@indygwyn
Forked from drmalex07/README-minimal-CA.md
Created August 25, 2019 23:05
Setup a minimal certificate authority. #ca #minimal-ca #certificate #certificate-authority

Set up a minimal Certificate Authority (CA)

1. Set up the directory

Set up a directory to be used as the root of the certificate authority, e.g. /home/user/documents/identity/ca.

First, create the root key/certificate pair root.{key,crt} that will be used to sign client requests. For example:

    openssl genrsa -out root.key 4096
    chmod 0600 root.key
    openssl req -new -x509 -days 730 -key root.key -out root.crt

Create the master configuration file ca.conf. For example:

    [ca]

    default_ca = default

    [default]

    dir = /home/user/documents/identity/ca
    certs = $dir
    new_certs_dir = $dir/certs
    database = $dir/index
    serial = $dir/serial
    crlnumber = $dir/crlnumber
    certificate = $dir/root.crt
    private_key = $dir/root.key
    default_days = 365
    default_crl_days = 30
    # SHA-1 signatures are rejected by current TLS stacks and by OpenSSL's default security level; sign with SHA-256
    default_md = sha256
    preserve = no
    RANDFILE = $dir/random
    policy = default_policy

    [default_policy]

    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = supplied
    organizationalUnitName = supplied
    commonName = supplied
    emailAddress = optional

Now, create all required files/directories:

    mkdir certs # database of signed certificates
    touch index # index of signed certificates
    echo "01" > serial # Initialize the serial number for numbering certificates
    echo "01" > crlnumber # Initialize the serial number for numbering revocation lists (CRLs)

2. Sign a certificate

Say we have a signing request (CSR) in the file foo.csr. Sign it and produce the certificate foo.crt:

    openssl ca -config ca.conf -verbose -in foo.csr -out foo.crt

3. Export revocation list (CRL)

From time to time, some certificates that we have signed will have to be revoked (e.g. because they have been replaced by others, or because the client holding them is no longer authorized). Each time this happens we should regenerate the revocation list (CRL) to reflect the present state.

Initially, generate the empty CRL root.crl:

    openssl ca -config ca.conf -gencrl -out root.crl

We can inspect a CRL file:

    openssl crl -in root.crl -crlnumber -text

Say that foo.crt should be revoked. Revoke it (the CA database at index is updated), and then regenerate the CRL file:

    openssl ca -config ca.conf -revoke foo.crt
    openssl ca -config ca.conf -gencrl -out root.crl

If we inspect the CRL file root.crl we should now see the serial number of the revoked certificate.
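As an added example that is not part of the gist, the whole procedure above (steps 1 to 3) run end to end in a throwaway directory, non-interactively, and checked with `openssl verify -crl_check` before and after revocation so that the CRL is shown to actually take effect. It assumes `openssl` is on PATH; the subjects, the `-subj`/`-batch` flags used to avoid prompts, and `default_md = sha256` in place of the gist's sha1 are choices of this example.

```shell
#!/bin/sh
# Added example (not the gist's own code): builds the minimal CA from the steps
# above in a temp dir, signs a constructed CSR for "foo", then revokes it and
# proves the regenerated CRL rejects the certificate. Returns 0 on success.
run_minimal_ca() (
  ca=$(mktemp -d) && cd "$ca" || return 1
  openssl genrsa -out root.key 2048 2>/dev/null && chmod 0600 root.key || return 1
  # -subj makes `req` non-interactive; -batch below does the same for `ca`
  openssl req -new -x509 -days 730 -key root.key -out root.crt -subj "/O=Example Org/CN=Example Root CA" || return 1
  cat > ca.conf <<EOF
[ca]
default_ca = default
[default]
dir = $ca
new_certs_dir = \$dir/certs
database = \$dir/index
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_days = 365
default_crl_days = 30
default_md = sha256
policy = default_policy
[default_policy]
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
EOF
  mkdir certs && touch index && echo 01 > serial && echo 01 > crlnumber || return 1
  # Requester side (the gist assumes foo.csr already exists): a key and CSR that satisfies the policy
  openssl req -new -newkey rsa:2048 -nodes -keyout foo.key -out foo.csr \
    -subj "/O=Example Org/OU=Dev/CN=foo" 2>/dev/null || return 1
  openssl ca -config ca.conf -batch -in foo.csr -out foo.crt 2>/dev/null || return 1
  openssl ca -config ca.conf -gencrl -out root.crl 2>/dev/null || return 1
  # Freshly signed certificate against an empty CRL: must verify
  openssl verify -CAfile root.crt -CRLfile root.crl -crl_check foo.crt || return 1
  openssl ca -config ca.conf -revoke foo.crt 2>/dev/null || return 1
  openssl ca -config ca.conf -gencrl -out root.crl 2>/dev/null || return 1
  # Same check against the regenerated CRL must now fail ("certificate revoked")
  if openssl verify -CAfile root.crt -CRLfile root.crl -crl_check foo.crt 2>/dev/null; then
    return 1
  fi
  # The CA database carries an "R" (revoked) entry and the CRL lists serial 01
  grep -q '^R' index && openssl crl -in root.crl -noout -text | grep -q 'Serial Number: 01'
)
```

Run `run_minimal_ca && echo revocation-ok` to exercise it; the temp directory it creates is left behind for inspection of index, serial and root.crl.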

@adrian154

thanks so much for this, this is exactly what i needed.
