This article describes how to create your own root CA under Windows by using the OpenSSL tools.
It is roughly based on https://jamielinux.com/docs/openssl-certificate-authority/
I use it to create an SSL intercept certificate.
- Download the software
- Create the directory tree
- Create an openssl.conf file in your root CA
- Create a private key
Download the software
Get the OpenSSL software for Windows from http://indy.fulgan.com/SSL/ (a third-party build; since it will handle your root CA key, verify the download wherever a checksum or signature is offered).
Extract the files to a work directory that will become the root directory of your setup.
Create the directory tree
Go to your work directory, then execute the following commands:
- mkdir root_CA
- cd root_CA
- mkdir certs
- mkdir crl
- mkdir newcerts
- mkdir private
- echo 10000 > serial
- echo 2>index.txt
The serial file holds the (hexadecimal) serial number that openssl ca will give the next certificate it issues; keep the space before the > in that command, because cmd would otherwise read the final 0 as a file handle number. index.txt is the database of issued certificates: it must exist but be empty, which is what the last command does (it redirects the stderr of a bare echo into the file, so nothing is written to it).
Create openssl.conf file
….. To be documented …..
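The file is left undocumented on this page, but every later command depends on it: the -config option, the v3_ca and v3_intermediate_ca extension sections, and the directory layout created above. The following openssl.conf is an added example written for this article, not the author's own file. It follows the layout of the jamielinux guide the article is based on, with these assumptions: all paths are relative to root_CA (which is why openssl is run from inside that directory, and matches the "Enter pass phrase for ./private/ca.key.pem" prompt shown later), the DN prompt labels and defaults are the ones visible in the output on this page, and a copy of the same file placed in the ProxySG directory serves the req step there. The "WARNING: can't open config file: /usr/local/ssl/openssl.cnf" that precedes every command is the Windows build looking for its compiled-in default path before it reads -config; running set OPENSSL_CONF=openssl.conf inside root_CA makes that lookup succeed and the warning disappear.

```ini
# openssl.conf for root_CA - added example written for this article, not the
# author's own file. Layout follows the jamielinux guide the article is based on.
# Paths are relative to root_CA, so run ..\openssl from inside that directory.

[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = .
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# Only used by "openssl ca -gencrl"; needs "echo 1000 > crlnumber" first.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

default_md        = sha256
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

# openssl ca refuses a request whose C, ST or O differ from the root's own,
# so a stray request from another organisation cannot be signed by accident.
[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
x509_extensions     = v3_ca

# Prompt labels and defaults as they appear in the output on this page.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
countryName_default             = NL
stateOrProvinceName_default     = Zuid-Holland
localityName_default            = Delft
0.organizationName_default      = Qi ict

# Root certificate: a CA that is allowed to sign other CAs.
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

# ProxySG certificate: it must be a CA, because the proxy signs the
# on-the-fly server certificates with it, but pathlen:0 means nothing
# it signs can itself act as a CA.
[ v3_intermediate_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
```

Save it as root_CA\openssl.conf. The basicConstraints lines are the security-relevant part: without CA:true on the root, clients reject everything it signs, and without pathlen:0 on the ProxySG certificate a compromised proxy key could mint further CAs that the same clients would trust.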
Create Key
Use the following command to generate the root CA key. Choose a strong passphrase that you can remember: it is the only protection of the key that every certificate in this setup ultimately chains to.
..\openssl genrsa -aes256 -out private\ca.key.pem 4096
The output looks like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
.....++
...........++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for private\ca.key.pem:
Verifying - Enter pass phrase for private\ca.key.pem:
Create your root Certificate
The command would be:
..\openssl req -config openssl.conf -key private\ca.key.pem -new -x509 -days 7305 -sha256 -extensions v3_ca -out certs\ca.cert.pem
(The option is -extensions; v3_ca is the section of openssl.conf that marks the certificate as a CA, and 7305 days is 20 years.)
The output looks something like this:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for private\ca.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name [Zuid-Holland]:
Locality Name [Delft]:
Organization Name [Qi ict]:
Organizational Unit Name []:ca.qi.nl
Common Name []:ca.qi.nl
Email Address []:hugo_van_der_kooij@qi.nl
I found the warning a bit odd as it is clear that the openssl.conf file is in fact used.
We can verify our certificate with:
..\openssl x509 -noout -text -in certs\ca.cert.pem
It should match the information you typed in earlier and look like:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f5:3b:c9:18:82:e2:7f:4c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=NL, ST=Zuid-Holland, L=Delft, O=Qi ict, OU=ca.qi.nl, CN=ca.qi.
nl/emailAddress=hugo_van_der_kooij@qi.nl
Validity
Not Before: Jul 24 09:59:56 2015 GMT
Not After : Jul 24 09:59:56 2035 GMT
Subject: C=NL, ST=Zuid-Holland, L=Delft, O=Qi ict, OU=ca.qi.nl, CN=ca.qi
.nl/emailAddress=hugo_van_der_kooij@qi.nl
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d4:15:24:b3:5f:e2:11:e5:b6:25:9e:51:9d:bd:
49:0f:c0:f6:14:9f:a9:06:b9:e7:4b:a2:67:55:9e:
a6:22:f4:a6:cc:82:00:7f:ee:13:cf:99:9e:bb:f2:
56:43:73:c8:8a:47:7f:c0:1c:9a:cd:e5:e7:46:9d:
44:4e:4d:d6:d6:c9:0c:08:e0:89:68:7f:a9:c6:2b:
f3:86:82:fe:bd:0d:0f:43:fd:61:dc:6b:9d:e6:0b:
cd:e7:15:63:6a:f3:d9:68:ff:02:cc:96:80:54:14:
5a:9a:b2:b5:d3:4b:19:98:a7:b4:c7:3b:6f:44:2c:
28:76:2f:a4:c8:04:76:9a:61:ce:88:e3:42:89:26:
d7:0a:8d:e7:a9:bd:b0:42:22:29:fc:50:a5:69:21:
be:43:80:66:ba:89:1f:26:81:0f:31:a3:4f:6d:bc:
c8:f1:5a:95:83:1f:fc:db:91:d4:af:f2:5f:3d:25:
e2:6c:d2:04:67:15:87:19:d5:95:c3:4b:b9:42:49:
c7:20:b2:a9:d1:1a:7e:89:ed:cb:ae:e9:fc:3d:7c:
5f:34:3f:db:fd:ff:f7:c8:ed:40:c5:20:2d:86:34:
8b:47:bd:da:25:80:5f:89:9b:2b:ad:92:59:11:2a:
84:1c:d0:4b:c0:10:57:fa:28:f8:a7:70:f5:fe:b9:
df:50:bb:e6:f0:fa:9d:db:16:b7:6d:de:00:fd:6e:
3e:2a:a2:dd:6d:89:ee:23:cb:34:44:0d:48:71:d3:
cd:cf:74:bc:2f:bc:af:37:7d:3b:00:11:16:30:20:
af:f4:30:88:eb:3b:6d:4a:f4:95:ce:dc:38:ad:8a:
5f:5b:60:f5:84:59:15:f5:83:c1:f9:a7:de:c9:98:
ad:10:62:b8:b7:c5:17:3d:f5:d5:92:1b:6d:bf:9d:
1c:76:70:63:03:a2:9f:af:7b:1d:34:92:4f:e4:97:
fc:4e:ce:d2:6f:b7:7c:84:87:e5:b0:ee:59:78:e9:
63:b8:33:32:6e:cd:4a:d0:7d:54:c5:1c:a6:f2:c4:
56:ba:fd:7f:7a:02:fc:3c:11:bd:6f:8c:40:3a:3a:
f0:bd:6b:af:ba:72:84:2f:eb:10:69:69:6a:da:42:
ea:c7:9a:ac:f3:bc:59:02:4d:1b:a6:00:8b:20:0d:
50:77:7a:31:fd:be:f0:87:80:d9:1c:0b:19:fd:6d:
b4:82:03:d1:63:ae:80:19:ee:a2:6a:31:29:94:6c:
c5:bd:19:88:73:15:08:83:a2:be:6f:7c:36:1a:6a:
5e:5b:87:a6:9d:8e:f8:9a:75:77:01:8c:6d:5d:40:
3d:8e:7e:61:6d:d6:4a:bb:bf:93:da:93:3d:d2:25:
21:dd:31
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0A:6B:4E:49:15:39:9F:A9:1A:B6:A5:BE:8E:A4:FB:4A:EE:E4:49:80
X509v3 Authority Key Identifier:
keyid:0A:6B:4E:49:15:39:9F:A9:1A:B6:A5:BE:8E:A4:FB:4A:EE:E4:49:8
0
Create your CA config
….. to be done later …..
Create CA (ProxySG) key
The ProxySG commands are run in a separate ProxySG directory next to root_CA (the signing step below refers to it as ..\ProxySG).
..\openssl genrsa -aes256 -out proxysg.key.pem 2048
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.........+++
......+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for proxysg.key.pem:
Verifying - Enter pass phrase for proxysg.key.pem:
Create CA (ProxySG) CSR
..\openssl req -config openssl.conf -new -sha256 -key proxysg.key.pem -out proxysg.csr.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for proxysg.key.pem:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name [Zuid-Holland]:
Locality Name [Delft]:
Organization Name [Qi ict]:
Organizational Unit Name []:LAB
Common Name []:proxysg.qi.nl
Email Address []:hugo_van_der_kooij@qi.nl
Sign the CA certificate
Go to the CA root directory.
cd ..\root_CA
Sign the certificate
..\openssl ca -config openssl.conf -extensions v3_intermediate_ca -days 3653 -notext -md sha256 -in ..\ProxySG\proxysg.csr.pem -out ..\ProxySG\proxysg.cert.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for ./private/ca.key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Zuid-Holland'
localityName          :ASN.1 12:'Delft'
organizationName      :ASN.1 12:'Qi ict'
organizationalUnitName:ASN.1 12:'LAB'
commonName            :ASN.1 12:'proxysg.qi.nl'
emailAddress          :IA5STRING:'hugo_van_der_kooij@qi.nl'
Certificate is to be certified until Jul 24 11:01:59 2025 GMT (3653 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
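Before the ProxySG certificate is put into service it is worth checking what was actually produced, since the x509 listing of the root earlier on this page is cut off before the basicConstraints extension. The following cmd batch file is an added example written for this article, not something from the original page or from the ProxySG vendor. It assumes it is saved in the work directory next to openssl.exe, that root_CA\openssl.conf exists, that the file names are the ones used in the article, and it chooses the name proxysg.chain.pem for the chain file it writes.

```batch
@echo off
rem check_ca.cmd - added example, not part of the original article.
rem Run from the work directory that holds openssl.exe, root_CA\ and ProxySG\.
rem Assumes the file names used in the article and that root_CA\openssl.conf
rem exists; proxysg.chain.pem is a name chosen here.
setlocal

set OPENSSL=%~dp0openssl.exe
set ROOT=root_CA\certs\ca.cert.pem
set INTER=ProxySG\proxysg.cert.pem

rem The Windows build first tries its compiled-in /usr/local/ssl/openssl.cnf,
rem which is what the "can't open config file" warning is about. Pointing
rem OPENSSL_CONF at our file makes that lookup succeed.
set OPENSSL_CONF=%~dp0root_CA\openssl.conf

rem 1. The root must carry basicConstraints CA:TRUE, or clients will not
rem    accept anything it signs.
%OPENSSL% x509 -noout -text -in %ROOT% | findstr /C:"CA:TRUE" >nul
if errorlevel 1 (
  echo FAIL: %ROOT% has no basicConstraints CA:TRUE
  exit /b 1
)

rem 2. The ProxySG certificate must be a CA as well, since the proxy signs the
rem    on-the-fly server certificates with it, but with pathlen:0 so that a
rem    stolen proxy key can never be used to issue another CA.
%OPENSSL% x509 -noout -text -in %INTER% | findstr /C:"CA:TRUE, pathlen:0" >nul
if errorlevel 1 (
  echo FAIL: %INTER% is not a CA with pathlen:0
  exit /b 1
)

rem 3. The ProxySG certificate must chain to the root. The "OK" text is checked
rem    rather than the exit code because older openssl builds exit 0 on failure.
%OPENSSL% verify -CAfile %ROOT% %INTER% | findstr /C:": OK" >nul
if errorlevel 1 (
  echo FAIL: %INTER% does not verify against %ROOT%
  exit /b 1
)

rem 4. Print the root fingerprint; publish it with the root certificate so the
rem    clients that will trust it can confirm they imported the right one.
%OPENSSL% x509 -noout -fingerprint -sha256 -in %ROOT%

rem 5. Chain file (proxy certificate first, then the root) to import together
rem    with proxysg.key.pem. The root key itself stays in root_CA\private and
rem    is never copied to the proxy.
copy /b %INTER% + %ROOT% ProxySG\proxysg.chain.pem >nul
echo OK: all checks passed, chain written to ProxySG\proxysg.chain.pem
endlocal
```

Run it as check_ca.cmd from the work directory; any failed check prints a FAIL line and exits with status 1. Only the ProxySG key and chain file go to the proxy, and only the root certificate (never its key) goes to the clients that must trust the intercepted connections.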