Alternate way for PKI Setup

Creating the CA’s private key

  • Generate a private key file for the CA: $ openssl genrsa -out ca.key 2048 writes the key to ca.key.

thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
...................+++++
e is 65537 (0x010001)

Creating the CA’s Self Signed Certificate

  • Using the CA private key, create the self-signed X.509 CA certificate ca.crt with openssl. openssl will prompt the user for the details of the certificate:

Method 1: Prompted Certificate Input Details

  • The command provided below creates a CA certificate directly without creating a CSR.

  • $ openssl req -new -x509 -key ca.key -out ca.crt

    • req: The subcommand that creates and processes certificate signing requests (CSRs).

    • -new: Create a new request, prompting the user for the required fields.

    • -x509: Output a self-signed certificate instead of a CSR.

    • -key: Use the private key in the given file.

    • -out: Write the certificate to the file with the filename provided.

thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -x509 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Big Tom Pte Ltd
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:Thomas
Email Address []:bigtompk-gen@yahoo.com

The terminal session above creates the publicly shareable CA certificate ca.crt for the CA server. Note: this is not the certificate for any of the websites or hosts under the CA. The output file ca.crt is the CA certificate itself.

Method 2: Inputs provided in command line

  • The command provided below creates a CA certificate directly without creating a CSR.

    • $ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN=www.thomas-pk.com

    • OR $ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN="www.thomas-pk.com thomas-pk.com" for multiple CNs. Note that this yields a single CN whose value is the whole quoted string; clients match a hostname against the subjectAltName extension, so a certificate that must cover several names should list them there.

thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.......+++++
e is 65537 (0x010001)
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN=www.thomas-pk.com
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ ll
total 8.0K
-rwxrwxrwx 1 thomas-pk thomas-pk 1.2K Mar 30 10:22 ca.crt*
-rwxrwxrwx 1 thomas-pk thomas-pk 1.7K Mar 30 10:21 ca.key*
drwxrwxrwx 1 thomas-pk thomas-pk  512 Mar 29 19:34 my-pki/
drwxrwxrwx 1 thomas-pk thomas-pk  512 Mar 28 08:25 pki-example-1/

  • $ openssl x509 -in ca.crt -text -noout displays the contents of the new certificate file.

Method 3: Inputs through a configuration file

  • Please refer to root-ca.conf

  • $ openssl req -new -config root-ca.conf -out root-ca.csr -keyout root-ca.key

  • This creates a new private key root-ca.key and a CSR file root-ca.csr from the configuration file root-ca.conf.

  • Use $ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions root_ca_ext to create a self-signed root CA certificate from the CSR root-ca.csr and configuration file root-ca.conf.

Generating a host system’s RSA KeyPair and Certificate

Create the CA-signed certificate for the website / host system using the CA private key ca.key created previously.

Creating the host system private key

  • $ openssl genrsa -out example.org.key 2048: Generate a private RSA key file example.org.key.

  • $ openssl rsa -in example.org.key -noout -text: Display the contents of the private RSA key file example.org.key.

Extract the public key from the private key

  • $ openssl rsa -in example.org.key -pubout -out example.org.pub: Generate the public key from the private key.

  • $ openssl rsa -in example.org.pub -pubin -noout -text: Display the contents of the public key.

Performing a Certificate Signing Request (CSR)

$ openssl req -new -key example.org.key -out example.org.csr. This command generates a certificate signing request (CSR) for the earlier private key. Issuing this command will prompt the user to enter details for the certificate, such as Country, Locality, Organisation Name, email address, etc.

  • -key: Specifies the private key file.

  • -new: Create a new certificate request and prompt the user for the relevant field values.

thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -key example.org.key -out example.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Big Tom Pte Ltd
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:thomas-pk.com
Email Address []:bigtompk-gen@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the host certificate by the CA

thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt
Signature ok
subject=C = SG, ST = Singapore, L = Singapore, O = Big Tom Pte Ltd, OU = Sales, CN = thomas-pk.com, emailAddress = bigtompk-gen@yahoo.com
Getting CA Private Key
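As an added example (not part of the original notes), the script below runs the whole procedure non-interactively in a scratch directory and then uses openssl verify -verify_hostname to compare two host certificates signed by the same CA: one carrying www.thomas-pk.com and thomas-pk.com in a subjectAltName extension, and one built the Method 2 way with both names in a single CN. The directory layout, file names and the CA name "Big Tom Root CA" are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes. Names and layout are constructed.
set -eu

# build_pki DIR: create the CA and two host certificates for the same host key:
#   san.crt      CN=www.thomas-pk.com plus a subjectAltName listing both names
#   multi-cn.crt the Method 2 form, both names in one CN and no subjectAltName
build_pki() {
  dir=$1
  mkdir -p "$dir"
  # CA: CSR first, then self-sign with an explicit extension file (as in Method 3),
  # so the CA flags do not depend on whatever the system openssl.cnf provides
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl req -new -key "$dir/ca.key" -subj "/CN=Big Tom Root CA" -out "$dir/ca.csr"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # host key shared by both leaf certificates
  openssl genrsa -out "$dir/host.key" 2048 2>/dev/null
  # leaf 1: hostnames in subjectAltName, which is what clients match against;
  # -days is given explicitly because x509 -req otherwise defaults to 30 days
  printf 'subjectAltName=DNS:www.thomas-pk.com,DNS:thomas-pk.com\nbasicConstraints=CA:FALSE\n' >"$dir/san.ext"
  openssl req -new -key "$dir/host.key" -subj "/CN=www.thomas-pk.com" -out "$dir/san.csr"
  openssl x509 -req -in "$dir/san.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/san.ext" -out "$dir/san.crt" 2>/dev/null
  # leaf 2: two names in a single CN value, as suggested under Method 2
  openssl req -new -key "$dir/host.key" -subj "/CN=www.thomas-pk.com thomas-pk.com" -out "$dir/multi-cn.csr"
  openssl x509 -req -in "$dir/multi-cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -out "$dir/multi-cn.crt" 2>/dev/null
}

# hostname_ok CA CERT HOST: succeed only if CERT chains to CA and matches HOST
hostname_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: build everything in a scratch directory and print the four outcomes
demo() {
  scratch=$(mktemp -d)
  build_pki "$scratch"
  for c in san multi-cn; do
    for h in www.thomas-pk.com thomas-pk.com; do
      if hostname_ok "$scratch/ca.crt" "$scratch/$c.crt" "$h"; then r=OK; else r=MISMATCH; fi
      echo "$c.crt for $h: $r"
    done
  done
}
```

Source the file and run demo: both names verify against san.crt, while multi-cn.crt chains to the CA correctly but fails hostname verification for either name.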