From a960a60ecd3f408a7ba98bb88e77d0b968b3b079 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 5 Dec 2020 19:48:34 +0100
Subject: [PATCH] Improve example CA setup

The example CA now has more realistic 2 levels with a root CA and a sub CA. Setup script and ca.cnf has been changed to create a root CA and a sub CA that is signed by the root CA. The sub CA is used for signing the end entity certificates. Example CA directory has been changed to example_ca for better readability.
---
 .gitignore | 2 +-
 ca.cnf | 94 +++++++++++++++++++++++++++++++++++++--------
 setup_example_ca.sh | 42 ++++++++++++++++----
 3 files changed, 115 insertions(+), 23 deletions(-)

diff --git a/.gitignore b/.gitignore
index 68365cd..ab2625f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,6 @@
 .*.swp
 /translate.*.toml
 /.idea/
-/exampleca/
+/example_ca/
 /node_modules/
 /public/
diff --git a/ca.cnf b/ca.cnf
index 09c4e18..b302513 100644
--- a/ca.cnf
+++ b/ca.cnf
@@ -3,22 +3,54 @@ extensions = v3_ext
 [ca]
 default_ca = EXAMPLECA
 
+[rootca]
+dir = ./example_ca/root
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+serial = $dir/serial
+new_certs_dir = $dir/newcerts
+
+crl = $dir/crl.pem
+certificate = $dir/ca.crt.pem
+private_key = $dir/private/ca.key.pem
+RANDFILE = $dir/private/.rand
+
+policy = policy_any
+unique_subject = no
+email_in_dn = no
+copy_extensions = none
+
+default_md = sha256
+default_days = 1825
+default_crl_days = 30
+
 [EXAMPLECA]
-dir = ./exampleca
-certs = $dir/certs
-crl_dir = $dir/crl
-database = $dir/index.txt
-new_certs_dir = $dir/newcerts
-serial = $dir/serial
-crl = $dir/crl.pem
-certificate = $dir/ca.crt.pem
-serial = $dir/serial
-crl = $dir/crl.pem
-private_key = $dir/private/ca.key.pem
-RANDFILE = $dir/private/.rand
-unique_subject = no
-email_in_dn = no
-default_md = sha256
+dir = ./example_ca/sub
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+serial = $dir/serial
+new_certs_dir = $dir/newcerts
+
+crl = $dir/crl.pem
+certificate = $dir/ca.crt.pem
+private_key = $dir/private/ca.key.pem
+RANDFILE = $dir/private/.rand
+unique_subject = no
+email_in_dn = no
+
+default_md = sha256
+default_days = 365
+default_crl_days = 30
+
+[policy_any]
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
 
 [policy_match]
 commonName = supplied
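Review bot: The [EXAMPLECA] section, which issues the end-entity certificates, still has no `policy` entry while the new [rootca] section sets `policy = policy_any`; `openssl ca` stops with a variable lookup error when neither the CA section nor `-policy` on the command line supplies one, so this section only works if every caller passes `-policy`. If that is intended, a comment in the section such as `# policy is supplied by the caller via -policy` makes the asymmetry deliberate; otherwise add `policy = policy_match` next to `unique_subject = no`. The name `policy_any` reads like OpenSSL's stock `policy_anything`, but this section requires countryName and organizationName to match the issuer, which is much stricter; a name such as `policy_ca` or a one-line comment above the section would avoid the confusion. Setting `copy_extensions = none` explicitly in [EXAMPLECA] as well would mirror [rootca] and document that extensions from end-entity requests are ignored rather than relying on the default.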
@@ -29,3 +61,35 @@ keyUsage = keyEncipherment,digitalSignature,nonRepudiation
 extendedKeyUsage = clientAuth,emailProtection
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
+
+[req]
+default_bits = 3072
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = root_ca
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = CH
+countryName_min = 2
+countryName_max = 2
+
+localityName = Locality Name (eg, city)
+
+organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+[req_attributes]
+
+[root_ca]
+basicConstraints = critical,CA:true,pathlen:1
+subjectKeyIdentifier = hash
+
+[sub_ca]
+basicConstraints = critical,CA:true,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
\ No newline at end of file
diff --git a/setup_example_ca.sh b/setup_example_ca.sh
index 2d7da67..7b11bc1 100755
--- a/setup_example_ca.sh
+++ b/setup_example_ca.sh
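Review bot: Neither [root_ca] nor [sub_ca] sets a keyUsage, so the two CA certificates carry no restriction on what their keys may be used for, which is weaker than the end-entity extension section just above that does constrain keyUsage. Add `keyUsage = critical,keyCertSign,cRLSign` to both sections: RFC 5280 expects keyCertSign on any certificate whose key verifies certificate signatures, and cRLSign is needed because both CA sections in this file configure CRL output (`crl`, `default_crl_days`). The `x509_extensions = root_ca` line in [req] only applies to the self-signed `-x509` output, so a comment such as `# applied by 'openssl req -x509' to the root; the sub CA gets sub_ca via 'openssl ca -extensions'` would save the next reader a lookup. The file also loses its trailing newline in this hunk.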
@@ -1,11 +1,39 @@
 #!/bin/sh
-if [ ! -d "exampleca" ]; then
- mkdir -p exampleca/newcerts
- touch exampleca/index.txt
+set -eu
+
+COUNTRY_CODE=CH
+ORGANIZATION="Acme Ltd."
+
+if [ ! -d "example_ca" ]; then
+ mkdir -p example_ca/root/newcerts example_ca/sub/newcerts
+ touch example_ca/root/index.txt example_ca/sub/index.txt
 umask 077
- mkdir exampleca/private
- openssl req -new -x509 -keyout exampleca/private/ca.key.pem -out exampleca/ca.crt.pem -days 3650 \
- -subj "/CN=Example CA" -nodes -newkey rsa:3072 -addext "basicConstraints=critical,CA:true,pathlen:0"
- chmod +r exampleca/ca.crt.pem
+ mkdir example_ca/root/private example_ca/sub/private
+ openssl req -new -x509 \
+ -config ca.cnf \
+ -keyout example_ca/root/private/ca.key.pem \
+ -newkey rsa:3072 \
+ -nodes \
+ -subj "/CN=Example Root CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
+ -utf8 \
+ -days 3650 \
+ -out example_ca/root/ca.crt.pem
+ chmod +r example_ca/root/ca.crt.pem
+ openssl req -new \
+ -config ca.cnf \
+ -keyout example_ca/sub/private/ca.key.pem \
+ -newkey rsa:3072 \
+ -nodes \
+ -subj "/CN=Example Sub CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
+ -utf8 \
+ -out example_ca/sub/ca.csr.pem
+ openssl ca \
+ -config ca.cnf \
+ -name rootca \
+ -in example_ca/sub/ca.csr.pem \
+ -extensions sub_ca \
+ -out example_ca/sub/ca.crt.pem \
+ -create_serial \
+ -batch
 fi
\ No newline at end of file
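Review bot: `chmod +r` is applied only to the root certificate; the sub CA certificate written by `openssl ca -out example_ca/sub/ca.crt.pem` is created while `umask 077` is in effect and so ends up readable by the creating user alone, even though it is the certificate relying parties need to build the chain. Add `chmod +r example_ca/sub/ca.crt.pem` after the `openssl ca` call (the CSR left at `example_ca/sub/ca.csr.pem` can stay private or be removed). Because the guard is `[ ! -d "example_ca" ]` and `set -eu` aborts on the first failing openssl step, a partially built tree is neither retried nor cleaned up on a second run; building into a temporary directory and moving it into place, or a `trap` that removes `example_ca` when a step fails, would make the script safe to rerun. The sub CA's own `serial` file is still not created here, so the first `openssl ca` run with the default `EXAMPLECA` section presumably relies on the caller passing `-create_serial`, as the previous version already assumed.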