
OpenSSL Root Certificate Authority

Update: 2021-07-28

  • OpenBSD 6.6 GENERIC
  • LibreSSL 3.0.2

Root Certificate Authority Configuration

  1. Approve Subordinate CA — used for multi-tier certificate infrastructures.
  2. Distribute Certificates — common in small networks where the root CA also distributes certificates.
Desired Root CA Certificate Properties
Algorithm: secp521r1
CRL Published Interval: 90 days
Signature Hash Algorithm: SHA512
Specific "Valid from": January 1 00:00:00 1970 GMT
Specific "Valid to": December 31 23:59:59 9999 GMT
AIA and CRL locations: pki.domain.com
Online Certificate Status Protocol (OCSP): Not used
basicConstraints: critical,CA:true,pathlen:1

secp521r1

90 day CRL

Validity Dates

AIA and CRL

MIME type                    Extension(s)
application/pkix-crl         .crl
application/x-x509-ca-cert   .crt .der

No OCSP

basicConstraints

Create Folder Structure

Create Root CA OpenSSL Configuration File

Create Private Key

# Generate a secp521r1 EC private key and encrypt it with AES-256 using the
# passphrase stored in the CA's private directory.
openssl ecparam -genkey \
-name secp521r1 | openssl ec \
-aes256 -out $BASEPATH/$CANAME/private/$CANAME.key \
-passout file:$BASEPATH/$CANAME/private/passphrase

Create Certificate Signing Request (CSR)

openssl req -config $BASEPATH/$CANAME/$CANAME.cnf \
-new -extensions ca_ext \
-key $BASEPATH/$CANAME/private/$CANAME.key \
-out $BASEPATH/$CANAME/$CANAME.csr \
-passin file:$BASEPATH/$CANAME/private/passphrase

Approve CSR

# Self-sign the CSR with the root key; -startdate/-enddate take YYYYMMDDHHMMSSZ.
openssl ca -config $BASEPATH/$CANAME/$CANAME.cnf -selfsign \
-keyfile $BASEPATH/$CANAME/private/$CANAME.key \
-startdate 19700101000000Z \
-enddate 99991231235959Z \
-out $BASEPATH/$CANAME/certs/$CANAME.crt \
-in $BASEPATH/$CANAME/$CANAME.csr \
-extensions ca_ext \
-passin file:$BASEPATH/$CANAME/private/passphrase

Generate CRL

openssl ca -gencrl -config $BASEPATH/$CANAME/$CANAME.cnf \
-out $BASEPATH/$CANAME/$CANAME.crl \
-passin file:$BASEPATH/$CANAME/private/passphrase

Publish Certificate

Publish CRL

/bin/sh /var/CA/RootCA-crl-update.sh

Fix Permissions

CANAME="RootCA"
BASEPATH="/var/CA"

# Restrict the CA tree to its owner; the private key and passphrase end up read-only.
chmod 700 $BASEPATH
chmod 700 $BASEPATH/$CANAME-crl-update.sh
chmod -R 700 $BASEPATH/$CANAME
find $BASEPATH/$CANAME -type f -print0 | xargs -0 chmod 600
chmod 400 $BASEPATH/$CANAME/private/*

Test

Download Files

# OpenBSD ftp(1) can fetch over HTTP as well as FTP.
ftp -o RootCA.crl http://pki.domain.com/RootCA.crl
ftp -o RootCA.crt http://pki.domain.com/RootCA.crt

View Files

openssl x509 -text -noout -in RootCA.crt
openssl crl -text -noout -in RootCA.crl
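Rather than eyeballing the x509 text dump, the properties from the table above can be checked mechanically. The following is an added example, not a script from the original article; it assumes the article's host name pki.domain.com for the CRL distribution point and runs against a constructed sample of `openssl x509 -text -noout` output.

```shell
#!/bin/sh
# Added example, not part of the original article: check that the text dump of
# RootCA.crt matches the "Desired Root CA Certificate Properties" table.
# Run on a real file with:  openssl x509 -text -noout -in RootCA.crt > cert.txt
# Assumes the article's host name pki.domain.com for the CRL distribution point.

must() {      # $1 = description, $2 = grep -E pattern that must appear in $file
    if grep -Eq "$2" "$file"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}
must_not() {  # $1 = description, $2 = pattern that must NOT appear in $file
    if grep -Eq "$2" "$file"; then echo "FAIL $1"; fails=$((fails + 1)); else echo "ok   $1"; fi
}

# Returns the number of failed checks; 0 means every desired property was found.
check_root_ca_text() {
    file="$1"; fails=0
    must     "curve secp521r1"                  'ASN1 OID: secp521r1'
    must     "signature ecdsa-with-SHA512"      'Signature Algorithm: ecdsa-with-SHA512'
    must     "valid from Jan 1 1970"            'Not Before: Jan +1 00:00:00 1970 GMT'
    must     "valid to Dec 31 9999"             'Not After *: Dec 31 23:59:59 9999 GMT'
    must     "basicConstraints marked critical" 'Basic Constraints: critical'
    must     "CA:TRUE with pathlen:1"           'CA:TRUE, pathlen:1'
    must     "CRL distribution point on pki.domain.com" 'URI:http://pki\.domain\.com/.*\.crl'
    must_not "no OCSP responder advertised"     'OCSP - URI:'
    return "$fails"
}

# Constructed sample (abridged, not a real certificate): the fields a compliant
# root certificate shows in `openssl x509 -text -noout` output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA512
        Validity
            Not Before: Jan  1 00:00:00 1970 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: secp521r1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.domain.com/RootCA.crl
EOF
check_root_ca_text "$SAMPLE" && echo "all desired root CA properties present"
```

A non-zero exit status means at least one property differs from the table, and the FAIL lines name which ones.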

Test cron Script
