Hi,
my recipe to generate a CSR for the root CA is as follows:

# Makefile excerpt. The recipes below use brace expansion and "echo -e",
# so make has to run them with bash rather than the default /bin/sh.
SHELL := /bin/bash

#
# generate a Certificate Signing Request to be submitted to the CA
# @input:
#  - the key to be certified, i.e. the server's key
#  - the server's credentials such as DN
#
%.root.csr.pem: %.key.sec.pem \
                $(ROOTCA)/openssl.cnf
	$(MKDIR) -p $(@D)
	openssl req \
	    -new \
	    -out $@ \
	    -key $< \
	    -subj $($*Name) \
	    -config $(ROOTCA)/openssl.cnf \
	    $($(basename $(basename $(basename $(@F))))Extension)

While the config file as well as the CA folder structure are generated on the fly, if they do not already exist, as follows:

#
# build the CA directory layout and derive our openssl.cnf from $(CONFIG),
# appending one extension section per certificate type
#
$(ROOTCA)/openssl.cnf:
	$(MKDIR) -p $(@D)/{crl,certs,newcerts,private}
	test -f $(@D)/index.txt || touch $(@D)/index.txt
	test -f $(@D)/serial || echo 1001 >$(@D)/serial
# '|' as the sed delimiter, since $(@D) is a path and contains '/'
	sed -e 's|demoCA|$(@D)|g' <$(CONFIG) >$@
	echo -e "\n# -- RootCA section --------------------------" >>$@
	sed -n '/^\[\s*v3_ca\s*\]/,/^\[/p' <$(CONFIG) \
	    |sed -e '$$d' \
	         -e 's|v3_ca|v3_root_ca|' \
	         -e 's|^\(basicConstraints\).*|\1 = CA:true,pathlen:1|' \
	         -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >> $@
	echo -e "\n# -- SubCA section --------------------------" >>$@
	sed -n '/^\[\s*v3_ca\s*\]/,/^\[/p' <$(CONFIG) \
	    |sed -e '$$d' \
	         -e 's|v3_ca|v3_sub_ca|' \
	         -e 's|^\(basicConstraints\).*|\1 = CA:true,pathlen:0|' \
	         -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >> $@
	echo -e "\n# -- Client section --------------------------" >>$@
	sed -n '/^\[\s*usr_cert\s*\]/,/^\[/p' <$(CONFIG) \
	    |sed -e '$$d' \
	         -e 's|usr_cert|client_cert|' \
	         -e 's|^#\s*\(keyUsage.*\)|\1|' \
	    >> $@

I use '-extensions v3_root_ca' for the root CA and '-extensions client_cert' for a "derived" server and client certificate. If I have a subCA in between, I use 'v3_sub_ca' respectively. The certificate is generated by the following recipe:

#
# generate the certificate issued by root
# @input:
#  - the certificate request from the target
#  - the root CA's certificate (self signed ?)
#  - the root CA's secret key
#  - serial number will be generated on the fly
#
%.root.crt.pem: %.root.csr.pem \
                $(ROOTCA)/cacert.pem \
                $(ROOTCA)/private/cakey.pem \
                $(ROOTCA)/openssl.cnf
	$(MKDIR) -p $(@D)
	openssl ca \
	    -in $< \
	    -days $($(subst .root.crt.pem,,$(@F))Duration) \
	    -keyfile $(filter %cakey.pem,$^) \
	    -cert $(filter %cacert.pem,$^) \
	    -config $(ROOTCA)/openssl.cnf \
	    -batch \
	    -notext \
	    $($(basename $(basename $(basename $(@F))))Extension)
# newcerts/ holds <serial>.pem; sort so that tail really picks the newest one,
# copy it to the target and file it under certs/<subject hash>.<n>
	find $(ROOTCA)/newcerts -name "*.pem" | sort | tail -1 | while read f; do \
	    $(CP) $$f $@; \
	    openssl x509 -hash -noout -in $$f | while read g; do \
	        $(MV) $$f $(ROOTCA)/certs; \
	        gen=`ls $(ROOTCA)/certs/$$g.* 2>/dev/null | awk -F "." 'BEGIN{x=0}{x=$$2 + 1}END{print x}'`; \
	        $(LN) -sf `basename $$f` $(ROOTCA)/certs/$$g.$$gen; \
	    done; \
	done

With this, I did not recognise any problem with the duration. To be honest, in my playground environment I play with several validity periods, which seems to work, as I see expiration errors when expected.

Regarding your question to omit the passphrase in step 2: if you don't want the secret key to be encrypted, omit the -des3 switch, which triggers the encryption and in turn the request to enter the passphrase. If you want encryption but want to pass a default passphrase, use the -passout switch. Look for 'PASS PHRASE ARGUMENTS' in openssl(1).

The public key certainly lives alongside the private key (same file) and is replicated within the certificate file. I would be surprised if you need it separately.

If something seems to be crucial, I would appreciate any comment.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Hopkins, Nathan
Sent: Thursday, 18 August 2011 12:45
To: openssl-users@openssl.org
Subject: Becoming a CA for group of internal servers?

Please can you advise if this is the correct process for becoming a CA internally for a group of servers?
1) openssl genrsa -des3 -out ca.key 2048
   openssl req -new -x509 -key ca.key -out ca.crt

2) openssl genrsa -des3 -out server.key 2048
   openssl req -new -key server.key -out server.csr

3) openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365

A few questions for which help would be much appreciated:

- How do you omit a pass phrase in step 2)?
- The -days 365 doesn't seem to work - do I need to change openssl.cnf?
- Where does the public key live?
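Added example, not code from either mail: the question's three steps and the reply's three extension sections (v3_root_ca with pathlen:1, v3_sub_ca with pathlen:0, client_cert) put together as one script that builds root CA, sub CA and server certificate with the pass phrase supplied via -passout/-passin, verifies the chain against the root alone, and checks that the key file and the certificate carry the same public key. It assumes openssl(1) is installed; the work directory, names and pass phrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from either mail): root CA (pathlen:1) -> sub CA (pathlen:0)
# -> server cert, keys encrypted with a pass phrase given via -passout, chain verified
# against the root alone. Assumes openssl(1) on PATH; names and pass phrase are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
PASS='pass:example-passphrase'   # constructed; prefer -passin file:... from a secret store
write_cnf() {   # the three extension sections the reply's Makefile appends to openssl.cnf
    cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root_ca ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_cert ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid
EOF
}
# Encrypted key: -passout answers the prompt that -des3/-aes256 would otherwise raise.
gen_key() { openssl genrsa -aes256 -passout "$PASS" -out "$WORK/$1.key" 2048 2>/dev/null; }
csr() { openssl req -new -key "$WORK/$1.key" -passin "$PASS" -subj "$2" -config "$WORK/openssl.cnf" -out "$WORK/$1.csr"; }
sign() {        # $1 csr name, $2 issuer name, $3 extension section, $4 days
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -passin "$PASS" -CAcreateserial -days "$4" -extfile "$WORK/openssl.cnf" \
        -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}
build_chain() {
    write_cnf
    gen_key root; gen_key sub; gen_key server
    openssl req -new -x509 -key "$WORK/root.key" -passin "$PASS" -subj '/CN=Example Root CA' \
        -days 3650 -config "$WORK/openssl.cnf" -extensions v3_root_ca -out "$WORK/root.crt"
    csr sub '/CN=Example Sub CA'; csr server '/CN=srv.example.internal'
    sign sub root v3_sub_ca 1825
    sign server sub client_cert 365
}
# Only the root is a trust anchor; the sub CA is handed over as an untrusted intermediate.
verify_chain() { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/server.crt" >/dev/null; }
pubkey_matches() {   # the public key derived from the key file is the one inside the cert
    [ "$(openssl pkey -in "$WORK/server.key" -passin "$PASS" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" ]
}
```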