Hi folks,

I'm setting up a new CA/SSL infrastructure for work - the CA is self signed and all SSL certs (mostly server certs rather than client certs) will be signed off against this CA.

I've just made the effort to try to actually understand SSL a bit better rather than monkey churning broken certs out - so I'd really value a quick eyeball of my config and some text dumps of sample certs if anyone has a mo.

Revocation crl would be published in this example at:

http://www.example.com/ssl/CA-example.com.crl

I do apologise - it's a long post. I'm just not totally sure if I have the correct attributes and extensions - and whether it meets the requirements of a v3 SSL cert (I think it does). Is 4096 bit key and sha1 a good choice?

And is the revocation bit done correctly (assuming I actually maintain a CRL from openssl ca -gencrl at the url above)?

Here goes:

================ config =====================
We use [v3_ca] for the CA, [server_cert] for server certs,
[client_cert] for clients - Sorry slight line wrap

The common name varies by the cert, but the rest is constant.
=============================================
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/tw/WORK/Devel/SSL-Certs
database = /home/tw/WORK/Devel/SSL-Certs/.data/index.txt
new_certs_dir = /home/tw/WORK/Devel/SSL-Certs/.data
serial = /home/tw/WORK/Devel/SSL-Certs/.data/serial
RANDFILE = /home/tw/WORK/Devel/SSL-Certs/.data/.rand
x509_extensions = server_cert
default_days = 395
default_crl_days = 395
default_md = sha1
preserve = no
policy = policy
unique_subject = yes
email_in_dn = no

[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Certificate"
nsCaRevocationUrl = http://www.example.com/ssl/CA-example.com.crl
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy

[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
nsComment = "OpenSSL Generated Certificate"
nsCaRevocationUrl = http://www.example.com/ssl/example.com.crl
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
keyUsage = digitalSignature, keyEncipherment

[ policy ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = London
localityName = Locality Name (eg, city)
localityName_default = Trafalger Square
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Exampel Widgets Inc
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Systems Group
commonName = Common Name
commonName_default = example.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = syst...@example.com
emailAddress_max = 40

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
nsComment = "OpenSSL Generated Certificate"
nsCaRevocationUrl = http://www.example.com/ssl/CA-example.com.crl
subjectAltName = email:copy
keyUsage = critical, keyCertSign, cRLSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_attributes ]

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
==================== End config ==============================

========== Sample CA text dump ===============================

generated with:

openssl req -new -batch -keyform PEM -outform PEM \
    -config .temp/sslconfig.cnf -out .temp/CA-example.com.csr \
    -keyout .temp/CA-example.com.key -extensions v3_ca -sha1

and

openssl ca -config .temp/sslconfig.cnf -create_serial \
    -out .temp/CA-example.com.crt -days 3660 -batch \
    -keyfile .temp/CA-example.com.key -selfsign -extensions v3_ca \
    -in .temp/CA-example.com.csr

==============================================================

% openssl x509 -in certs/CA-example.com.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1048576 (0x100000)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=example.com/emailAddress=syst...@example.com
Validity
Not Before: May 19 08:43:17 2011 GMT
Not After : May 26 08:43:17 2021 GMT
Subject: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
<snip hex>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
4D:33:FC:AD:66:76:FB:9F:13:B1:77:1E:C4:FC:03:0B:3D:C8:BB:33
X509v3 Authority Key Identifier:
keyid:4D:33:FC:AD:66:76:FB:9F:13:B1:77:1E:C4:FC:03:0B:3D:C8:BB:33
DirName:/C=GB/ST=London/O=Exampel Widgets Inc/OU=Systems Group/CN=example.com/emailAddress=syst...@example.com
serial:10:00:00

X509v3 Basic Constraints:
CA:TRUE
Netscape Cert Type:
SSL CA, S/MIME CA
X509v3 Issuer Alternative Name:
<EMPTY>

Netscape Comment:
OpenSSL Generated Certificate
Netscape CA Revocation Url:
http://www.example.com/ssl/CA-example.com.crl
X509v3 Subject Alternative Name:
email:syst...@example.com
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
<snip hex>
==================== End CA dump ==============================

==================== Server cert ==============================

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1048577 (0x100001)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=example.com
Validity
Not Before: May 19 08:45:46 2011 GMT
Not After : May 18 08:45:46 2012 GMT
Subject: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
<snip hex>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Certificate
Netscape CA Revocation Url:
http://www.example.com/ssl/CA-www.example.com.crl
X509v3 Subject Key Identifier:
DE:96:E9:01:C8:6E:70:53:56:07:E9:0A:B4:AA:34:7B:47:51:34:31
X509v3 Authority Key Identifier:
keyid:4D:33:FC:AD:66:76:FB:9F:13:B1:77:1E:C4:FC:03:0B:3D:C8:BB:33
DirName:/C=GB/ST=London/O=Exampel Widgets Inc/OU=Systems Group/CN=example.com/emailAddress=syst...@example.com
serial:10:00:00

X509v3 Issuer Alternative Name:
email:syst...@example.com
X509v3 Subject Alternative Name:
email:syst...@example.com
Signature Algorithm: sha1WithRSAEncryption
<snip hex>
-----BEGIN CERTIFICATE-----
<snip>

==================== End server cert ==========================

==================== Client cert ==============================

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1048578 (0x100002)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=example.com
Validity
Not Before: May 19 08:47:26 2011 GMT
Not After : May 18 08:47:26 2012 GMT
Subject: C=GB, ST=London, O=Exampel Widgets Inc, OU=Systems Group, CN=marky.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
<snip hex>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
Netscape CA Revocation Url:
http://www.example.com/ssl/marky.example.com.crl
X509v3 Subject Key Identifier:
71:E4:02:DA:96:E9:8A:B6:48:89:4D:B9:B7:8C:64:0B:CD:9B:81:F3
X509v3 Authority Key Identifier:
keyid:4D:33:FC:AD:66:76:FB:9F:13:B1:77:1E:C4:FC:03:0B:3D:C8:BB:33
DirName:/C=GB/ST=London/O=Exampel Widgets Inc/OU=Systems Group/CN=example.com/emailAddress=syst...@example.com
serial:10:00:00

X509v3 Issuer Alternative Name:
email:syst...@example.com
X509v3 Subject Alternative Name:
email:syst...@example.com
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
<snip hex>
-----BEGIN CERTIFICATE-----
<snip>
==================== End client cert ==========================

Many thanks for any comments!

Cheers,

Tim

--
Tim Watts
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
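
An added example, not part of the post above and not OpenSSL's own code: a small Python lint over `openssl x509 -text` output that checks the revocation pointer, the subject alternative name and the signature hash in dumps like the ones quoted. The function names, finding codes and the embedded sample (constructed from the server-cert dump in the post) are assumptions made for illustration.

```python
import re
# URL where the post says the CRL will be published.
EXPECTED_CRL = "http://www.example.com/ssl/CA-example.com.crl"
# Constructed sample: extension lines of the server-cert dump quoted in the post.
SERVER_DUMP = """\
Signature Algorithm: sha1WithRSAEncryption
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape CA Revocation Url:
http://www.example.com/ssl/CA-www.example.com.crl
X509v3 Subject Alternative Name:
email:syst...@example.com
"""

HEADER = re.compile(r"^((?:X509v3|Netscape) .+?):(?: critical)?$")

def parse_extensions(dump):
    """Map extension name -> list of value lines; indentation is ignored."""
    exts, current = {}, None
    for line in (raw.strip() for raw in dump.splitlines()):
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            if current != "X509v3 extensions":  # section title, not an extension
                exts[current] = []
        elif line.startswith("Signature Algorithm:"):
            current = None  # end of the extension block
        elif line and current in exts:
            exts[current].append(line)
    return exts

def lint(dump, expected_crl=EXPECTED_CRL):
    exts, findings = parse_extensions(dump), []
    ns_url = exts.get("Netscape CA Revocation Url", [])
    if ns_url and ns_url[0] != expected_crl:
        findings.append("ns-url-mismatch")  # cert points at a CRL nobody publishes
    if "X509v3 CRL Distribution Points" not in exts:
        findings.append("no-crl-distribution-points")  # the RFC 5280 CRL pointer
    is_server = "SSL Server" in " ".join(exts.get("Netscape Cert Type", []))
    san = " ".join(exts.get("X509v3 Subject Alternative Name", []))
    if is_server and "DNS:" not in san:
        findings.append("server-san-has-no-dns-name")  # host name only in the CN
    if re.search(r"Signature Algorithm: sha1With", dump):
        findings.append("sha1-signature")
    return findings
```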
