https://www.chepkov.com/w/index.php?action=history&feed=atom&title=Managing_Certificate_Authority Managing Certificate Authority - Revision history 2026-04-28T17:16:35Z Revision history for this page on the wiki MediaWiki 1.43.6 https://www.chepkov.com/w/index.php?title=Managing_Certificate_Authority&diff=589&oldid=prev Vvc at 14:04, 7 October 2018 2018-10-07T14:04:40Z <p></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="en"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:04, 7 October 2018</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l30">Line 30:</td> <td colspan="2" class="diff-lineno">Line 30:</td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>default_days    = 365</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>default_days    = 365</div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>default_crl_days= 35</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>default_crl_days= 35</div></td></tr> <tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>default_md      = <del style="font-weight: bold; text-decoration: none;">sha1</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>default_md      = <ins style="font-weight: bold; text-decoration: none;">sha256</ins></div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>preserve        = no</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>preserve        = no</div></td></tr> <tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>policy          = policy_any</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>policy          = policy_any</div></td></tr> <!-- diff cache key vvcwiki:diff:1.41:old-206:rev-589:php=table --> </table> Vvc https://www.chepkov.com/w/index.php?title=Managing_Certificate_Authority&diff=206&oldid=prev Vvc: server 2009-01-26T01:34:52Z <p>server</p> <p><b>New page</b></p><div>This article should help you to run your own &#039;&#039;&#039;certificate authority (CA)&#039;&#039;&#039;. <br /> == Creating CA ==<br /> We will keep all files related to our CA in directory &#039;&#039;&#039;/root/CA&#039;&#039;&#039;<br /> <br /> === openssl.conf ===<br /> First, we will create OpenSSL configuration file. It can be stored anywere and referenced by environment variable<br /> &lt;pre&gt;<br /> export OPENSSL_CONF=/root/CA/openssl.conf<br /> &lt;/pre&gt;<br /> <br /> Here is my file<br /> &lt;pre&gt;<br /> [ ca ]<br /> default_ca = CA_default<br /> <br /> [ CA_default ]<br /> dir = /root/CA<br /> new_certs_dir = $dir/certs<br /> database = $dir/index.txt<br /> unique_subject = no<br /> certificate = $dir/cacert.pem<br /> private_key = $dir/private/cakey.pem<br /> serial = $dir/serial<br /> crl = $dir/crl.pem<br /> RANDFILE = $dir/private/.rand<br /> x509_extensions = usr_cert<br /> name_opt = ca_default<br /> cert_opt = ca_default<br /> copy_extensions = copy<br /> default_days = 365<br /> default_crl_days= 35<br /> default_md = sha1<br /> preserve = no<br /> policy = policy_any<br /> <br /> [ policy_any ]<br /> countryName = supplied<br /> stateOrProvinceName = supplied<br /> localityName = supplied<br /> organizationName = optional<br /> organizationalUnitName = optional<br /> commonName = supplied<br /> emailAddress = supplied<br /> <br /> [ req ]<br /> default_bits = 1024<br /> default_md = sha1<br /> distinguished_name = req_distinguished_name<br /> prompt = no<br /> x509_extensions = v3_ca<br /> <br /> [ req_distinguished_name ]<br /> countryName = US<br /> stateOrProvinceName = Virginia<br /> localityName = Leesburg<br /> organizationName = Vadym Chepkov<br /> organizationalUnitName = Vadym Chepkov CA<br /> commonName = Vadym Chepkov CA<br /> emailAddress = vvc@chepkov.com<br /> <br /> [ v3_ca ]<br /> subjectKeyIdentifier=hash<br /> authorityKeyIdentifier=keyid:always,issuer:always<br /> keyUsage = critical,keyCertSign,cRLSign<br /> basicConstraints = critical,CA:TRUE,pathlen:1<br /> subjectAltName=email:copy<br /> issuerAltName=issuer:copy<br /> authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html<br /> crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl<br /> <br /> [ intermediate_ca ]<br /> subjectKeyIdentifier=hash<br /> authorityKeyIdentifier=keyid:always,issuer:always<br /> keyUsage = critical,keyCertSign,cRLSign<br /> basicConstraints = critical,CA:TRUE,pathlen:0<br /> subjectAltName=email:copy<br /> issuerAltName=issuer:copy<br /> authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html<br /> crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl<br /> <br /> [ usr_cert ]<br /> basicConstraints = critical,CA:FALSE<br /> keyUsage = critical,digitalSignature,keyAgreement<br /> subjectKeyIdentifier=hash<br /> authorityKeyIdentifier=keyid,issuer<br /> issuerAltName=issuer:copy<br /> authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html<br /> crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl<br /> <br /> [ server ]<br /> basicConstraints = critical,CA:FALSE<br /> subjectKeyIdentifier=hash<br /> authorityKeyIdentifier=keyid,issuer:always<br /> extendedKeyUsage=serverAuth<br /> keyUsage = critical,digitalSignature, keyEncipherment<br /> authorityInfoAccess = caIssuers;URI:http://www.chepkov.com/ca.html<br /> crlDistributionPoints=URI:http://www.chepkov.com/vvc-ca.crl<br /> <br /> &lt;/pre&gt;<br /> <br /> === Creating initial database ===<br /> &lt;pre&gt;<br /> cd /root/CA<br /> mkdir certs private<br /> chmod 700 private<br /> echo 01 &gt; serial<br /> touch index.txt index.txt.attr<br /> &lt;/pre&gt;<br /> <br /> === Creating CA private key ===<br /> openssl genrsa -out private/cakey.pem 2048<br /> <br /> === Creating CA certificate request ===<br /> openssl req -new -key private/cakey.pem -out ca.csr<br /> <br /> === Self-signing CA certificate ===<br /> openssl ca -selfsign -in ca.csr -keyfile private/cakey.pem -out cacert.pem -extensions v3_ca -verbose -enddate 361231235959Z<br /> <br /> === Signing Certificate Request ===<br /> openssl ca -days 730 -in server.csr -out server.crt -extensions server<br /> <br /> Make sure expiration day of the certificate does not exceed expiration day of your certificate authority. You don&#039;t have to specify &#039;&#039;&#039;days&#039;&#039;&#039; argument if you want to use default from openssl.conf<br /> <br /> === Revoking a certificate ===<br /> openssl ca -revoke cert.pem<br /> <br /> === Generating Certificate Revocation List (CRL) ===<br /> openssl ca -gencrl -out crl.pem<br /> openssl crl -in crl.pem -out crl.crl -outform DER<br /> <br /> [[Category:OpenSSL]]</div> Vvc