I've seen several of these "help me I need to construct a security
architecture and I don't understand the manuals and I'm too busy/
uneducated/blonde/whatever (:-) to take the time to LEARN enough
to understand the manuals, so please just give me the commands
that I can type in and satisfy my boss so I can just go home and
play with my cat or write symphonies or write the great American
novel or whatever my REAL love in life is..."

and I wonder if it is really responsible to give out such a list
of commands, without the person really realizing how pass phrases
need to be guarded or any of the other things that result in real
security.  Am I handing a baby a loaded gun by posting stuff like
this?  Or is their management handing a baby a loaded gun by
sending a (relatively) uneducated person out to do something this
you-bet-your-company critical without adult oversight?

I want to generate intermediate certificates.
How do I create an intermediate certificate?
I have to create the following certs in this manner:
Master ROOT CA
Intermediate CA
Departmental CA
End User Cert
How do I create the intermediate CA or the departmental CA certs that can have a verified trust path to the Master Root CA?
Please email the actual commands used and/or the actual config files used for such generation - am stuck.

The following generates a four-level test PKI just like the one we have put into operation. This is one of 18 scripts that generate a sequence of PKIs, starting with the one we just took out of operation, and proceeding a tiny tiny step at a time, adding this extension or changing that extension, until it ends up with the PKI we are putting into operation now. This was grueling overkill but was necessary to determine why the Novell eDirectory LDAP server didn't like our certificates.

Now, the pass phrases in here are really simple like "aaaaa" and "bbbbb"
because this is a test PKI and there was really no security involved.
We put the test up, tested it, and took it down.  The REAL PKI uses
pass phrases that were typed in by witnesses at our cert ceremony and
are now sealed in envelopes held by campus security authorities.

Please think about security as you use this information.  And PLEASE
don't steal our cert policy ID!  Get one of your own or just drop
that extension:

=====

#! /bin/sh

# Test18 is Test17 with
# KeyUsage extension in server cert marked critical

OPENSSL="/usr/bin/openssl"
CONFFILE=conf.$$
SNUMFILE=snum.$$
CAV="18"

# Generate the Root certificate

cat <<@eof >$CONFFILE
oid_section = addoid
[addoid] # our local object IDs
umCPS = 1.3.6.1.4.1.4305.1.2.1
[req] # openssl req params
prompt = no
distinguished_name = dn-param
x509_extensions = extend
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Root CA $CAV
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = "See http://cert.umd.edu/root for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = umCPS
CPS = "http://cert.umd.edu/certpolicy"
@eof

$OPENSSL req -config $CONFFILE -x509 -sha1 -newkey rsa:2048 -days 365 \
         -passout pass:aaaaa -keyout root.key.pem -out root.cert.pem

# Generate the Intermediate certificate
# sort of sneaky use same file for config and extensions

cat <<@eof >$CONFFILE
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Inter $CAV
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = "See http://cert.umd.edu/inter for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 01 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
   -newkey rsa:2048 -passout pass:bbbbb -keyout inter.key.pem |

$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
   -CAserial $SNUMFILE -days 364 -passin pass:aaaaa \
   -CA root.cert.pem -CAkey root.key.pem -out inter.cert.pem

# Generate the server certificate signing certificate
# sort of sneaky use same file for config and extensions

cat <<@eof >$CONFFILE
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland SSL Signing $CAV
[extend] # openssl extensions
subjectAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
issuerAltName  = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
extendedKeyUsage = clientAuth,serverAuth
nsCertType = sslCA
nsComment = "See http://cert.umd.edu/ssign for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 02 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
   -newkey rsa:2048 -passout pass:ccccc -keyout ssign.key.pem |

$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
   -CAserial $SNUMFILE -days 363 -passin pass:bbbbb \
   -CA inter.cert.pem -CAkey inter.key.pem -out ssign.cert.pem

# Generate a server certificate from CSR in csr.pem

cat <<@eof >$CONFFILE
extensions = extend
[extend] # openssl extensions
subjectAltName = email:[EMAIL PROTECTED]
issuerAltName = "DNS:umd.edu","email:[EMAIL PROTECTED]"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
keyUsage = critical,Key Encipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = SSL Server
nsComment = "See http://cert.umd.edu/server for details."
certificatePolicies = ia5org,@policy
[policy] # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
CPS = "http://cert.umd.edu/certpolicy"
@eof

echo 13 >$SNUMFILE

$OPENSSL x509 -req -sha1 -extfile $CONFFILE -in csr.pem \
   -CAserial $SNUMFILE -days 362 -passin pass:ccccc \
   -CA ssign.cert.pem -CAkey ssign.key.pem -out server.cert.pem

rm $CONFFILE $SNUMFILE

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
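
An added example, not part of the original post or the author's scripts: it rebuilds a four-level test chain with the same `req | x509 -req` pattern and then checks the "verified trust path" the question asks about with `openssl verify`, including two cases that must fail. The `make_cert` and `chain_ok` helpers, the DNs, SHA-256, `-CAcreateserial` and the unencrypted throwaway keys are assumptions chosen for a disposable test directory.

```shell
# Added example: throwaway root -> inter -> ssign -> server test chain plus a
# trust-path check. DNs, file names and the 30-day lifetime are constructed.

# make_cert NAME ISSUER CA: self-signed if ISSUER is "", else signed by ISSUER.
make_cert() {
    name=$1; issuer=$2; ca=$3
    cat >"$name.cnf" <<EOF
extensions = extend
[req]
prompt = no
distinguished_name = dn
x509_extensions = extend
[dn]
O = Example Test PKI
CN = $name
[extend]
basicConstraints = critical,CA:$ca
subjectKeyIdentifier = hash
EOF
    if [ -z "$issuer" ]; then
        openssl req -config "$name.cnf" -x509 -sha256 -newkey rsa:2048 -nodes \
            -days 30 -keyout "$name.key.pem" -out "$name.cert.pem" 2>/dev/null
    else
        openssl req -config "$name.cnf" -newkey rsa:2048 -nodes \
            -keyout "$name.key.pem" 2>/dev/null |
        openssl x509 -req -sha256 -extfile "$name.cnf" -days 30 \
            -CA "$issuer.cert.pem" -CAkey "$issuer.key.pem" \
            -CAcreateserial -out "$name.cert.pem" 2>/dev/null
    fi
}

# chain_ok LEAF ROOT INTERMEDIATE...: succeeds only if LEAF verifies up to the
# trusted ROOT using the listed (untrusted) intermediate CA certificates.
chain_ok() {
    leaf=$1; root=$2; shift 2
    for c in "$@"; do cat "$c.cert.pem"; done >untrusted.pem
    openssl verify -CAfile "$root.cert.pem" -untrusted untrusted.pem \
        "$leaf.cert.pem" 2>/dev/null | grep -q ': OK$'
}

cd "$(mktemp -d)" || exit 1
make_cert root   ""     true
make_cert inter  root   true
make_cert ssign  inter  true
make_cert server ssign  false
make_cert rogue  server false   # issued by an end-entity (CA:false) cert

chain_ok server root inter ssign && echo "server: trust path to root OK"
chain_ok server root ssign || echo "server: fails when inter is missing"
chain_ok rogue root inter ssign server || echo "rogue: rejected, issuer is CA:false"
```

Only the root goes in `-CAfile`; every intermediate is supplied as untrusted input, so the check fails if any link is missing or if a certificate marked `CA:false` was used to sign another.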
