Create a root CA under Windows with OpenSSL


This article describes how to create your own root CA under Windows using the OpenSSL tools.
It is roughly based on https://jamielinux.com/docs/openssl-certificate-authority/
I use it to create an SSL intercept certificate.

The plan:
  1. Download the software
  2. Create the directory tree
  3. Create an openssl.conf file in your root CA
  4. Create a private key

Download the software

Get the OpenSSL software for Windows from http://indy.fulgan.com/SSL/
Extract the files to a work directory that will become the root directory of your setup.

Create the directory tree

Go to your work directory, then execute the following commands:
  1. mkdir root_CA
  2. cd root_CA
  3. mkdir certs
  4. mkdir crl
  5. mkdir newcerts
  6. mkdir private
  7. echo 10000 > serial
  8. echo 2>index.txt

The serial file holds the next serial number (in hex) the CA will issue, and the last command creates an empty index.txt, the database in which the CA records every certificate it signs.

Create openssl.conf file

….. To be documented …..
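The configuration below is an added example, not the file from the original post. It follows the layout of the jamielinux guide the post is based on, points at the directory tree created above, and defines the v3_ca and v3_intermediate_ca sections that the -extensions options in the later commands refer to. The DN defaults (NL, Zuid-Holland, Delft, Qi ict) are assumed from the prompts shown in this post and should be replaced with your own.

```ini
# openssl.conf for the root_CA directory (added example, not the post's own file).
# Layout after https://jamielinux.com/docs/openssl-certificate-authority/

[ ca ]
default_ca = CA_default

[ CA_default ]
# "." is the root_CA directory the commands are run from.
# OpenSSL accepts forward slashes in these paths on Windows.
dir               = .
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial

# The root key and root certificate created in the steps above.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# Only needed once you start publishing CRLs with "ca -gencrl".
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
default_crl_days  = 30

# SHA-1 is deprecated; the signing command also passes -md sha256.
default_md        = sha256
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA only signs intermediates that share its country, state and organisation.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Defaults offered at the prompt (assumed from this post's transcript).
countryName_default             = NL
stateOrProvinceName_default     = Zuid-Holland
localityName_default            = Delft
0.organizationName_default      = Qi ict

[ v3_ca ]
# Self-signed root: used by "req -x509 -extensions v3_ca".
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Intermediate (ProxySG) CA: used by "ca -extensions v3_intermediate_ca".
# pathlen:0 lets it sign end-entity certificates only, not further CAs.
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
```

The openssl.conf used in the ProxySG directory for the CSR step only needs the [ req ] and [ req_distinguished_name ] sections (with default_bits = 2048 to match the key generated there); the [ ca ] sections belong to root_CA alone, because that is where index.txt, serial and the root key live.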

Create Key

Use the following command to generate a key and think of a strong password that you can remember!
..\openssl genrsa -aes256 -out private\ca.key.pem 4096

The output looks like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
.....++
...........++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for private\ca.key.pem:
Verifying - Enter pass phrase for private\ca.key.pem:

Create your root Certificate

The command would be:
..\openssl req -config openssl.conf -key private\ca.key.pem -new -x509 -days 7305 -sha256 -extensions v3_ca -out certs\ca.cert.pem

The output looks something like this:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for private\ca.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name [Zuid-Holland]:
Locality Name [Delft]:
Organization Name [Qi ict]:
Organizational Unit Name []:ca.qi.nl
Common Name []:ca.qi.nl
Email Address []:hugo_van_der_kooij@qi.nl

I found the warning a bit odd as it is clear that the openssl.conf file is in fact used. The warning comes from OpenSSL trying to open the default configuration path compiled into the Windows build when it starts, before the file named with -config is read, so it can be ignored.

And we can verify our certificate with:
..\openssl x509 -noout -text -in certs\ca.cert.pem

It should match the information you typed in earlier and look like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: f5:3b:c9:18:82:e2:7f:4c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=NL, ST=Zuid-Holland, L=Delft, O=Qi ict, OU=ca.qi.nl, CN=ca.qi.nl/emailAddress=hugo_van_der_kooij@qi.nl
        Validity
            Not Before: Jul 24 09:59:56 2015 GMT
            Not After : Jul 24 09:59:56 2035 GMT
        Subject: C=NL, ST=Zuid-Holland, L=Delft, O=Qi ict, OU=ca.qi.nl, CN=ca.qi.nl/emailAddress=hugo_van_der_kooij@qi.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d4:15:24:b3:5f:e2:11:e5:b6:25:9e:51:9d:bd:
                    49:0f:c0:f6:14:9f:a9:06:b9:e7:4b:a2:67:55:9e:
                    a6:22:f4:a6:cc:82:00:7f:ee:13:cf:99:9e:bb:f2:
                    56:43:73:c8:8a:47:7f:c0:1c:9a:cd:e5:e7:46:9d:
                    44:4e:4d:d6:d6:c9:0c:08:e0:89:68:7f:a9:c6:2b:
                    f3:86:82:fe:bd:0d:0f:43:fd:61:dc:6b:9d:e6:0b:
                    cd:e7:15:63:6a:f3:d9:68:ff:02:cc:96:80:54:14:
                    5a:9a:b2:b5:d3:4b:19:98:a7:b4:c7:3b:6f:44:2c:
                    28:76:2f:a4:c8:04:76:9a:61:ce:88:e3:42:89:26:
                    d7:0a:8d:e7:a9:bd:b0:42:22:29:fc:50:a5:69:21:
                    be:43:80:66:ba:89:1f:26:81:0f:31:a3:4f:6d:bc:
                    c8:f1:5a:95:83:1f:fc:db:91:d4:af:f2:5f:3d:25:
                    e2:6c:d2:04:67:15:87:19:d5:95:c3:4b:b9:42:49:
                    c7:20:b2:a9:d1:1a:7e:89:ed:cb:ae:e9:fc:3d:7c:
                    5f:34:3f:db:fd:ff:f7:c8:ed:40:c5:20:2d:86:34:
                    8b:47:bd:da:25:80:5f:89:9b:2b:ad:92:59:11:2a:
                    84:1c:d0:4b:c0:10:57:fa:28:f8:a7:70:f5:fe:b9:
                    df:50:bb:e6:f0:fa:9d:db:16:b7:6d:de:00:fd:6e:
                    3e:2a:a2:dd:6d:89:ee:23:cb:34:44:0d:48:71:d3:
                    cd:cf:74:bc:2f:bc:af:37:7d:3b:00:11:16:30:20:
                    af:f4:30:88:eb:3b:6d:4a:f4:95:ce:dc:38:ad:8a:
                    5f:5b:60:f5:84:59:15:f5:83:c1:f9:a7:de:c9:98:
                    ad:10:62:b8:b7:c5:17:3d:f5:d5:92:1b:6d:bf:9d:
                    1c:76:70:63:03:a2:9f:af:7b:1d:34:92:4f:e4:97:
                    fc:4e:ce:d2:6f:b7:7c:84:87:e5:b0:ee:59:78:e9:
                    63:b8:33:32:6e:cd:4a:d0:7d:54:c5:1c:a6:f2:c4:
                    56:ba:fd:7f:7a:02:fc:3c:11:bd:6f:8c:40:3a:3a:
                    f0:bd:6b:af:ba:72:84:2f:eb:10:69:69:6a:da:42:
                    ea:c7:9a:ac:f3:bc:59:02:4d:1b:a6:00:8b:20:0d:
                    50:77:7a:31:fd:be:f0:87:80:d9:1c:0b:19:fd:6d:
                    b4:82:03:d1:63:ae:80:19:ee:a2:6a:31:29:94:6c:
                    c5:bd:19:88:73:15:08:83:a2:be:6f:7c:36:1a:6a:
                    5e:5b:87:a6:9d:8e:f8:9a:75:77:01:8c:6d:5d:40:
                    3d:8e:7e:61:6d:d6:4a:bb:bf:93:da:93:3d:d2:25:
                    21:dd:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0A:6B:4E:49:15:39:9F:A9:1A:B6:A5:BE:8E:A4:FB:4A:EE:E4:49:80
            X509v3 Authority Key Identifier:
                keyid:0A:6B:4E:49:15:39:9F:A9:1A:B6:A5:BE:8E:A4:FB:4A:EE:E4:49:80

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         6a:54:95:e0:86:e1:14:a8:e3:ea:3e:7b:9a:45:52:b8:a1:de:
         c0:c8:f5:f3:f1:43:9c:02:bc:ec:8d:47:28:d5:c9:98:52:73:
         36:b5:b2:ce:5b:b2:26:ce:b6:03:00:a5:9d:e7:7e:03:c1:53:
         82:97:f5:50:d4:c5:4f:5f:6e:85:2b:37:99:fe:4c:c3:8a:83:
         73:0b:18:e6:c2:89:85:84:8f:fa:f3:69:d6:19:f1:c8:17:08:
         51:d5:7a:0a:cc:92:b0:ec:e2:e1:4c:c7:45:ff:59:e0:57:00:
         f3:50:3b:84:e2:f0:16:71:02:c3:f4:35:e1:93:81:35:bf:71:
         ce:d8:cc:84:60:d0:91:0b:54:d2:21:86:af:57:d4:56:36:94:
         ad:a0:f1:32:6d:c1:4f:6b:30:59:21:cb:d0:c2:e4:81:43:b1:
         5e:51:73:6b:51:a3:b2:48:7b:09:ea:12:2d:2a:08:d9:a2:f4:
         df:0c:ae:2e:54:e4:7c:11:fd:ba:04:1d:32:9d:50:6a:32:48:
         a2:16:83:da:95:b4:fe:20:d7:02:b3:f4:43:27:77:24:74:f6:
         75:6c:4c:79:35:6d:85:f5:7a:5c:37:42:a1:b8:00:f4:6c:32:
         37:7d:e3:f5:a8:33:79:b2:ac:ba:c5:13:e3:77:2d:19:d5:40:
         8d:4d:fa:85:7c:c7:ab:d1:cf:f2:da:47:ca:37:69:dd:f8:a3:
         7e:06:9b:b1:b5:04:d4:aa:33:f8:9b:26:fc:1a:b5:71:a6:91:
         71:42:f5:03:76:58:6d:fb:de:0c:f5:e2:b9:4c:fd:be:0e:86:
         13:63:fe:f2:42:e8:4d:68:f5:7a:f5:ad:91:79:31:12:36:ec:
         9d:80:a8:f5:32:c7:46:34:16:40:ef:de:43:d0:fe:d9:ca:be:
         88:ca:e9:23:6c:da:15:08:b3:02:9c:cf:4c:26:54:6f:98:50:
         39:f9:e0:8f:1c:51:36:41:12:d4:41:a9:a5:01:ba:92:bf:77:
         53:de:f7:76:f5:02:7b:c7:f0:f6:77:92:0e:7f:5f:01:4f:ba:
         56:e2:dc:0f:f1:dc:dc:9a:ae:69:f1:05:85:9e:6c:8f:8b:ec:
         82:4d:ea:d8:26:68:b3:3e:06:8b:77:3b:b0:80:cb:49:24:0b:
         cf:2f:1c:5d:1e:f3:8b:db:42:01:c4:7b:af:5d:8d:b7:a5:21:
         63:47:51:1a:d1:33:84:30:78:a8:f5:00:1c:ac:b5:18:a0:10:
         6d:b9:37:a3:c1:6f:bf:90:82:59:0a:46:7a:74:8a:c5:60:42:
         ea:a2:b9:90:17:eb:f3:19:8f:55:48:5f:21:d8:45:e1:ba:37:
         97:1a:2b:cf:da:02:e7:11

Create your CA config

….. to be done later …..

Create CA (ProxySG) key

This key is generated in a ProxySG directory next to root_CA (the signing step below refers to the CSR as ..\ProxySG\proxysg.csr.pem):
..\openssl genrsa -aes256 -out proxysg.key.pem 2048

The output looks like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.........+++
......+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for proxysg.key.pem:
Verifying - Enter pass phrase for proxysg.key.pem:

Create CA (ProxySG) CSR

..\openssl req -config openssl.conf -new -sha256 -key proxysg.key.pem -out proxysg.csr.pem

The output looks like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for proxysg.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name [Zuid-Holland]:
Locality Name [Delft]:
Organization Name [Qi ict]:
Organizational Unit Name []:LAB
Common Name []:proxysg.qi.nl
Email Address []:hugo_van_der_kooij@qi.nl

Sign the CA certificate

Go to the CA root directory.
cd ..\root_CA

Sign the certificate
..\openssl ca -config openssl.conf -extensions v3_intermediate_ca -days 3653 -notext -md sha256 -in ..\ProxySG\proxysg.csr.pem -out ..\ProxySG\proxysg.cert.pem

WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for ./private/ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Zuid-Holland'
localityName          :ASN.1 12:'Delft'
organizationName      :ASN.1 12:'Qi ict'
organizationalUnitName:ASN.1 12:'LAB'
commonName            :ASN.1 12:'proxysg.qi.nl'
emailAddress          :IA5STRING:'hugo_van_der_kooij@qi.nl'
Certificate is to be certified until Jul 24 11:01:59 2025 GMT (3653 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
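As an added check, not part of the original post, the cmd script below verifies that the freshly signed intermediate actually chains to the root and carries the v3_intermediate_ca extensions, then builds the chain file the proxy has to present. It assumes the same layout as the commands above: it is run from inside root_CA, the OpenSSL binaries are one level up, and the ProxySG files are in ..\ProxySG.

```batch
@echo off
rem Post-signing checks for the ProxySG intermediate certificate.
rem Added example, not from the original post. Assumes it runs inside
rem root_CA, with openssl.exe one level up and the ProxySG files in ..\ProxySG.

rem 1. Does the intermediate verify against the root? Expect the line
rem    "..\ProxySG\proxysg.cert.pem: OK". OpenSSL 1.0.2 and later exit
rem    non-zero on a verification failure, so the script stops here.
..\openssl verify -CAfile certs\ca.cert.pem ..\ProxySG\proxysg.cert.pem
if errorlevel 1 (
    echo Chain verification FAILED - do not deploy this certificate.
    exit /b 1
)

rem 2. Confirm the v3_intermediate_ca extensions were applied: the issuer
rem    must be the root, Basic Constraints must show CA:TRUE with pathlen:0,
rem    and Key Usage must include Certificate Sign.
..\openssl x509 -noout -text -in ..\ProxySG\proxysg.cert.pem | findstr /C:"Issuer:" /C:"Subject:" /C:"Not After" /C:"CA:TRUE" /C:"Certificate Sign"

rem 3. The proxy presents its own certificate followed by the root, so the
rem    chain file is the two PEM files concatenated in that order.
type ..\ProxySG\proxysg.cert.pem certs\ca.cert.pem > ..\ProxySG\ca-chain.cert.pem

rem 4. The CA's own records: index.txt now has one "V" (valid) line for the
rem    issued certificate, and newcerts holds a copy named after its serial.
type index.txt
dir /b newcerts
```

If step 1 fails, the usual causes are signing with a different openssl.conf than the one that created certs\ca.cert.pem, or a CSR whose subject does not satisfy the policy section the ca command used; check the Issuer line from step 2 against the root's Subject before trying again.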
