OpenSSL Certificate Authority

How to run your own internal certificate authority using OpenSSL. When using SSL/TLS security internally you may want to set up your own certificate authority. Whether this is for a VPN, secure email or HTTPS, the certificate authority is set up in the same way. In fact, anywhere you control or have a relationship with both ends of the secured connection you can use your own authority. Why pay Verisign to add trust to an already trusting relationship?
 
 
Set your defaults
To set up your preferences you need to edit openssl.cnf. To find the location of your OpenSSL config, run "openssl version -d". The directory printed by this command should contain an openssl.cnf file. Edit this file to set default options for your CA and certificates. The file is quite well commented so I won't go into detail here, but pay attention to the dir variable, which is the base path to your CA; you probably want to set it to something like /etc/CA. The [req_distinguished_name] section holds the defaults used when you create a certificate; change these to reflect your company, address, etc.
 
Generate your Certificate Authority
To set up a certificate authority with a 2048-bit key you would use these commands:
 
    cd /etc/CA
    mkdir private certs newcerts
    openssl genrsa -des3 -out /etc/CA/private/cakey.pem 2048
    openssl req -new -x509 -days 1095 -key /etc/CA/private/cakey.pem -extensions v3_ca -out /etc/CA/cacert.pem
    chmod 400 private/cakey.pem
    touch index.txt
    echo 00 > serial
 
This assumes you are using /etc/CA as your dir in openssl.cnf. The first line moves to the /etc/CA directory and then we create the required sub-folders. On line three we create a 3DES-encrypted key. The fourth line creates your X.509 self-signed certificate using the key created on line three. We request that the certificate be a "Version 3 CA" (the v3_ca extensions section of openssl.cnf, which sets CA:TRUE). The -days option is the expiry; 1095 is 3 years.
Next we ensure the key is readable only by ourselves. We create the index.txt file, which keeps track of all the certificates we issue, and the serial file, which holds the next available serial number. OpenSSL updates both when we issue certificates.
 
That's it for setting up the CA. Now we can issue some certificates.
 
Generating a Certificate Signing Request (CSR)
You can create a private key and a signing request in one line with OpenSSL:
 
    openssl req -new -keyout <KEY> -out <CSR>
 
Where KEY is the name of the key file to create and CSR is the name of the CSR file to create. OpenSSL will prompt for the subject fields (pre-filled from [req_distinguished_name]) and for a passphrase to encrypt the new key.
 
Issuing a certificate
Once you've created the CSR, you sign it with your CA as follows:
 
    openssl ca -in <CSR> -out <Cert>
 
Where CSR is the CSR file you created in the previous command and Cert is the file you want OpenSSL to create containing your certificate. OpenSSL will ask for the CA key passphrase, show the details to be signed and ask you to confirm before it writes the certificate and updates index.txt and serial.
 
Trusting the CA
How you tell your application to trust your new CA varies by application. The important thing to remember is that the application only needs to see the CA certificate, NOT the CA key. NEVER give out the CA key. Nothing needs to see the CA key except OpenSSL! Keep it safe, because the security of all your certificates depends on it!
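As an added, runnable example (not commands from the original page), the following script carries the whole procedure above through in a throwaway directory: it builds a CA with a minimal openssl.cnf of its own, generates a key and CSR, signs the CSR with the CA, and then performs the check a relying application performs when it trusts the CA, using the CA certificate alone. The config section names, the passphrase, the hostname and the temp directory are assumptions made for this example; it needs only the openssl command-line tool (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not the page's own commands: throwaway CA in a temp dir,
# one server certificate issued from a CSR, verified against the CA cert.
# Assumes the openssl CLI is installed. Passphrase and hostname are
# constructed demo values.
set -eu
CA_PASS=demo-ca-pass

# Minimal openssl.cnf written into $1 (the CA dir). Section names follow the
# stock config the page refers to; dir is set to the CA path as the page says.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# The page's CA setup in the same order: directories, encrypted CA key,
# self-signed CA certificate, empty index and first serial. -aes256 stands in
# for the page's -des3; -passout/-passin only avoid interactive prompts.
setup_ca() {
    mkdir -p "$1/private" "$1/certs" "$1/newcerts"
    write_ca_config "$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$1/private/cakey.pem" 2048 2>/dev/null
    chmod 400 "$1/private/cakey.pem"
    openssl req -config "$1/openssl.cnf" -new -x509 -days 1095 \
        -key "$1/private/cakey.pem" -passin "pass:$CA_PASS" \
        -extensions v3_ca -subj "/CN=Demo Internal CA" -out "$1/cacert.pem"
    touch "$1/index.txt"
    echo 00 > "$1/serial"
}

# Key and CSR in one command, as on the page; -nodes leaves the server key
# unencrypted so a daemon can load it without a passphrase prompt.
make_csr() {
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/certs/$2.key" -out "$1/certs/$2.csr" 2>/dev/null
}

# Sign the CSR with the CA; -batch answers the confirmation prompts.
issue_cert() {
    openssl ca -config "$1/openssl.cnf" -batch -passin "pass:$CA_PASS" \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.pem" 2>/dev/null
}

# What a relying application does: verify against the CA certificate only.
# The CA private key plays no part here. Returns 0 when the chain checks out.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.pem" >/dev/null
}

# Sanity check on what was issued: an end-entity cert must not be a CA.
is_leaf_cert() {
    openssl x509 -in "$1/certs/$2.pem" -noout -text | grep -q 'CA:FALSE'
}

# Demo driver.
CA_DIR=$(mktemp -d)
HOST=intranet.example.test
setup_ca "$CA_DIR"
make_csr "$CA_DIR" "$HOST"
issue_cert "$CA_DIR" "$HOST"
verify_cert "$CA_DIR" "$HOST"
is_leaf_cert "$CA_DIR" "$HOST"
echo "issued and verified: $CA_DIR/certs/$HOST.pem"
```

Run it with sh. Note that verify_cert is handed only cacert.pem, which is exactly the point of the last section: the relying party never needs private/cakey.pem, and the same certificate fails to verify when the CA certificate is withheld.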