Use "openssl ca" as Root CA

This section provides a tutorial example on how to use the "openssl ca" command as a root CA to sign a CSR (Certificate Signing Request) into a certificate, using a given section of openssl.cnf.

If you want to use the "openssl ca" command as a root CA, you can follow this tutorial.

1. Prepare directories and files required by the root CA.

# Create the base directory for the root CA 
herong$ mkdir root

# Create the sub-directory for newly signed certificates 
herong$ mkdir root/certs

# Create an empty database index file
herong$ touch root/index.txt

# Initialize a serial number file
herong$ echo 1000 > root/serial

2. Add a "ca_root" section in the openssl.cnf file for the "openssl ca -name ca_root" command to invoke.

herong$ vi openssl.cnf 

#- openssl.cnf
#- Copyright (c) 2017 HerongYang.com. All Rights Reserved.

# Default section
default_md     = sha256         # default hash algorithm
default_days   = 365            # how long to certify for
email_in_dn    = no             # don't add the email into cert DN
policy         = ca_policy_default # default policy section

...

# Section to be invoked by "-name" option of "openssl ca"
[ca_root]
dir           = ./root         # where everything is kept
serial        = $dir/serial    # serial number file
database      = $dir/index.txt # database index file
new_certs_dir = $dir/certs     # new certs are kept
private_key   = $dir/key.pem   # CA private/public key file
certificate   = $dir/cert.pem  # CA certificate file

# Section for "policy" used by the "openssl ca" command
[ca_policy_default]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

3. Generate a private/public key pair for the root CA.

herong$ openssl genpkey -algorithm EC -out root/key.pem \
  -pkeyopt ec_paramgen_curve:secp384r1 \
  -aes-128-cbc -pass pass:TopSecret

# For older OpenSSL releases, do this in 2 steps
herong$ openssl ecparam -genkey -name secp384r1 -noout \
  -out root/key.pem 

herong$ openssl ec -in root/key.pem -out root/key.pem \
  -aes128 -passout pass:TopSecret

3. Generate a self-signed certificate for the root CA.

herong$ openssl req -new -x509 -out root/cert.pem \
  -key root/key.pem -passin pass:TopSecret

You are about to be asked to enter information that will be 
incorporated into your certificate request.

-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ZZ Root CA
Email Address []:

4. Look at the root CA certificate.

herong$ openssl x509 -in root/cert.pem -noout \
  -subject -issuer -ext basicConstraints

subject=C = ZZ, CN = ZZ Root CA
issuer=C = ZZ, CN = ZZ Root CA
X509v3 Basic Constraints: critical
    CA:TRUE

5. Check the CSR received. If needed, create one.

herong$ mkdir herong 

herong$ openssl req -new -out herong/hy-csr.pem \
  -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
  -keyout herong/key.pem -passout pass:TopSecret

Generating an EC private key
writing new private key to 'herong/key.pem'

-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Herong Yang
Email Address []:

# For older OpenSSL releases, do this in 3 steps
herong$ openssl ecparam -genkey -name secp384r1 -noout \
  -out herong/key.pem

herong$ openssl ec -in herong/key.pem -out herong/key.pem \
  -aes128 -passout pass:TopSecret

herong$ openssl req -new -out herong/hy-csr.pem \
  -key herong/key.pem -passin pass:TopSecret

6. Sign the CSR as the root CA using "ca_root" section in openssl.cnf.

herong$ openssl ca -config openssl.cnf -name ca_root \
  -key TopSecret -in herong/hy-csr.pem -out herong/hy-cert.pem

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ZZ'
localityName          :ASN.1 12:'My City'
commonName            :ASN.1 12:'Herong Yang'
Certificate is to be certified until Nov 20 01:48:32 2025 GMT
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Look at the signed certificate.

herong$ openssl x509 -in herong/hy-cert.pem -text -noout 

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, CN = ZZ Root CA
        Validity
            Not Before: Nov 20 01:48:32 2024 GMT
            Not After : Nov 20 01:48:32 2025 GMT
        Subject: C = ZZ, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:89:74:4d:52:9b:30:07:10:ef:31:b4:ec:d9:c0:
                    36:33:f3:f1:5c:d1:15:0d:40:61:8e:d4:5b:9e:c5:
                    ...
                    c6:79:87:9f:5a:95:e9
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:30:4b:72:a2:a3:42:26:e7:b0:94:b9:3f:6c:80:83:
         32:86:15:12:7f:f3:9a:bf:1e:5e:42:27:d5:43:87:1c:32:4b:
         ...
         44:26:03:fc:59:e0:e1:04:5d:38:5e:bf:d4

Cool! I have successfully signed a CSR as a root CA.

If you want to find out which files are generated or updated by the "openssl ca" command, run the "tree root" command.

herong$ tree root

root
|-- cert.pem         # the root CA certificate file
|-- certs
|   |-- 1000.pem     # carbon copy of the new certificate
|-- index.txt        # the database file tracking new certificates
|-- index.txt.attr   # attributes (options) used
|-- index.txt.old    # backup of index.txt
|-- key.pem          # the root CA key file
|-- serial           # serial number file updated to 1001
|-- serial.old       # backup of the serial number file with 1000
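The whole procedure above (steps 1 to 7 and the "tree root" check), as one non-interactive POSIX shell function. This is an added example, not the tutorial's own script: it assumes "openssl" (1.1.1 or 3.x) is on PATH, and uses "-subj", "-batch" and "-passin" in place of the interactive prompts and the "-key" password option. It then verifies what the text only shows by eye: the new certificate chains to root/cert.pem, the CA policy dropped the CSR's localityName, certs/1000.pem and the index.txt entry exist, and serial advanced to 1001.

```shell
# Added example, not the tutorial's own script. Assumes "openssl" (1.1.1 or
# 3.x) is on PATH. Works in a scratch directory and leaves the shell there,
# so root/ and herong/ can be inspected afterwards (e.g. with "tree root").
PASS="pass:TopSecret"   # same key password as the tutorial
run_root_ca() {
  work=$(mktemp -d) && cd "$work" || return 1
  # Step 1: directories, empty database file, initial serial number
  mkdir -p root/certs herong && touch root/index.txt && echo 1000 > root/serial
  # Step 2: the tutorial's sections, plus [req] so "openssl req" needs no system config
  cat > openssl.cnf <<'EOF'
default_md   = sha256
default_days = 365
policy       = ca_policy_default
[ca_root]
dir           = ./root
serial        = $dir/serial
database      = $dir/index.txt
new_certs_dir = $dir/certs
private_key   = $dir/key.pem
certificate   = $dir/cert.pem
[ca_policy_default]
countryName = supplied
commonName  = supplied
[req]
distinguished_name = req_dn
x509_extensions    = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
  # Step 3: encrypted root key, then the self-signed root CA certificate
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
    -aes-128-cbc -pass "$PASS" -out root/key.pem || return 1
  openssl req -config openssl.cnf -new -x509 -key root/key.pem \
    -passin "$PASS" -subj "/C=ZZ/CN=ZZ Root CA" -out root/cert.pem || return 1
  # Step 5: end-entity key and CSR; L= is requested but is not in the policy
  openssl req -config openssl.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
    -keyout herong/key.pem -passout "$PASS" -out herong/hy-csr.pem \
    -subj "/C=ZZ/L=My City/CN=Herong Yang" || return 1
  # Step 6: sign as the root CA; -batch answers the two y/n prompts
  openssl ca -config openssl.cnf -name ca_root -batch -passin "$PASS" \
    -in herong/hy-csr.pem -out herong/hy-cert.pem || return 1
  # Checks: chain verifies, policy dropped L=, database and serial advanced
  openssl verify -CAfile root/cert.pem herong/hy-cert.pem || return 1
  ! openssl x509 -in herong/hy-cert.pem -noout -subject | grep -q 'My City' &&
    [ -f root/certs/1000.pem ] && grep -q '^V' root/index.txt &&
    [ "$(cat root/serial)" = 1001 ]
}
```

Because the function does not run in a subshell, the caller's working directory is the scratch directory afterwards, so "tree root" shows the same layout as above.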

See the next tutorials on how to sign certificates with additional X509v3 extensions for different types of PKI applications.
