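# CREATE DIRECTORIES AND CONFIGS FOR ROOT CA
# One-time bootstrap of the openssl ca(1) database (index.txt + serial).
# Re-running it would reset the serial counter of an existing CA, so the
# plain (non -p) mkdir of the sub-directories is kept: it fails loudly if
# the layout already exists.
mkdir -p /data/ca
cd /data/ca || exit 1            # every path below is relative to this dir
mkdir certs crl newcerts private
chmod 700 private                # the CA key lives here; owner-only
touch index.txt
echo 1000 > serial
# The CA config is fetched over plain HTTP with no integrity check. Read it
# (policy, default_days, the v3_ca section) before it is used to build the
# CA — it decides what the root will sign.
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_root_CA.cnf
mv openssl_root_CA.cnf openssl.cnf
# Root key: 4096-bit RSA, AES-256 encrypted on disk. The passphrase is
# prompted for twice (see the transcript below); choose a strong one — this
# key anchors the whole hierarchy.
openssl genrsa -aes256 -out private/ca.key 4096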
Enter pass phrase for private/ca.key:123123
Verifying - Enter pass phrase for private/ca.key:123123
# Lock the root key down to owner-read-only, then self-sign the root
# certificate: 20 years, SHA-256, v3_ca extensions from openssl.cnf.
# The key passphrase is prompted for; the DN prompts that follow are
# answered with the defaults from the config (ENTER on each).
root_key=private/ca.key
root_crt=certs/ca.crt
chmod 400 "$root_key"
openssl req -config openssl.cnf \
  -key "$root_key" \
  -new -x509 \
  -days 7300 \
  -sha256 \
  -extensions v3_ca \
  -out "$root_crt"
Enter pass phrase for private/ca.key:123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name (full name) [Moscow]:ENTER
Locality Name (eg, city) [Moscow]:ENTER
Organization Name (eg, company) [Alexlinux Ltd]:ENTER
Common Name (eg, your name or your server’s hostname)
[Alexlinux Root CA]:ENTER
[email protected] []:ENTER
# SET PERMISSIONS
# The root certificate is public material: readable by everyone, writable
# by nobody (a=r is the same mode as 444).
chmod a=r certs/ca.crt
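# CREATE DIRECTORIES AND CONFIGS FOR INTERMEDIATE CA
# Same database layout as the root, plus csr/ for incoming requests and a
# crlnumber counter (the server certificate issued further down carries a
# CRL Distribution Point, so this CA is expected to publish CRLs).
# One-time bootstrap: re-running resets serial/crlnumber, hence no mkdir -p
# on the sub-directories — an existing layout makes it fail loudly.
mkdir -p /data/ca/intermediate
cd /data/ca/intermediate || exit 1
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /data/ca/intermediate/crlnumber
# Unauthenticated plain-HTTP download of the CA config — inspect it before
# it is used to issue anything.
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_intermediate_CA.cnf
mv openssl_intermediate_CA.cnf openssl.cnf
# All remaining steps are run from the root CA directory.
cd /data/ca || exit 1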
# GENERATE PRIVATE KEY FOR INTERMEDIATE CA
# 4096-bit RSA, AES-256 encrypted on disk; openssl prompts for the
# passphrase twice (transcript below).
int_key=intermediate/private/intermediate.key
openssl genrsa -aes256 -out "$int_key" 4096
Enter pass phrase for intermediate/private/intermediate.key:
123123
Verifying - Enter pass phrase for intermediate/private/intermediate.key:
123123
# Owner-read-only on the intermediate key, then build its CSR using the
# intermediate's own config (DN defaults come from that file; the key
# passphrase is prompted for).
int_key=intermediate/private/intermediate.key
int_csr=intermediate/csr/intermediate.csr
chmod 400 "$int_key"
# GENERATE CSR FROM PRIVATE KEY
openssl req -config intermediate/openssl.cnf \
  -new -sha256 \
  -key "$int_key" \
  -out "$int_csr"
Enter pass phrase for intermediate/private/intermediate.key:
123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name [Moscow]:ENTER
Locality Name [Moscow]:ENTER
Organization Name [Alexlinux Ltd]:ENTER
Organizational Unit Name [Security]:ENTER
Common Name [Alexlinux Intermediate CA]:ENTER
Email Address [[email protected]]:ENTER
# CREATE CERTIFICATE FROM CSR
# Signed by the ROOT: root config, root key passphrase prompted. The
# v3_intermediate_ca section yields "CA:TRUE, pathlen:0" (see the extension
# dump below), i.e. the intermediate may issue end-entity certificates but
# no further sub-CAs. 10-year validity.
int_csr=intermediate/csr/intermediate.csr
int_crt=intermediate/certs/intermediate.crt
openssl ca -config openssl.cnf \
  -extensions v3_intermediate_ca \
  -days 3650 \
  -notext \
  -md sha256 \
  -in "$int_csr" \
  -out "$int_crt"
Enter pass phrase for /data/ca/private/ca.key:123123
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Jan 6 18:36:56 2017 GMT
Not After : Jan 4 18:36:56 2027 GMT
Subject:
countryName = RU
stateOrProvinceName = Moscow
organizationName = Alexlinux Ltd
organizationalUnitName = Security
commonName = Alexlinux Intermediate CA
emailAddress = [email protected]
X509v3 extensions:
X509v3 Subject Key Identifier:
F6:A4:FA:89:0F:4F:AC:C0:C7:B9:75:E7:06:D1:2B:E6:6F:A7:5A:9B
X509v3 Authority Key Identifier:
keyid:96:97:C2:46:AB:BB:43:31:31:97:83:14:22:0E:08:CF:F8:96:07:69
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 4 18:36:56 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
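# The intermediate certificate is public: read-only for everyone.
chmod 444 intermediate/certs/intermediate.crt
# Confirm the intermediate really validates against the root before it is
# bundled — a wrong -config/-extensions choice above shows up here, not in
# production. Expect "intermediate/certs/intermediate.crt: OK".
openssl verify -CAfile certs/ca.crt intermediate/certs/intermediate.crt || exit 1
# CREATE CHAIN
# Order matters for TLS servers: the issuing intermediate first, root last.
cat intermediate/certs/intermediate.crt certs/ca.crt \
  > intermediate/certs/ca-chain.crt
chmod 444 intermediate/certs/ca-chain.crt
# GENERATE KEYS FOR WEB SERVER
# 2048-bit RSA, AES-256 encrypted; passphrase prompted twice (below).
# NOTE(review): an encrypted key means the web server must be given the
# passphrase every time it starts — confirm that fits the deployment.
openssl genrsa -aes256 \
  -out intermediate/private/www.alexlinux.com.key 2048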
Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
Verifying - Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
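# Server key: owner-read-only.
chmod 400 intermediate/private/www.alexlinux.com.key
# The web-cert config is fetched over plain HTTP, unauthenticated. Read it
# before use — its server_cert section defines the extensions that
# "openssl ca" stamps into the certificate in the signing step below.
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_web.cnf
# CSR for the server; DN defaults (CN = hostname) come from openssl_web.cnf,
# the key passphrase is prompted for.
openssl req -config openssl_web.cnf \
  -key intermediate/private/www.alexlinux.com.key \
  -new -sha256 \
  -out intermediate/csr/www.alexlinux.com.csr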
Enter pass phrase for intermediate/private/www.alexlinux.com.key:
123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name [Moscow]:ENTER
Locality Name [Moscow]:ENTER
Organization Name [Alexlinux Ltd]:ENTER
Organizational Unit Name [Security]:ENTER
Common Name [www.alexlinux.com]:ENTER
Email Address [[email protected]]:ENTER
# SIGN CERTIFICATE FOR WWW.ALEXLINUX.COM
# Signed by the INTERMEDIATE (its key passphrase is prompted), extensions
# taken from the server_cert section of openssl_web.cnf, 375-day validity.
# NOTE(review): the extension dump below shows no Subject Alternative Name;
# current TLS clients match the hostname against SAN rather than CN, so the
# server_cert section should add "subjectAltName = DNS:www.alexlinux.com"
# (or the CSR should carry it) before this certificate is deployed.
web_csr=intermediate/csr/www.alexlinux.com.csr
web_crt=intermediate/certs/www.alexlinux.com.crt
openssl ca -config openssl_web.cnf \
  -extensions server_cert \
  -days 375 \
  -notext \
  -md sha256 \
  -in "$web_csr" \
  -out "$web_crt"
Enter pass phrase for /data/ca/intermediate/private/intermediate.key:
123123
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Jan 6 18:43:44 2017 GMT
Not After : Jan 16 18:43:44 2018 GMT
Subject:
countryName = RU
stateOrProvinceName = Moscow
localityName = Moscow
organizationName = Alexlinux Ltd
organizationalUnitName = Security
commonName = www.alexlinux.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:http://ca.alexlinux.com/intermediate.crl
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
61:AE:55:0C:3C:68:50:47:8C:73:0B:F8:0E:09:3B:E2:0D:FD:33:6B
X509v3 Authority Key Identifier:
keyid:F6:A4:FA:89:0F:4F:AC:C0:C7:B9:75:E7:06:D1:2B:E6:6F:A7:5A:9B
DirName:/C=RU/ST=Moscow/L=Moscow/O=Alexlinux Ltd/CN=Alexlinux Root CA
serial:10:00
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jan 16 18:43:44 2018 GMT (375 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
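# The issued server certificate is public: read-only for everyone.
chmod 444 intermediate/certs/www.alexlinux.com.crt
# Check that the leaf validates through the intermediate up to the root
# using the chain bundle built earlier; expect
# "intermediate/certs/www.alexlinux.com.crt: OK" before handing the files
# to the web server.
openssl verify -CAfile intermediate/certs/ca-chain.crt \
  intermediate/certs/www.alexlinux.com.crt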
In the next part of this tutorial I will show you how to install the keys and certificates on nginx.