-xwin.crt -extensions sub_ca_ext
where deb-xwin.csr is the certificate request for the new system. Note the extension section: in the cookbook's root-ca.conf, sub_ca_ext is the section for subordinate CA certificates (basicConstraints CA:true, keyUsage keyCertSign), so a certificate issued with it can itself sign certificates that clients will trust. For a host system (an end-entity such as a TLS server) use a section with basicConstraints CA:false, digitalSignature/keyEncipherment key usage, the serverAuth extended key usage and a subjectAltName for the host name. Check the result with openssl x509 -in deb-xwin.crt -noout -text and confirm it shows CA:FALSE.
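The complete procedure (the creation steps listed at the top of the page and the root CA, CRL and host certificate operations above) as one runnable script, added here as an example; it is not code from the OpenSSL Cookbook or from the original page. It writes its own minimal root-ca.conf as a stand-in for the cookbook's, since that file is not reproduced on this page. The DN values, the 2048-bit keys and encrypt_key = no are demo choices made so the script runs without prompts (a real root key is encrypted and kept offline); the server_ext section, the function names and the hostname deb-xwin are assumptions. It assumes only that openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/bash
# Added example (not from the OpenSSL Cookbook or the original page): setup,
# root CA, end-entity host certificate, CRL, revocation and verification.
# The embedded root-ca.conf is a minimal stand-in for the cookbook's file.
# Demo-only choices: 2048-bit keys, encrypt_key = no, fixed DN values.
set -eu

# setup.sh equivalent plus the stand-in configuration file.
pki_setup() {
  local root="$1/root-ca"
  mkdir -p "$root/certs" "$root/db" "$root/private"
  chmod 700 "$root/private"
  touch "$root/db/index"
  openssl rand -hex 16 > "$root/db/serial"   # random 128-bit starting serial
  echo 1001 > "$root/db/crlnumber"
  cat > "$root/root-ca.conf" <<'EOF'
[default]
name = root-ca
dir  = .
[ca]
default_ca = root_ca
[root_ca]
certificate      = $dir/$name.crt
private_key      = $dir/private/$name.key
new_certs_dir    = $dir/certs
serial           = $dir/db/serial
database         = $dir/db/index
crlnumber        = $dir/db/crlnumber
unique_subject   = no
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_any
[policy_any]
countryName      = optional
organizationName = optional
commonName       = supplied
[req]
default_bits       = 2048
encrypt_key        = no
default_md         = sha256
prompt             = no
distinguished_name = ca_dn
[ca_dn]
countryName      = SG
organizationName = Big Tom Pte Ltd
commonName       = Big Tom Root CA
[ca_ext]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA: key + CSR, then the self-signed certificate (-batch skips the prompts).
pki_root_ca() {
  ( cd "$1/root-ca" &&
    openssl req -new -config root-ca.conf -out root-ca.csr -keyout private/root-ca.key &&
    openssl ca -batch -notext -selfsign -config root-ca.conf -in root-ca.csr \
      -out root-ca.crt -extensions ca_ext )
}

# Host (end-entity) certificate for $2: CA:false plus a SAN for the host name,
# passed through -extfile so the section is per host. Deliberately not sub_ca_ext.
pki_issue() {
  local host="$2"
  ( cd "$1/root-ca" &&
    openssl req -new -newkey rsa:2048 -config root-ca.conf \
      -subj "/C=SG/O=Big Tom Pte Ltd/CN=$host" \
      -keyout "private/$host.key" -out "$host.csr" &&
    printf '%s\n' '[server_ext]' 'authorityKeyIdentifier = keyid:always' \
      'basicConstraints = critical,CA:false' \
      'keyUsage = critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
      "subjectAltName = DNS:$host" > "$host.ext" &&
    openssl ca -batch -notext -config root-ca.conf -in "$host.csr" \
      -out "$host.crt" -extfile "$host.ext" -extensions server_ext )
}

pki_gencrl() { ( cd "$1/root-ca" && openssl ca -gencrl -config root-ca.conf -out root-ca.crl ); }

pki_revoke() { ( cd "$1/root-ca" && openssl ca -config root-ca.conf -revoke "$2.crt" -crl_reason keyCompromise ); }

# Succeeds only if $2.crt chains to the root and is absent from the current CRL.
pki_verify() {
  ( cd "$1/root-ca" && openssl verify -CAfile root-ca.crt -crl_check -CRLfile root-ca.crl "$2.crt" )
}

# Succeeds if the certificate file carries basicConstraints CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Full run in a temporary directory: issue, verify, revoke, verify again.
pki_demo() {
  local base; base=$(mktemp -d)
  pki_setup "$base"; pki_root_ca "$base"; pki_issue "$base" deb-xwin; pki_gencrl "$base"
  pki_verify "$base" deb-xwin
  pki_revoke "$base" deb-xwin; pki_gencrl "$base"
  pki_verify "$base" deb-xwin && { echo "revocation not detected" >&2; return 1; }
  echo "revoked certificate correctly rejected; files left in $base"
}

if [ "${1:-}" = demo ]; then pki_demo; fi
```

Run it as bash pki.sh demo, or source the file and call the functions one at a time. The first pki_verify prints deb-xwin.crt: OK; after pki_revoke and a fresh CRL the same check fails with "certificate revoked", which is the behaviour a client doing CRL checking relies on. cert_is_ca is the check to run on any certificate you issue: it succeeds for root-ca.crt and fails for deb-xwin.crt, which is what you want for a host certificate.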