On Sat, May 26, 2007 at 10:11:08PM +0200, Marek Marcola wrote:

>  $ openssl x509 -in cert.pem -text -noout 
>  .
>  .
>          X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment
>  .

Perhaps a mini-ca will help. See "ca.sh", "cert.sh" and "openssl.cnf"
used as follows:

    $ ./ca.sh rsa 2048
    Generating RSA private key, 2048 bit long modulus
    .................................................................+++
    ........................................................................................+++
    e is 65537 (0x10001)
    Using configuration from ca.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'New York'
    localityName          :PRINTABLE:'New York'
    organizationName      :PRINTABLE:'Example Corp'
    commonName            :PRINTABLE:'Insecure CA'
    emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
    Certificate is to be certified until May 26 20:22:33 2017 GMT (3653 days)

    Write out database with 1 new entries
    Data Base Updated

    $ ./cert.sh rsa 1024
    Generating RSA private key, 1024 bit long modulus
    ..++++++
    ..........++++++
    e is 65537 (0x10001)
    Using configuration from ca.cnf
    DEBUG[load_index]: unique_subject = "no"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'New York'
    localityName          :PRINTABLE:'New York'
    organizationName      :PRINTABLE:'Example Corp'
    organizationalUnitName:PRINTABLE:'Marketing Department'
    commonName            :PRINTABLE:'mktg.example.com'
    emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
    Certificate is to be certified until May 25 20:22:59 2008 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated

To tweak the subject names (and similar details) of the CA and issued cert, edit
the names at the top of openssl.cnf:

    [ cert_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    organizationalUnitName  = Marketing Department
    commonName              = mktg.example.com
    emailAddress            = [EMAIL PROTECTED]

    [ ca_distinguished_name ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    commonName              = Insecure CA
    emailAddress            = [EMAIL PROTECTED]

the rest should not need tweaks. The cert in myCA/rsacert.pem looks like this:

        ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                B1:54:85:D9:40:45:30:E1:E2:2C:9B:D8:BC:A8:93:EE:61:B8:19:A5
            X509v3 Authority Key Identifier:
                keyid:36:95:DB:50:85:3A:2F:1E:A8:34:EB:ED:C2:C6:34:F9:4B:38:28:8E
                DirName:/C=US/ST=New York/L=New York/O=Example Corp/CN=Insecure CA/[EMAIL PROTECTED]
                serial:EE:05:5D:8D:9F:D7:56:72
        ...

-- 
        Viktor.

Attachment: ca.sh
Description: Bourne shell script

Attachment: cert.sh
Description: Bourne shell script

Attachment: newkey.sh
Description: Bourne shell script

# Subject DN for the end-entity certificates produced by cert.sh (this is the
# DN echoed in the cert.sh run above). Components are written into the
# certificate in the order listed here, so keep the order stable.
# Not referenced by [ req ] below, which points at ca_distinguished_name;
# presumably cert.sh switches distinguished_name to this section -- confirm.
[ cert_distinguished_name ]
countryName             = US
stateOrProvinceName     = New York
localityName            = New York
organizationName        = Example Corp
organizationalUnitName  = Marketing Department
# Hostname of the server the cert is for; only place the hostname appears,
# since no subjectAltName is configured in [ usr_cert ].
commonName              = mktg.example.com
emailAddress            = [EMAIL PROTECTED]

# Subject DN of the self-signed CA certificate produced by ca.sh; selected by
# distinguished_name = ca_distinguished_name in [ req ] (prompt = no, so no
# interactive questions). The C/ST/L/O values here are also what
# [ policy_match ] forces every issued certificate to repeat.
[ ca_distinguished_name ]
countryName             = US
stateOrProvinceName     = New York
localityName            = New York
organizationName        = Example Corp
commonName              = Insecure CA
emailAddress            = [EMAIL PROTECTED]

# ca(1) reads default_ca to find the section holding its settings. Here that
# is [ req ] below, which deliberately carries both req(1) and ca(1) options
# so one section serves both tools.
[ ca ]
default_ca      = req           # The default ca section

# Issuance policy selected by policy = policy_match in [ req ].
# 'match'    -- the request's value must equal the CA certificate's own value
# 'supplied' -- the request must carry the component (any value)
# 'optional' -- the component may be absent
# Net effect: every issued cert shares the CA's C/ST/L/O and must have a CN.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

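# X.509v3 extensions for the self-signed CA certificate (presumably selected
# by ca.sh with -extensions ca_cert -- confirm in ca.sh).
[ ca_cert ]
# This certificate may sign other certificates; no pathlen limit is imposed.
basicConstraints        = critical,CA:true
# Restrict the CA key to certificate and CRL signing. RFC 5280 recommends a
# critical keyUsage on CA certificates so the same key is not accepted as an
# end-entity (e.g. TLS) key by a verifier that only checks keyUsage.
keyUsage                = critical, keyCertSign, cRLSign
# Keep subjectKeyIdentifier ahead of authorityKeyIdentifier: for a self-signed
# certificate the AKI keyid is copied from the SKI that was just computed.
subjectKeyIdentifier    = hash                          # this first
authorityKeyIdentifier  = keyid:always, issuer:always   # and now this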

# X.509v3 extensions for end-entity certificates issued by cert.sh (presumably
# selected with -extensions usr_cert -- confirm in cert.sh). This is the
# extension block shown for myCA/rsacert.pem above.
[ usr_cert ]
# Issued certificates can never act as a CA.
basicConstraints        = critical,CA:false
# Signing plus key transport (keyEncipherment). Not flagged critical here,
# although RFC 5280 recommends marking keyUsage critical when present.
keyUsage                = digitalSignature, keyEncipherment
# Usable both as a TLS server certificate and as a TLS client certificate.
extendedKeyUsage        = serverAuth, clientAuth
subjectKeyIdentifier    = hash                          # this first
# issuer:always additionally embeds the CA's DirName and serial (the DirName /
# serial lines in the dump above); keyid alone is what verifiers rely on.
authorityKeyIdentifier  = keyid:always, issuer:always   # and now this
# NOTE(review): no subjectAltName is configured, so the hostname exists only
# as the DN commonName; modern TLS clients (RFC 6125) match the SAN, so a
# per-certificate DNS entry would be needed for them.

# Shared settings section: req(1) reads it by name, ca(1) reaches it through
# default_ca = req in [ ca ].
[ req ]

# req(1) options
#
# DN components are taken verbatim from the named section (prompt = no).
# string_mask = nombstr limits DN strings to PrintableString/T61String (no
# BMPString/UTF8String), which is why the ca.sh/cert.sh output above shows
# every component as :PRINTABLE: (e-mail is always IA5STRING).
distinguished_name      = ca_distinguished_name
prompt                  = no
string_mask             = nombstr

# ca(1) options
#
# $dir is expanded by the OpenSSL config parser. dir = . makes every path
# relative to the current directory, so the scripts presumably must be run
# from inside the CA directory -- confirm. default_md and default_days are
# not set here; given the differing 3653/365 day lifetimes in the output,
# ca.sh and cert.sh presumably pass -days (and -md) on the command line.
dir             = .                     # Where everything is kept
database        = $dir/index.txt        # Issued cert database
new_certs_dir   = $dir/newcerts         # default place for new certs.
serial          = $dir/serial           # The current serial number
certificate     = $dir/cacert.pem       # The CA certificate
private_key     = $dir/cakey.pem        # The private key
# NOTE(review): the CA private key sits next to the issued certs in $dir;
# keep its file permissions tight and confirm whether ca.sh writes it
# encrypted -- nothing in this file says.
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
# NOTE(review): unique_subject = no (see the DEBUG[load_index] line in the
# cert.sh output) lets the same subject be certified repeatedly. Convenient
# for a throwaway CA; a real CA would want that duplicate-issuance check.
# Keep emailAddress inside the subject DN. RFC 5280 places e-mail addresses
# in subjectAltName (rfc822Name) instead, so this is legacy behaviour.
email_in_dn     = yes
# Policy section applied to every request; see [ policy_match ] above.
policy          = policy_match
