Alternate way for PKI Setup
Creating the CA’s private key
Generate a private key file for the CA:
$ openssl genrsa -out ca.key 2048
Output: ca.key
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
...................+++++
e is 65537 (0x010001)
Creating the CA’s Self Signed Certificate
Using the CA private key, create the self-signed X.509 CA certificate ca.crt with openssl. openssl will prompt the user for the subject details of the certificate:
Method 1: Prompted Certificate Input Details
The command below creates a CA certificate directly, without first creating a CSR.
$ openssl req -new -x509 -key ca.key -out ca.crt
req: This is a new CSR.
-new: Create a new certificate, prompting the user for the required fields.
-x509: Create a self-signed certificate.
-key: Use the private key given.
-out: Output the certificate to the file with the filename provided.
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -x509 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Big Tom Pte Ltd
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:Thomas
Email Address []:bigtompk-gen@yahoo.com
The session above creates the publicly shareable CA certificate ca.crt for the CA server. Note: this is not the certificate for any of the web sites or hosts under the CA; the output file ca.crt is the CA certificate itself.
Method 2: Inputs provided on the command line
The command below creates a CA certificate directly, without first creating a CSR, taking the subject from the -subj argument instead of prompting.
$ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN=www.thomas-pk.com
OR
$ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN="www.thomas-pk.com thomas-pk.com"
for multiple CNs.
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.......+++++
e is 65537 (0x010001)
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN=www.thomas-pk.com
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ ll
total 8.0K
-rwxrwxrwx 1 thomas-pk thomas-pk 1.2K Mar 30 10:22 ca.crt*
-rwxrwxrwx 1 thomas-pk thomas-pk 1.7K Mar 30 10:21 ca.key*
drwxrwxrwx 1 thomas-pk thomas-pk 512 Mar 29 19:34 my-pki/
drwxrwxrwx 1 thomas-pk thomas-pk 512 Mar 28 08:25 pki-example-1/
Use
$ openssl x509 -in ca.crt -text -noout
to display the contents of the new crt file.
Method 3: Inputs through a configuration file
Please refer to root-ca.conf
$ openssl req -new -config root-ca.conf -out root-ca.csr -keyout root-ca.key
This creates a new private key root-ca.key and a CSR file root-ca.csr from the configuration file root-ca.conf.
Use
$ openssl ca -selfsign -config root-ca.conf -in root-ca.csr -out root-ca.crt -extensions root_ca_ext
to create a self signed root CA certificate from the CSR root-ca.csr and configuration file root-ca.conf.
Generating a host system’s RSA KeyPair and Certificate
Create the signed certificate for the website / host system using the CA private key ca.key created previously.
Creating the host system private key
$ openssl genrsa -out example.org.key 2048
Generate a private RSA key file example.org.key.
$ openssl rsa -in example.org.key -noout -text
to display the contents of the private rsa key file example.org.key.
Extract the public key from the private key
$ openssl rsa -in example.org.key -pubout -out example.org.pub
to generate the public key from the private key.
$ openssl rsa -in example.org.pub -pubin -noout -text
to display the contents of the public key.
Performing a Certificate Signing Request (CSR)
$ openssl req -new -key example.org.key -out example.org.csr
This command generates a certificate signing request from the earlier private key. Issuing this command will prompt the user to enter details for the certificate, such as Country, Locality, Organisation Name, email address, etc.
-key: specifies the private key file.
-new: create a new request and prompt the user for the relevant field values.
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl req -new -key example.org.key -out example.org.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Big Tom Pte Ltd
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:thomas-pk.com
Email Address []:bigtompk-gen@yahoo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing the host certificate by the CA
thomas-pk@Tom-720s:/mnt/c/Users/thoma/Documents/code/pki$ openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt
Signature ok
subject=C = SG, ST = Singapore, L = Singapore, O = Big Tom Pte Ltd, OU = Sales, CN = thomas-pk.com, emailAddress = bigtompk-gen@yahoo.com
Getting CA Private Key
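As an added example (not part of the original page), the Method 2 CA setup and the host-signing step above run as one non-interactive script, followed by the checks a practitioner would want on the issued certificate: it chains to the CA, carries a subjectAltName, and is not itself a CA. The directory, the names example.org / Example Root CA and the lifetimes are constructed placeholders; the extension file is needed because openssl x509 -req does not carry extensions over from the CSR.

```shell
#!/bin/sh
# Added example, not from the original page. Non-interactive CA + host
# certificate flow; all names and paths below are constructed placeholders.
set -eu

# Build a self-signed CA and a CA-signed host certificate inside $1.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (page's Method 2, subject via -subj)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/C=SG/O=Example CA/CN=Example Root CA" 2>/dev/null
    # Host key and CSR, subject given on the command line instead of prompts
    openssl genrsa -out "$dir/example.org.key" 2048 2>/dev/null
    openssl req -new -key "$dir/example.org.key" -out "$dir/example.org.csr" \
        -subj "/C=SG/O=Example Org/CN=example.org"
    # Extension file: openssl x509 -req copies no extensions from the CSR,
    # so the SAN that modern clients match on must be supplied here.
    cat > "$dir/host.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.org, DNS:www.example.org
EOF
    # Sign the CSR with the CA (page's last step, plus -days and -extfile)
    openssl x509 -req -in "$dir/example.org.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/host.ext" -out "$dir/example.org.crt" 2>/dev/null
}

# Return 0 if the issued certificate in $1 verifies against the CA, carries
# the expected DNS SAN and cannot act as a CA; return 1 otherwise.
check_host_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/example.org.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/example.org.crt" -noout -text)
    echo "$text" | grep -q 'DNS:www.example.org' || return 1
    echo "$text" | grep -q 'CA:FALSE' || return 1
    return 0
}

# Usage: sh pki-example.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    build_pki "$work"
    check_host_cert "$work" && echo "PASS: $work/example.org.crt" || echo "FAIL"
fi
```

Rerunning check_host_cert against a certificate signed without -extfile fails on the SAN check, which is the gap the page's plain x509 -req command leaves.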