openssl.cnf - OpenSSL Configuration File


OpenSSL configuration file, openssl.cnf, is required to run the "openssl ca" command. You need to remember the following basic guidelines to create your own openssl.cnf and use it to manage OpenSSL options.

1. The default version of openssl.cnf is located in the OPENSSLDIR directory set during installation. On most Linux systems, it is located at /etc/ssl/openssl.cnf.

2. You can use the "-config filename" option to specify your own version of openssl.cnf on "openssl" commands.

3. OpenSSL options and their values are organized into 3 types of sections: the default section (the unnamed options at the top of the file), pre-defined sections read by specific commands (such as [req] and [ca]), and user-defined sections that other options refer to by name.

4. Options provided in pre-defined or user-defined sections override options in the default section.

5. Options specified on the command line override options in the openssl.cnf file.

6. The value of an option can be referenced as a variable with a leading "$" sign: "$name" for an option in the current (or default) section, "$ENV::name" for an environment variable, and "${section::name}" for an option in another section. For example:

# Referencing the "dir" option
dir     = ./demoCA     
certs   = $dir/certs

# Referencing an environment variable
RANDFILE   = $ENV::HOME/.rnd

# Referencing an option in another section
[req_dn]
emailAddress   = herong_yang@yahoo.com
....
[usr_cert]
subjectAltName = email:${req_dn::emailAddress} 

Here is a simple openssl.cnf with detailed comments:

#- openssl.cnf
#- Copyright (c) 2017 HerongYang.com. All Rights Reserved.

# Default section
default_md     = sha256         # default hash algorithm
default_days   = 365            # how long to certify for
email_in_dn    = no             # don't add the email into cert DN
policy         = ca_policy_default # default policy section

# Pre-defined section for the "openssl req" command
[req]
default_bits   = 2048   # size of key generated from "req" command 

# Pre-defined section for the "openssl ca" command
[ca]
default_ca     = ca_default    # default CA section

# "ca::default_ca" section
[ca_default]
dir           = ./demoCA       # where everything is kept
serial        = $dir/serial    # serial number file
database      = $dir/index.txt # database index file
new_certs_dir = $dir/certs     # new certs are kept
private_key   = $dir/key.pem   # CA private/public key file
certificate   = $dir/cert.pem  # CA certificate file

# "policy" section used by the "openssl ca" command
[ca_policy_default]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
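
To show how the lookup rules above work in practice (an option in a named section wins over the default section; "$name", "$ENV::name" and "${section::name}" references are expanded as the file is read), here is a small parser added for this page. It is not OpenSSL's own configuration code, and it runs over a constructed config modelled on the examples above:

```python
import os, re

# Constructed sample modelled on the page's examples; not a file shipped with OpenSSL.
SAMPLE_CNF = """
default_md   = sha256     # default section: applies unless a section overrides it
default_days = 365
[ca]
default_ca   = ca_default
[ca_default]
dir          = ./demoCA
certs        = $dir/certs
default_days = 3650       # overrides the default section's value
[req_dn]
emailAddress = herong_yang@yahoo.com
[usr_cert]
subjectAltName = email:${req_dn::emailAddress}
"""

# Matches $name, $section::name, ${name} and ${section::name}
VAR_RE = re.compile(r"\$(?:\{([^}]+)\}|([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?))")

def lookup(sections, section, name):
    """Lookup order from the page: the named section first, then the default section."""
    if name in sections.get(section, {}):
        return sections[section][name]
    return sections[""].get(name)

def expand(value, current, sections):
    """Expand variable references against the options parsed so far."""
    def sub(m):
        ref = m.group(1) or m.group(2)
        if "::" in ref:
            sec, name = ref.split("::", 1)
            if sec == "ENV":                           # $ENV::HOME style reference
                return os.environ.get(name, "")
            return sections.get(sec, {}).get(name, "")  # ${section::name} reference
        return lookup(sections, current, ref) or ""    # $name reference
    return VAR_RE.sub(sub, value)

def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {name: value}}; "" is the default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            name, _, value = line.partition("=")
            sections[current][name.strip()] = expand(value.strip(), current, sections)
    return sections
```

Because references are resolved as each line is read, an option must be defined before it is referenced, which is also why the real "openssl" tools reject forward references.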

For more information, run the "man config" command on a Linux system to read the manual.
