Creating our own Certificate Authority (CA)
Download the OpenSSL software and install it on your system.
Add the bin directory of the OpenSSL installation to your system PATH environment variable. The openssl command can then be run from any directory on the system.
Create the CA directory hierarchy
Create a new directory, X509CA, to hold the new CA. This directory holds all of the files associated with the CA.
Under the X509CA directory, create the following hierarchy of directories:
X509CA/ca
X509CA/certs
X509CA/newcerts
X509CA/crl
Create an openssl.cnf file in the X509CA directory and copy the following content into it:
#
# SSLeay example properties file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = D:\\testssl\\X509CA # Where everything is kept
certs = $dir/certs # Where issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # Database index file
new_certs_dir = $dir/newcerts # Default place for new certs
certificate = $dir/ca/new_ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca/new_ca_pk.pem # The private key
RANDFILE = $dir/ca/.rand
x509_extensions = x509v3_extensions # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ x509v3_extensions ]
Now open a command prompt and change directory to X509CA.
In the X509CA directory, initialize two files, serial and index.txt.
To initialize the serial file in Windows, enter the following command:
> echo 01 > serial
To create an empty file, index.txt, in Windows, start Windows Notepad from the command line in the X509CA directory, as follows:
> notepad index.txt
In response to the dialog box with the text "Cannot find the index.txt file. Do you want to create a new file?", click Yes, and then close Notepad.
These files are used by the CA to maintain its database of certificate files.
Note that the index.txt file must initially be completely empty, not even containing white space.
Create a self-signed CA certificate and private key
Create a new self-signed CA certificate and private key with the following command:
openssl req -x509 -new -config X509CA/openssl.cnf -days 365 -out X509CA/ca/new_ca.pem -keyout X509CA/ca/new_ca_pk.pem
The command prompts you for a pass phrase for the CA private key and for the details of the CA distinguished name.
We have entered the pass phrase as: welcometossl
The other details entered are as follows:
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) []:Pune
Organization Name (eg, company) []:SSPL
Organizational Unit Name (eg, section) []:SSPL OU
Common Name (eg, your website's domain name) []:sspl.com
Email Address []:sspl@sspl.com
You must ensure that the file names and location of the CA certificate and private key, new_ca.pem and new_ca_pk.pem, are the same as the values specified in openssl.cnf (see the preceding step).
You are now ready to sign certificates with your CA.
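The same procedure as a script, added here as an example and not part of the original post: it creates the X509CA hierarchy, the serial and empty index.txt files and a minimal openssl.cnf, generates the self-signed CA without prompts, and then checks that the private key really belongs to the certificate named in the config. It assumes openssl is on PATH and a POSIX shell; the directory, subject and pass phrase are demo values, and where the post's file uses md5 and an empty x509v3_extensions section this example uses sha256 and marks the certificate as a CA.

```shell
# Added example: build the CA described in the post non-interactively and
# check that the key in private_key matches the certificate in certificate.
# Assumptions: openssl on PATH; directory, subject and pass phrase are demo values.
set -eu
make_ca() {  # make_ca <dir> <passphrase>
  dir=$1; pass=$2
  mkdir -p "$dir/ca" "$dir/certs" "$dir/newcerts" "$dir/crl"
  echo 01 > "$dir/serial"
  : > "$dir/index.txt"   # must be completely empty, not even white space
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca/new_ca.pem
serial = \$dir/serial
private_key = \$dir/ca/new_ca_pk.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = x509v3_extensions
[ policy_match ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = x509v3_extensions
[ req_distinguished_name ]
[ x509v3_extensions ]
basicConstraints = critical, CA:TRUE
EOF
  openssl req -x509 -new -config "$dir/openssl.cnf" -days 365 \
    -subj "/C=IN/ST=Maharashtra/L=Pune/O=SSPL/CN=sspl.com" \
    -passout "pass:$pass" -keyout "$dir/ca/new_ca_pk.pem" \
    -out "$dir/ca/new_ca.pem" 2>/dev/null
}
verify_ca() {  # verify_ca <dir> <passphrase>: succeeds only if key matches cert and cert is a CA
  dir=$1; pass=$2
  cert_pub=$(openssl x509 -in "$dir/ca/new_ca.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/ca/new_ca_pk.pem" -passin "pass:$pass" -pubout 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$dir/ca/new_ca.pem" -noout -text | grep -q 'CA:TRUE'
}
```

Run `make_ca /path/to/X509CA welcometossl` followed by `verify_ca /path/to/X509CA welcometossl`; a non-zero exit from verify_ca means the certificate and private_key in openssl.cnf do not belong together.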