OpenSSL & Cygwin – Certificate Authority
I am using OpenSSL in conjunction with Cygwin on my Windows laptop to generate Certificate Signing Request and other SSL certificate related issues. Today I configured my own Certificate Authority, using the following guideline.
Preparations
First I created some directories, like shown below:
mkdir /home/sslCA
cd /home/sslCA
mkdir certs private newcerts
Next I created a serial file which will be used to name the new certificates generated and an index.txt file.
echo 1000 > serial
touch index.txt
Generating the CA
After setting up the appropriate directory, I generated the Certificate Authority, like shown below.
cd /home/sslCA
openssl.exe req –new –x509 –days 3650 –extensions v3_ca \
-keyout private/cakey.pem –out cacert.pem \
-config /usr/ssl/openssl.cnf
The command above generates the following output:
Generating a 1024 bit RSA private key
.++++++
…………………++++++
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:4IP Root CA
Email Address []:
Now I have a running Certificate Authority, which is ready to signing new certificates.
Performing an SSL Request
I used the following command, with it’s output, to generate an SSL Certificate Signing Request.
cd /home/sslCA
openssl req –new –nodes \
-out cert-www-4ip-nl.pem \
-keyout private/priv-www-4ip-nl.pem \
-config /usr/ssl/openssl.cnf
Generating a 1024 bit RSA private key
………..++++++
….++++++
writing new private key to ‘private/priv-www-4ip-nl.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:www.4ip.nl
Email Address []:Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing CSR
The last step in the process is signing the CSR. I used the following command to sign the CSR.
openssl ca –config /usr/ssl/openssl.cnf \
-out sslcert-www-4ip-nl.pem \
-infiles cert-www-4ip-nl.pem
This command results in the following output:
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for /home/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0×1000)
Validity
Not Before: Sep 30 11:01:11 2009 GMT
Not After : Sep 28 11:01:11 2019 GMT
Subject:
countryName = NL
stateOrProvinceName = Noord-Brabant
organizationName = 4IP BV
organizationalUnitName = IP Consultancy
commonName = www.4ip.nl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:6B:52:95:B6:2D:26:76:C1:CD:E9:3C:58:E5:89:B4:26:34:83:43
X509v3 Authority Key Identifier:
keyid:64:6A:E7:65:B0:96:F6:56:49:A2:4D:EA:7F:68:3F:18:D1:86:2B:0ECertificate is to be certified until Sep 28 11:01:11 2019 GMT (3650 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now I have all the appropriate files:
- Certificate: /home/sslCA/sslcert-www-4ip-nl.pem
- Key: /home/sslCA/private/priv-www-4ip-nl.pem
Converting to PKCS#12
Windows environments normally use PKCS#12 files. The following command generates a PKCS#12 file with the user certificate, the private key and the CA certificate:
cd /home/sslCA
openssl pkcs12 –export –out www-4ip-nl.pfx \
-inkey private/priv-www-4ip-nl.pem \
-in sslcert-www-4ip-nl.pem \
-certfile cacert.pem
This commands generates the appropriate PFX file (www-4ip-nl.pfx) for specific Windows environments, like IIS. Other usefull commands to convert certificate formats can be found here.
