"openssl.cnf" Example and Usages

This section describes OpenSSL CA database files, including the primary database file 'index.txt' and the serial number file 'serial'.

Here is the full version of the OpenSSL configuration file, "openssl.cnf", used in previous tutorials.

# openssl.cnf
# Copyright (c) 2017 HerongYang.com. All Rights Reserved.

# Default section
default_md     = sha256        # default hash algorithm
default_days   = 365           # how long to certify for
email_in_dn    = no            # don't add the email into cert DN
unique_subject = no            # allow duplicate subjects
policy         = ca_policy_default # default policy section
copy_extensions = copy # copy x509 extensions from CSR, except those the -extensions section already sets

# Pre-defined section for the "openssl req" command
[req]
default_bits    = 2048 # size of key generated from "req" command 
distinguished_name  = req_dn    # distinguished name section
x509_extensions = req_x509_root # x509 section for root CA

# "req::distinguished_name" section for Subject input
[req_dn]
# Subject input prompts
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

countryName_default             = ZZ         # input default
commonName_default              = ZZ Root CA # input default

# "req::x509_extensions" section for self-signed root certificate 
[req_x509_root]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Pre-defined section for the "openssl ca" command
[ca]
default_ca     = ca_default    # default CA section

# "ca::default_ca" section
[ca_default]
dir            = ./demoCA       # where everything is kept
serial         = $dir/serial    # serial number file
database       = $dir/index.txt # database index file
new_certs_dir  = $dir/certs     # new certs are kept
private_key    = $dir/key.pem   # CA private/public key file
certificate    = $dir/cert.pem  # CA certificate file

# "-name" section of "openssl ca" for root CA
[ca_root]
dir            = ./root         # where everything is kept
serial         = $dir/serial    # serial number file
database       = $dir/index.txt # database index file
new_certs_dir  = $dir/certs     # new certs are kept
private_key    = $dir/key.pem   # CA private/public key file
certificate    = $dir/cert.pem  # CA certificate file

# "-name" section of "openssl ca" for intermediate CA
[ca_intermediate]
dir            = ./intermediate # where everything is kept
serial         = $dir/serial    # serial number file
database       = $dir/index.txt # database index file
new_certs_dir  = $dir/certs     # new certs are kept
private_key    = $dir/key.pem   # CA private/public key file
certificate    = $dir/cert.pem  # CA certificate file

# "-extensions" section for "openssl ca" to sign intermediate CA
[ca_extensions_intermediate]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# "-extensions" section for "openssl ca" to sign a server certificate
[ca_extensions_server]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# "policy" section used by the "openssl ca" command
[ca_policy_default]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
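
To show how the "$dir" variables and the section-less defaults at the top of this file are resolved when "openssl ca -name ca_intermediate" runs, here is a small added Python example (not from the book or from OpenSSL) that mimics the lookup over a trimmed copy of the configuration above. The parser and its fallback rule are simplifications written for this example.

```python
import re

# Constructed sample input: a trimmed copy of the page's openssl.cnf.
SAMPLE_CNF = """
default_md      = sha256        # default hash algorithm
policy          = ca_policy_default
copy_extensions = copy
[ca]
default_ca     = ca_default
[ca_default]
dir            = ./demoCA       # where everything is kept
database       = $dir/index.txt # database index file
[ca_intermediate]
dir            = ./intermediate
serial         = $dir/serial
database       = $dir/index.txt
certificate    = $dir/cert.pem
"""

def parse_cnf(text):
    """Parse OpenSSL-style config into {section: {key: value}}.
    Keys before the first [section] land in 'default', as in OpenSSL.
    '#' comments are stripped (values containing '#' unsupported); $name
    expands against the current section, '' if unknown (OpenSSL errors)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        value = re.sub(r"\$(\w+)",
                       lambda m: sections[current].get(m.group(1), ""),
                       value.strip())
        sections[current][key.strip()] = value
    return sections

def effective_ca(name=None, text=SAMPLE_CNF):
    """Settings 'openssl ca -name NAME' ends up with: the named section
    (or [ca] default_ca when -name is absent), falling back to 'default'."""
    cfg = parse_cnf(text)
    section = name or cfg["ca"]["default_ca"]
    keys = ("dir", "serial", "database", "certificate",
            "default_md", "policy", "copy_extensions")
    return {k: cfg.get(section, {}).get(k) or cfg["default"].get(k)
            for k in keys}
```

Running effective_ca("ca_intermediate") shows the intermediate CA's database resolving to ./intermediate/index.txt while default_md and policy come from the top-level defaults.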

Here are "openssl" command examples that use this configuration file.

1. Apply the "req" section to generate a self-signed root CA certificate.

herong$ openssl req -new -x509 -config openssl.cnf -days 7300 \
  -out root/cert.pem -key root/key.pem -passin pass:TopSecret

2. Apply the "ca_root" section to sign a CSR as a root CA.

herong$ openssl ca -config openssl.cnf -name ca_root \
  -key TopSecret -in herong/hy-csr.pem -out herong/hy-cert.pem

3. Apply the "ca_intermediate" section to sign a CSR as an intermediate CA.

herong$ openssl ca -config openssl.cnf -name ca_intermediate \
  -key TopSecret -in herong/hy-csr.pem -out herong/hy-cert.pem

4. Apply the "ca_extensions_intermediate" section to add x509v3 extensions to an intermediate CA certificate.

herong$ openssl ca -config openssl.cnf -name ca_root -key TopSecret \
  -in intermediate/csr.pem -out intermediate/cert.pem \
  -extensions ca_extensions_intermediate

5. Apply the "ca_extensions_server" section to add x509v3 extensions to a Web server certificate.

herong$ openssl ca -config openssl.cnf -name ca_intermediate \
  -in herong/web-csr.pem -out herong/web-cert.pem \
  -key TopSecret -extensions ca_extensions_server
