31.1 Generating a New CA

If you do not have a CA certificate, you can generate a new CA certificate as follows:

NOTE: When generating a new certificate, ensure that its validity is more than 365 days by specifying an appropriate value (the configuration and commands below use 375 days).

  1. Create a directory and configure the directory permissions:

    mkdir /root/ca

    cd /root/ca

    mkdir certs crl newcerts private

    chmod 700 private

    touch index.txt

    echo 1000 > serial

  2. Open the configuration file in a text editor (vi /root/ca/openssl.cnf) and add the following content (values shown are examples; change the parameter values to match your environment):

    # OpenSSL root CA configuration file.
    # Copy to `/root/ca/openssl.cnf`.
    [ ca ]
    default_ca = CA_default
    [ CA_default ]
    # Directory and file locations.
    dir = /root/ca
    certs = $dir/certs
    crl_dir = $dir/crl
    new_certs_dir = $dir/newcerts
    database = $dir/index.txt
    serial = $dir/serial
    RANDFILE = $dir/private/.rand
    # The root key and root certificate.
    private_key = $dir/private/ca.key.pem
    certificate = $dir/certs/ca.cert.pem
    # For certificate revocation lists.
    crlnumber = $dir/crlnumber
    crl = $dir/crl/ca.crl.pem
    crl_extensions = crl_ext
    default_crl_days = 30
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    name_opt = ca_default
    cert_opt = ca_default
    default_days = 375
    preserve = no
    policy = policy_strict
    [ policy_strict ]
    # The root CA should only sign intermediate certificates that match.
    # See the POLICY FORMAT section of `man ca`.
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ policy_loose ]
    # Allow the intermediate CA to sign a more diverse range of certificates.
    # See the POLICY FORMAT section of the `ca` man page.
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    [ req ]
    # Options for the `req` tool (`man req`).
    default_bits = 2048
    distinguished_name = req_distinguished_name
    string_mask = utf8only
    # SHA-1 is deprecated, so use SHA-2 instead.
    default_md = sha256
    # Extension to add when the -x509 option is used.
    x509_extensions = v3_ca
    [ req_distinguished_name ]
    countryName = Country
    stateOrProvinceName = State
    localityName = Locality
    0.organizationName = EntCorp
    organizationalUnitName = OrgName
    commonName = Common Name
    emailAddress = Email Address
    # Optionally, specify some defaults.
    countryName_default = <your country code>
    stateOrProvinceName_default = <your state or province>
    localityName_default =
    0.organizationName_default = <your company name>
    organizationalUnitName_default =
    emailAddress_default =
    [ v3_ca ]
    # Extensions for a typical CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ v3_intermediate_ca ]
    # Extensions for a typical intermediate CA (`man x509v3_config`).
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true, pathlen:0
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ usr_cert ]
    # Extensions for client certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "OpenSSL Generated Client Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection
    [ server_cert ]
    # Extensions for server certificates (`man x509v3_config`).
    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    [ crl_ext ]
    # Extension for CRLs (`man x509v3_config`).
    authorityKeyIdentifier=keyid:always
    [ ocsp ]
    # Extension for OCSP signing certificates (`man ocsp`).
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer
    keyUsage = critical, digitalSignature
    extendedKeyUsage = critical, OCSPSigning

  3. Generate a CA root key:

    openssl genrsa -out private/ca.key.pem 4096

    chmod 400 private/ca.key.pem

  4. Create a CA cert:

    openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 375 -sha256 -extensions v3_ca -out certs/ca.cert.pem

  5. Verify the root CA:

    chmod 444 certs/ca.cert.pem

    openssl x509 -noout -text -in certs/ca.cert.pem
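
The five steps above as one runnable script, added here as an example and not part of the original guide. It builds the CA in a scratch directory (mktemp) rather than /root/ca, writes a trimmed openssl.cnf containing only the sections the root CA itself uses, and differs from the steps above in three places a practitioner would want: the root key is passphrase-protected (genrsa -aes256, passphrase read from the CA_PASS environment variable, an assumed name), a crlnumber file is created because the configuration references it and `openssl ca -gencrl` fails without it, and a check function confirms after step 5 that the certificate is self-signed, carries CA:TRUE and keyCertSign, is SHA-256 signed, and remains valid for more than 365 days. The DN values, CA_DIR, KEY_BITS and CA_DAYS are placeholders.

```shell
#!/bin/sh
# Added example (not the guide's own script). Assumes openssl(1) 1.1 or 3.x
# is on PATH and that CA_PASS (an assumed variable name) holds the root-key
# passphrase; the DN values are placeholders.
set -eu

CA_PASS="${CA_PASS:-change-me-before-use}"; export CA_PASS
KEY_BITS="${KEY_BITS:-4096}"
CA_DAYS="${CA_DAYS:-3650}"     # must exceed 365 days (see the note above)

# Trimmed openssl.cnf: only the sections a root CA needs. Paths are relative
# to the CA directory because, as in the guide, every command runs from it.
write_ca_config() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
default_days = 375
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
# prompt = no makes req read the DN from this section instead of asking.
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Example State
organizationName = Example Corp
commonName = Example Corp Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Steps 1-5 in one go, plus two things the guide leaves out: a crlnumber
# file (openssl ca -gencrl fails without it) and a passphrase on the key.
make_root_ca() (
    mkdir -p "$1" && cd "$1"
    mkdir -p certs crl newcerts private && chmod 700 private
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    write_ca_config
    openssl genrsa -aes256 -passout env:CA_PASS -out private/ca.key.pem "$KEY_BITS" 2>/dev/null
    chmod 400 private/ca.key.pem
    openssl req -config openssl.cnf -key private/ca.key.pem -passin env:CA_PASS \
        -new -x509 -days "$CA_DAYS" -sha256 -extensions v3_ca -out certs/ca.cert.pem
    chmod 444 certs/ca.cert.pem
    # Empty CRL: proves the [ca] section and the crlnumber file are usable.
    openssl ca -config openssl.cnf -gencrl -passin env:CA_PASS -out crl/ca.crl.pem 2>/dev/null
)

# What to check after step 5. Exit status 0 means every check passed.
check_root_ca() (
    cd "$1"; cert=certs/ca.cert.pem
    openssl verify -CAfile "$cert" "$cert" >/dev/null            # self-signature verifies
    text=$(openssl x509 -noout -text -in "$cert")
    echo "$text" | grep -q 'CA:TRUE'                              # basicConstraints
    echo "$text" | grep -q 'Certificate Sign'                     # keyUsage keyCertSign
    echo "$text" | grep -q 'sha256WithRSAEncryption'              # not SHA-1
    openssl x509 -noout -checkend $((365 * 86400)) -in "$cert" >/dev/null  # valid beyond 365 days
    grep -q ENCRYPTED private/ca.key.pem                          # key is passphrase-protected
    [ -n "$(find private/ca.key.pem -perm 0400)" ]                # chmod 400 took effect
    openssl crl -noout -in crl/ca.crl.pem -CAfile "$cert" >/dev/null 2>&1  # CRL signed by this CA
)

CA_DIR="${CA_DIR:-$(mktemp -d)}"
make_root_ca "$CA_DIR"
check_root_ca "$CA_DIR"
echo "root CA created in $CA_DIR and passed all checks"
```

Run it with CA_PASS set in the environment; `-passin env:` keeps the passphrase out of the process list. Step 3 of the guide writes the root key unencrypted, which is acceptable only if the key is generated and kept on an offline machine; the -aes256 option used here adds a passphrase on top of the chmod 400. The check function is also a reasonable acceptance test to run against a CA that already exists: point it at the directory and look at the exit status.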