create a root certification authority with openssl
** NOTE : to use the elliptic curve ED25519 algorithm (this might cause you problem if you intend to use certificate authentication in the browser) you will need to use the openssl genpkey instead of genrsa with the extra following flags:
- -algorithm ED25519
- -pass stdin
- -aes-256-cbc
create and enter the directory structure
create the certification authority
create an extension file named "x509v3.cnf" that will be use to pass extra parameters to the certificate via environment variables
create a client certificate
#set environment variables
export CERTFQDN=subdomain.example.com
export OCSP=http://ocsp.example.com
#generate client key
openssl genrsa -out USERS/client1.key 4096
#generate client csr
openssl req -sha256 -new -key USERS/client1.key -out USERS/client1.csr
#create the client cert (and sign it with the CA) && create a serial file for the CA to increment the serial number (file CA/ca.srl will be automatically created)
openssl x509 -req -in USERS/client1.csr -CA CA/ca.pem -CAkey CA/ca.key -CAcreateserial -out USERS/client1.pem -days 825 -extfile x509v3.cnf -extensions x509v3_extras
#(optional step) extract the pubkey from the cert (can be use for ipsec vpn pub key auth)
openssl x509 -in USERS/client1.pem -noout -pubkey > USERS/client1.pub
#(optional step) create a bundle(key+cert) and export to pks12 format (can be used for S/MIME signing & encryption in thunderbird)
cat USERS/client1.key USERS/client1.pem > USERS/client1.bundle
openssl pkcs12 -export -in USERS/client1.bundle -out USERS/client1.p12
automating the process with a bash script
the only difference on the subsequent run is that we will use the -CAserial [path/file] instead of the -CAcreateserial command
create the script "create_certs.sh" in the PKI folder :
#!/bin/bash
read -p "enter certificate file name: " CERTNAME
read -p "enter certificate subjectAltName x509v3 extension: " CERTFQDN
read -p "enter authorityInfoAccess (OCSP) x509v3 extension: " OCSP
openssl genrsa -out USERS/${CERTNAME}.key 4096
openssl req -sha256 -new -key USERS/${CERTNAME}.key -out USERS/${CERTNAME}.csr
openssl x509 -req -in USERS/${CERTNAME}.csr -CA CA/ca.pem -CAkey CA/ca.key -CAserial CA/ca.srl -out USERS/${CERTNAME}.pem -days 825 -extfile x509v3.cnf -extensions x509v3_extras
openssl x509 -in USERS/${CERTNAME}.pem -noout -pubkey > USERS/client1.pub
cat USERS/${CERTNAME}.pem USERS/${CERTNAME}.key > USERS/${CERTNAME}.bundle
openssl pkcs12 -export -in USERS/${CERTNAME}.bundle -out USERS/${CERTNAME}.p12
make the script executable and run it
create an "openssl.cnf" file with the needed parameters
[ ca ]
default_ca = CA_default
[CA_default]
database = CA/index.txt
default_md = default
basicConstraints = CA:FALSE
[ v3_OCSP ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
validate a certificate: (requires a restart from the above server)
revoke a certificate: (requires a restart from the above server)
verify the status of a certificate with openssl ocsp command