OpenSSL CA Database Files

This section describes OpenSSL CA database files, including the primary database file 'index.txt' and the serial number file 'serial'.

After signing some certificates as an intermediate CA, let's take a closer look at its database files:

1. List all CA files.

herong$ tree intermediate

intermediate
|-- cert.pem            # the CA certificate file
|-- certs
|   |-- 1000.pem        # carbon copy of the 1st certificate
|   |-- 1001.pem        # carbon copy of the 2nd certificate
|   |-- 1002.pem        # carbon copy of the 3rd certificate
|-- csr.pem             # the CA CSR file
|-- index.txt           # the database file tracking new certificates
|-- index.txt.attr      # attributes (options) used
|-- index.txt.attr.old  # backup of index.txt.attr file
|-- index.txt.old       # backup of index.txt file
|-- key.pem             # the CA key file
|-- serial              # serial number file holding the next number
|-- serial.old          # backup of serial file

2. Look at the primary database file, index.txt.

herong$ more intermediate/index.txt

V	251120150245Z		1000	unknown	/C=ZZ/CN=Herong Yang
V	251121030239Z		1001	unknown	/C=ZZ/CN=herongyang.com
V	251121034105Z		1002	unknown	/C=ZZ/CN=herongyang.com
- ------------- - ----  ------- ------------------------
| |             | |     |       subject name
| |             | |     file name
| |             | serial #
| |             revocation timestamp
| expiration timestamp
status: V=Valid

3. Look at the index.txt.attr file. "unique_subject = no" means that duplicate subjects are allowed. You can change it to "unique_subject = yes" to disallow them.

herong$ more intermediate/index.txt.attr

unique_subject = no

4. Look at the serial file. It holds the serial number to be used for the next new certificate.

herong$ more intermediate/serial

1003
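The three files shown in steps 2 to 4 form one small database, and a CA operator will want to check that they agree with each other before issuing the next certificate. The following is an added example, not code from the book: a parser for the index.txt row format described above (status, expiration timestamp, revocation timestamp, serial, file name, subject) together with consistency checks across index.txt, index.txt.attr and serial. It goes slightly beyond the page by handling the R (revoked) and E (expired) status codes that OpenSSL writes alongside V, and the "timestamp,reason" form of the revocation field. The sample data is constructed: it mirrors the three valid entries on the page and adds one revoked and one expired entry. Note that OpenSSL stores serial numbers as hexadecimal both in the serial file and in index.txt, so the value 1003 on the page is 0x1003.

```python
"""Parse and sanity-check an OpenSSL CA database: index.txt, index.txt.attr, serial.

Added example (not from the book). All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of intermediate/index.txt: six tab-separated fields per row.
# Status codes OpenSSL writes: V = valid, R = revoked, E = expired.
# A revoked row carries "<timestamp>,<reason>" in the revocation field.
INDEX_TXT = (
    "V\t251120150245Z\t\t1000\tunknown\t/C=ZZ/CN=Herong Yang\n"
    "V\t251121030239Z\t\t1001\tunknown\t/C=ZZ/CN=herongyang.com\n"
    "V\t251121034105Z\t\t1002\tunknown\t/C=ZZ/CN=herongyang.com\n"
    "R\t251122000000Z\t240601120000Z,keyCompromise\t1003\tunknown\t/C=ZZ/CN=revoked.example\n"
    "E\t200101000000Z\t\t1004\tunknown\t/C=ZZ/CN=expired.example\n"
)
INDEX_TXT_ATTR = "unique_subject = no\n"   # constructed; same setting as on the page
SERIAL = "1005\n"                           # constructed; hex, one past the last row (1004)


@dataclass
class IndexEntry:
    status: str                      # 'V', 'R' or 'E'
    expires: datetime
    revoked: Optional[datetime]      # None unless the row is revoked
    revocation_reason: Optional[str]
    serial: int                      # decoded from the hex field
    filename: str                    # normally 'unknown'
    subject: str                     # distinguished name as written


def parse_timestamp(value: str) -> datetime:
    """OpenSSL writes YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    """Parse index.txt rows; raise ValueError on a malformed row instead of guessing."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, exp, rev, serial_hex, filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked = reason = None
        if rev:
            ts, _, reason = rev.partition(",")   # reason is optional
            revoked = parse_timestamp(ts)
            reason = reason or None
        entries.append(IndexEntry(status, parse_timestamp(exp), revoked, reason,
                                  int(serial_hex, 16), filename, subject))
    return entries


def parse_attr(text: str) -> dict[str, str]:
    """index.txt.attr is a flat 'key = value' file."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def check_database(index_txt: str, attr_txt: str, serial_txt: str) -> list[str]:
    """Return findings; an empty list means the three files are mutually consistent."""
    entries = parse_index(index_txt)
    attrs = parse_attr(attr_txt)
    next_serial = int(serial_txt.strip(), 16)
    findings = []

    # 1. With sequential serials (as on the page), 'serial' must be one past the
    #    highest serial already issued, or the next certificate may collide.
    highest = max(e.serial for e in entries) if entries else -1
    if next_serial != highest + 1:
        findings.append(f"serial file holds {next_serial:X}, expected {highest + 1:X}")

    # 2. Every serial in index.txt must be unique.
    seen = set()
    for e in entries:
        if e.serial in seen:
            findings.append(f"duplicate serial {e.serial:X} in index.txt")
        seen.add(e.serial)

    # 3. Status 'R' and a filled revocation field must occur together.
    for e in entries:
        if (e.status == "R") != (e.revoked is not None):
            findings.append(f"serial {e.serial:X}: status {e.status} conflicts with revocation field")

    # 4. OpenSSL applies unique_subject (default yes) to rows that are still valid ('V').
    if attrs.get("unique_subject", "yes") == "yes":
        by_subject = {}
        for e in entries:
            if e.status == "V":
                by_subject.setdefault(e.subject, []).append(e.serial)
        for subj, serials in by_subject.items():
            if len(serials) > 1:
                listed = ", ".join(f"{s:X}" for s in serials)
                findings.append(f"unique_subject=yes but {subj} appears on serials {listed}")
    return findings


if __name__ == "__main__":
    for finding in check_database(INDEX_TXT, INDEX_TXT_ATTR, SERIAL) or ["database consistent"]:
        print(finding)
```

With the constructed data the check passes. Switching the attribute to "unique_subject = yes" makes the two herongyang.com rows a finding, which is exactly the situation step 3 describes, and editing the serial file to repeat an issued value triggers the serial check.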
