PKI Certificate Tutorials - Herong's Tutorial Examples - v1.11, by Herong Yang
Add "keyUsage" into Root CA
This section provides a tutorial example on how to add 'keyUsage' and other X509v3 extensions to a self-signed root CA certificate.
In the last tutorial, we used the "openssl req" command to generate a self-signed root CA certificate with default settings, so it carried no X509v3 extensions. In this tutorial, we will use the "req" section in openssl.cnf to add the "keyUsage" and other X509v3 extensions.
1. Define a new section for "req::x509_extensions" in openssl.cnf to add "basicConstraints" and "keyUsage" as X509v3 extensions. "basicConstraints" marks the certificate as a CA certificate, and "keyUsage" limits the key to signing certificates and CRLs.
#- openssl.cnf
#-
#- Copyright (c) 2017 HerongYang.com. All Rights Reserved.

# Default section
...

# Pre-defined section for the "openssl req" command
[req]
default_bits = 2048                # size of key generated from "req" command
distinguished_name = req_dn        # distinguished name section
x509_extensions = req_x509_root    # x509 section for root CA

# "req::distinguished_name" section for Subject input
[req_dn]
# Subject input prompts
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

countryName_default = ZZ           # input default
commonName_default = ZZ Root CA    # input default

# "req::x509_extensions" section for self-signed root certificate
[req_x509_root]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

...
2. Generate a self-signed certificate for the root CA using the above openssl.cnf.
herong$ openssl req -new -x509 -config openssl.cnf -days 7300 \
  -out root/cert.pem -key root/key.pem -passin pass:TopSecret
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [ZZ]:
State or Province Name []:
Locality Name []:
Organization Name []:
Organizational Unit Name []:
Common Name [ZZ Root CA]:
Email Address []:
3. Look at the new root CA certificate. The "X509v3 Basic Constraints" and "X509v3 Key Usage" extensions are now present, and both are marked critical.
herong$ openssl x509 -in root/cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 89:9f:80:33:30:0d:3a:e2
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=ZZ, CN=ZZ Root CA
        Validity
            Not Before: Nov 20 13:32:16 2024 GMT
            Not After : Nov 15 13:32:16 2044 GMT
        Subject: C=ZZ, CN=ZZ Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:a0:ff:77:be:49:92:2c:31:7e:f8:92:bf:4a:80:
                    81:2b:81:a3:9e:53:65:67:80:60:f2:b4:a7:45:29:
                    ...
                    2b:9c:ca:ed:29:d9:68
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
...
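The three steps above can be scripted end to end, together with the check a relying party would want: that the root certificate really carries a critical "Basic Constraints: CA:TRUE" and a critical Key Usage that includes Certificate Sign and CRL Sign. The script below is an added example, not part of the tutorial; it writes a constructed openssl.cnf equivalent to the one above (using "prompt = no" so the Subject comes from the file instead of interactive prompts), generates an unencrypted P-384 key instead of the passphrase-protected key used in the tutorial, and also builds a second certificate without the extension section to show the check rejecting it. The file names under WORKDIR and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: build a root CA with the
# "req_x509_root" extension section and verify the resulting extensions.
set -eu

# Skip cleanly when the toolkit is not installed.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory

# Constructed openssl.cnf mirroring the tutorial's [req] / [req_x509_root] sections.
write_root_cnf() {
  cat > "$1" <<'EOF'
[req]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = req_x509_root
prompt             = no

[req_dn]
C  = ZZ
CN = ZZ Root CA

[req_x509_root]
basicConstraints = critical, CA:true
keyUsage         = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Constructed config with no x509_extensions section, for the negative case.
write_plain_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
prompt             = no

[req_dn]
CN = No Extensions
EOF
}

# Generate a P-384 key (same curve as the tutorial's root key) and a
# self-signed certificate from the given config: steps 1 and 2 above.
make_self_signed() {
  cnf="$1"; key="$2"; cert="$3"
  openssl ecparam -name secp384r1 -genkey -noout -out "$key"
  openssl req -new -x509 -config "$cnf" -days 7300 -key "$key" -out "$cert"
}

# Step 3 as a check: returns 0 only if the certificate has a critical
# Basic Constraints of CA:TRUE and a critical Key Usage containing both
# Certificate Sign and CRL Sign; returns 1 otherwise.
check_root_ca_extensions() {
  text=$(openssl x509 -in "$1" -text -noout)
  bc=$(printf '%s\n' "$text" | awk '/X509v3 Basic Constraints: critical/{getline; print; exit}')
  ku=$(printf '%s\n' "$text" | awk '/X509v3 Key Usage: critical/{getline; print; exit}')
  case "$bc" in *"CA:TRUE"*) ;; *) return 1 ;; esac
  case "$ku" in *"Certificate Sign"*) ;; *) return 1 ;; esac
  case "$ku" in *"CRL Sign"*) ;; *) return 1 ;; esac
  return 0
}

write_root_cnf "$WORKDIR/openssl.cnf"
make_self_signed "$WORKDIR/openssl.cnf" "$WORKDIR/key.pem" "$WORKDIR/cert.pem"
if check_root_ca_extensions "$WORKDIR/cert.pem"; then
  echo "root CA extensions OK: $WORKDIR/cert.pem"
else
  echo "root CA is missing required extensions" >&2
fi

write_plain_cnf "$WORKDIR/plain.cnf"
make_self_signed "$WORKDIR/plain.cnf" "$WORKDIR/plain-key.pem" "$WORKDIR/plain.pem"
if check_root_ca_extensions "$WORKDIR/plain.pem"; then
  echo "unexpected: plain certificate passed the check" >&2
else
  echo "plain certificate rejected as expected"
fi
```

The check reads the same "openssl x509 -text" output shown in step 3 and looks at the line following each extension header, which is where OpenSSL prints the extension value. Run it against any root certificate file to confirm that the CA flag and signing usages were actually emitted rather than only written into openssl.cnf.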
Now we have a much better root CA certificate: it is explicitly marked as a CA, and its key usage is restricted to signing certificates and CRLs.