OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation

These are quick and dirty notes on generating a certificate authority (CA), intermediate certificate authorities and end certificates using OpenSSL. It includes OCSP, CRL and CA Issuer information and specific issue and expiry dates.

We’ll set up our own root CA. We’ll use the root CA to generate an example intermediate CA. We’ll use the intermediate CA to sign end user certificates.

Root CA

Create and move in to a folder for the root ca:

mkdir ~/SSLCA/root/
cd ~/SSLCA/root/

Generate a 8192-bit long SHA-256 RSA key for our root CA:

openssl genrsa -aes256 -out rootca.key 8192

Example output:

Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)

If you want to password-protect this key, add the option -aes256.

Create the self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt

Example output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Root CA
Email Address []:

Create a few files where the CA will store it’s serials:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Place the CA config file. This file has stubs for CRL and OCSP endpoints.

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [ myca ]
 dir = ./
 new_certs_dir = $dir
 unique_subject = no
 certificate = $dir/rootca.crt
 database = $dir/certindex
 private_key = $dir/rootca.key
 serial = $dir/certserial
 default_days = 730
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 730

 [ myca_policy ]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ myca_extensions ]
 basicConstraints = critical,CA:TRUE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [ v3_ca ]
 basicConstraints = critical,CA:TRUE,pathlen:0
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [alt_names]
 DNS.0 = Sparkling Intermidiate CA 1
 DNS.1 = Sparkling CA Intermidiate 1

 [crl_section]
 URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
 URI.1 = http://pki.backup.com/SparklingRoot.crl

 [ocsp_section]
 caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
 caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
 OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
 OCSP;URI.1 = http://pki.backup.com/ocsp/

If you need to set a specific certificate start / expiry date, add the following to [myca]

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

Creating Intermediate 1 CA

Generate the intermediate CA’s private key:

openssl genrsa -out intermediate1.key 4096

Generate the intermediate1 CA’s CSR:

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr

Example output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Make sure the subject (CN) of the intermediate is different from the root.

Sign the intermediate1 CSR with the Root CA:

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

Example Output:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Zuid Holland'
localityName          :ASN.1 12:'Rotterdam'
organizationName      :ASN.1 12:'Sparkling Network'
organizationalUnitName:ASN.1 12:'Sparkling CA'
commonName            :ASN.1 12:'Sparkling Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

Generate the CRL (both in PEM and DER):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

Generate the CRL after every certificate you sign with the CA.

If you ever need to revoke the this intermediate cert:

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

Configuring the Intermediate CA 1

Create a new folder for this intermediate and move in to it:

mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/

Copy the Intermediate cert and key from the Root CA:

cp ~/SSLCA/root/intermediate1.key ./
cp ~/SSLCA/root/intermediate1.crt ./

Create the index files:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create a new ca.conf file:

# vim ca.conf
[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

 [ myca ]
 dir = ./
 new_certs_dir = $dir
 unique_subject = no
 certificate = $dir/intermediate1.crt
 database = $dir/certindex
 private_key = $dir/intermediate1.key
 serial = $dir/certserial
 default_days = 365
 default_md = sha1
 policy = myca_policy
 x509_extensions = myca_extensions
 crlnumber = $dir/crlnumber
 default_crl_days = 365

 [ myca_policy ]
 commonName = supplied
 stateOrProvinceName = supplied
 countryName = optional
 emailAddress = optional
 organizationName = supplied
 organizationalUnitName = optional

 [ myca_extensions ]
 basicConstraints = critical,CA:FALSE
 keyUsage = critical,any
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = digitalSignature,keyEncipherment
 extendedKeyUsage = serverAuth
 crlDistributionPoints = @crl_section
 subjectAltName  = @alt_names
 authorityInfoAccess = @ocsp_section

 [alt_names]
 DNS.0 = example.com
 DNS.1 = example.org

 [crl_section]
 URI.0 = http://pki.sparklingca.com/SparklingIntermidiate1.crl
 URI.1 = http://pki.backup.com/SparklingIntermidiate1.crl

 [ocsp_section]
 caIssuers;URI.0 = http://pki.sparklingca.com/SparklingIntermediate1.crt
 caIssuers;URI.1 = http://pki.backup.com/SparklingIntermediate1.crt
 OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
 OCSP;URI.1 = http://pki.backup.com/ocsp/

Change the [alt_names] section to whatever you need as Subject Alternative names. Remove it including thesubjectAltName = @alt_names line if you don’t want a Subject Alternative Name.

If you need to set a specific certificate start / expiry date, add the following to [myca]

# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911

Generate an empty CRL (both in PEM and DER):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem

openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

Creating end user certificates

We use this new intermediate CA to generate an end user certificate. Repeat these steps for every end user certificate you want to sign with this CA.

mkdir enduser-certs

Generate the end user’s private key:

openssl genrsa -out enduser-certs/enduser-example.com.key 4096

Generate the end user’s CSR:

openssl req -new -sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr

Example output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the end user’s CSR with the Intermediate 1 CA:

openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt

Example output:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'NL'
stateOrProvinceName   :ASN.1 12:'Noord Holland'
localityName          :ASN.1 12:'Amsterdam'
organizationName      :ASN.1 12:'Example Inc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName            :ASN.1 12:'example.com'
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Generate the CRL (both in PEM and DER):

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem

openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

Generate the CRL after every certificate you sign with the CA.

If you ever need to revoke the this end users cert:

openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

Example output:

Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated

Create the certificate chain file by concatenating the Root and intermediate 1 certificates together.

cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain

Send the following files to the end user:

enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain

You can also let the end user supply their own CSR and just send them the .crt file. Do not delete that from the server, otherwise you cannot revoke it.

Validating the certificate

You can validate the end user certificate against the chain using the following command:

openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt 
enduser-certs/enduser-example.com.crt: OK

You can also validate it against the CRL. Concatenate the PEM CRL and the chain together first:

cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain

Verify the certificate:

openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt

Output when not revoked:

enduser-certs/enduser-example.com.crt: OK

Output when revoked:

enduser-certs/enduser-example.com.crt: CN = example.com, ST = Noord Holland, C = NL, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked

How to Run You Own Certificate Authority on Linux

Run You Own Certificate Authority

Most websites, such as shopping, banking or email websites, need to let their customers know that the connection is secure. Thus, they need to pay a well-known and internationally trusted Certificate Authority (eg,VeriSign) to issue an SSL certificate. However, this isn’t always necessary. For example, if you’re setting up a virtual private network (VPN) or an intranet website, it might make more sense to issue your own certificates.

Being a Certificate Authority means dealing with cryptographic pairs of private keys and public certificates. Ideally the cryptographic pairs should be generated in a secure environment, which means a personal laptop or computer that is disconnected from the Internet. It is not recommended to generate any certificates directly on your server.

In this example, the /etc/CyberPunk/CA directory will be used to store all keys and certificates. The index.txt and serial files act as a kind of flat file database to help you keep track of all your keys and certificates.

Important: Ensure that your OpenSSL configuration file (/etc/CyberPunk/tls/openssl.cnf) specifiesdir=/etc/CyberPunk/CA within the [ CA_default ] section. Feel free to create your certificates within any other directory, as long as you change the dir= option to match.

cd/etc/CyberPunk/CA
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

The very first cryptographic pair we generate includes what is known as a  root certificate. The root key (ca.key.pem) generated in this step should be kept extremely secure, otherwise an attacker can issue valid certificates for themselves. We’ll therefore protect it with AES 256-bit encryption and a strong password just in case it falls into the wrong hands:

openssl genrsa -aes256 -out /etc/CyberPunk/CA/private/ca.key.pem 4096

Enter pass phrase for ca.key.pem: secretpassword
Verifying - Enter pass phrase for ca.key.pem: secretpassword

chmod 400 /etc/CyberPunk/CA/private/ca.key.pem

Open your OpenSSL configuration file (/etc/CyberPunk/tls/openssl.cnf) and look for the [ usr_cert ] and [ v3_ca ] sections. Make sure they contain the following options:

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

Now you can use the root key above to issue a root certificate (ca.cert.pem). In this example, the certificate is set to expire in ten years. As this is a Certificate Authority certificate, use the v3_ca extension. You will be prompted for some responses, which you can fill with whatever you like. For convenience, defaults can be set in the openssl configuration file.

openssl req -new -x509 -days 3650 -key /etc/CyberPunk/CA/private/ca.key.pem \
    -extensions v3_ca -out /etc/CyberPunk/CA/certs/ca.cert.pem

Enter pass phrase for ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:AQ
State or Province Name (full name) []:Antarctica
Locality Name (eg, city) [Default City]:TuX City
Organization Name (eg, company) [Default Company Ltd]:CyberPunk
Organizational Unit Name (eg, section) []:N0WHERE
Common Name (eg, your name or your server's hostname) []:N0WHERE NET
Email Address []:admin@n0where.net

chmod 444 /etc/CyberPunk/CA/certs/ca.cert.pem

Armed with your root key (ca.key.pem) and root certificate (ca.cert.pem), you are now ready to create an intermediate certificate authority or issue and sign your own SSL certificates

Intermediate Certificate

An intermediate certificate authority (CA) is an intermediary that can sign certificates on behalf of the root certificate authority. A certificate can be signed by the intermediate CA, which itself is signed by the root certificate authority, so a chain of trust is formed.

Having an intermediate certificate authority makes life more convenient in the event that your key is compromised. Using your root certificate authority, you can revoke your compromised intermediate certificate authority and create another. It also allows you to keep your root CA completely off-line (eg, on an encrypted USB) and you will only have to use your root key to revoke or renew your intermediate certificate.

If you are acting as your own certificate authority, you can easily create an intermediate certificate authority. You should have a root key and root certificate inside the /etc/CyberPunk/CA directory. Use a completely new directory to hold your intermediate certificate authority and any certificates that you sign with it. In this case, the directory tree is created in /etc/CyberPunk/CA/intermediate:

cd /etc/CyberPunk/CA/intermediate
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

A different directory tree is being used, so you must let openssl know about this. First, copy your configuration file to the new directory:

 cp /etc/CyberPunk/tls/openssl.cnf /etc/CyberPunk/CA/intermediate/openssl.cnf

Then ensure dir=/etc/CyberPunk/CA/intermediate is specified within the [ CA_default ] section of your new configuration file.

Important: Whenever you want to create and sign a certificate with your intermediate certificate authority, you must pass the -config /etc/CyberPunk/CA/intermediate/openssl.cnf option so that openssl knows which directory holds your intermediate certificate authority.

Now you can create the intermediate key. Like the root key, this should be kept very secure.

cd /etc/CyberPunk/CA
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096

Enter pass phrase for intermediate.key.pem: secretpassword
Verifying - Enter pass phrase for intermediate.key.pem: secretpassword

chmod 400 intermediate/private/intermediate.key.pem

Using the intermediate key, create the intermediate CSR. Make sure the Organizational Name matches the one set for your root certificate authority. You can leave the extra attributes empty.

 cd /etc/CyberPunk/CA
openssl req -config intermediate/openssl.cnf \
    -new -key intermediate/private/intermediate.key.pem \
    -out intermediate/certs/intermediate.csr.pem

Enter pass phrase for intermediate.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:AQ
State or Province Name (full name) []:Antarctica
Locality Name (eg, city) [Default City]:TuX City
Organization Name (eg, company) [Default Company Ltd]:CyberPunk
Organizational Unit Name (eg, section) []:N0WHERE
Common Name (eg, your name or your server's hostname) []:N0WHERE NET
Email Address []:admin@n0where.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You can now sign your intermediate CSR with your root certificate authority to issue an intermediate certificate. Use the v3_ca extension as this is a certificate authority certificate.

NB: Note that you can avoid having to specify -keyfile and -cert options by changing theprivate_key and certificate options in the [ CA_default ] section of your openssl configuration.

cd /etc/CyberPunk/CA
openssl ca -config intermediate/openssl.cnf  \
    -keyfile private/ca.key.pem \
    -cert certs/ca.cert.pem \
    -extensions v3_ca -notext -md sha1 \
    -in intermediate/certs/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem

chmod 444 intermediate/certs/intermediate.cert.pem

To verify that your intermediate certificate is valid, run the following:

openssl verify -CAfile /etc/CyberPunk/CA/certs/ca.cert.pem \
/etc/CyberPunk/CA/intermediate/certs/intermediate.cert.pem

/etc/CyberPunk/CA/intermediate/certs/intermediate.cert.pem: OK

When an Internet browser or any other application tries to verify a certificate signed by your intermediate certificate authority, it will also need to verify the intermediate certificate against the root certificate. To do this, it will need a certificate chain file. This is created by simply concatenating your intermediate certificate and root certificate together:

cd /etc/CyberPunk/CA
cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

chmod 444 intermediate/certs/ca-chain.cert.pem

At this point you are ready to issue and sign certificates using your intermediate certificate authority. To verify that certificates signed by your intermediate certificate authority are valid, you must test them against the certificate chain file:

openssl verify -CAfile /etc/CyberPunk/CA/intermediate/certs/ca-chain.cert.pem \
    /etc/CyberPunk/CA/intermediate/certs/n0where.net.cert.pem

/etc/CyberPunk/CA/intermediate/certs/n0where.net.cert.pem: OK

Create and Sign SSL Certificates

If you’ve taken the necessary steps to become your own certificate authority, you are now in a position to issue and sign your own SSL certificates.

The first step is to create a private key. If your aim is to enable SSL on a web server, bear in mind that if the key is encrypted then you’ll have to enter the encryption password every time you restart your web server. Use the -aes256 argument if you wish to encrypt your private key.

If you have followed this tutorial through intermediate certificate authority setup  you should navigate to/etc/CyberPunk/CA/intermediate in the following steps (If you skipped intermediate part you should stay in /etc/CyberPunk/CA).

cd /etc/CyberPunk/CA
openssl genrsa -out private/n0where.net.key.pem 4096

chmod 400 private/n0where.net.key.pem

The next step is to generate a certificate signing request (CSR). Normally, you would send your CSR to a trusted certificate authority (eg, VeriSign) who will then send you back a signed certificate in exchange for money. You can instead sign it yourself for free.

Make sure that the Organization Name you choose below matches the one set for your CA root certificate. The extra attributes can be left blank. If you are creating a self-signed certificate, you would also use the -x509 and -days options.

cd /etc/CyberPunk/CA
openssl req -new -key private/n0where.net.key.pem \
    -out certs/n0where.net.csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:AQ
State or Province Name (full name) []:Antarctica
Locality Name (eg, city) [Default City]:TuX City
Organization Name (eg, company) [Default Company Ltd]:CyberPunk
Organizational Unit Name (eg, section) []:N0WHERE
Common Name (eg, your name or your server's hostname) []:n0where.net
Email Address []:admin@n0where.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As you are acting as your own certificate authority, you can use your certificate authority root key (ca.key.pem) and certificate authority root certificate (ca.cert.pem) to sign the CSR (n0where.net.csr.pem) and issue a new certificate (n0where.net.cert.pem).

NB: Note that you can avoid having to specify -keyfile and -cert options by changing theprivate_key and certificate options in the [ CA_default ] section of your openssl configuration.

cd /etc/CyberPunk/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -extensions usr_cert -notext -md sha1 \
    -in certs/n0where.net.csr.pem -out certs/n0where.net.cert.pem

chmod 444 /etc/CyberPunk/CA/certs/n0where.net.cert.pem

If you have followed the intermediate CA part then you can sign the CSR with your intermediate certificate authority instead. Just pass the -config /etc/CyberPunk/CA/intermediate/openssl.cnf option and change –keyfile and –cert to the intermediate key and certificate respectively.

The index.txt file is where the openssl ca tool stores the certificate database, so don’t delete it or edit it by hand! It should now contain a line referring to the certificate you just issued:

cat /etc/CyberPunk/CA/index.txt
V 140825154152Z   1000  unknown /C=AQ/ST=Antarctica/O=CyberPunk/OU=N0WHERE/CN=n0where.net/emailAddress=admin@n0where.net

You can verify the details of your certificate using openssl. Near the top of the output you will be able to see details of the issuer. This is the identity of the certificate authority that signed the certificate, which in this case is your own CA. The subject is the identity of the certificate you just signed:

 openssl x509 -in n0where.net.cert.pem -noout -text

Certificate:
        ...
        Issuer: C=AQ, ST=Antarctica, L=TuX City, O=CyberPunk CA, OU=N0WHERE, CN=N0WHERE NET/emailAddress=admin@n0where.net
        ...
        Subject: C=AQ, ST=Antarctica, O=CyberPunk CA, OU=N0WHERE, CN=n0where.net/emailAddress=admin@n0where.net
        ...

You can also use openssl to verify the certificate against your root CA:

 openssl verify -CAfile /etc/CyberPunk/CA/certs/ca.cert.pem \
    /etc/CyberPunk/CA/certs/n0where.net.cert.pem
www.example.com.cert.pem: OK

You can now use your signed certificate for fun and profit! To allow a service (eg, Apache) to make use of your certificate, the following files need to be transferred to your server:

• ca.cert.pem
• n0where.net.key.pem
• n0where.net.cert.pem

Clients can install your root certificate (ca.cert.pem) into their Internet browser. All certificates signed by you will then be trusted by their browser and they will no longer see a This Connection is Untrusted message. It’s a good idea to create a detached signature for your root certificate with GnuPG; clients can then verify that the certificate they’re installing in their browser really is the correct one.

On Debian and Ubuntu you have to copy the certificate.pem to /usr/local/share/ca-certificates and then run update-ca-certificates. /etc/ssl/certs is managed by that command.

Create the CRL

Before we can generate a CRL, we must create a crlnumber file, which openssl requires to keep track of the next CRL number to use:

echo 1000 > /etc/CyberPunk/CA/crlnumber

By default, the openssl configuration file (/etc/CyberPunk/tls/openssl.cnf) uses V1 CRL lists. Uncomment the crl_extensions = crl_ext line to enable V2 CRL lists. This is probably a good idea unless you have a strong reason to stick with V1 CRL lists (eg, using an Internet browser from the Jurassic period). Now you can generate the CRL.

NB: Note that you can avoid having to specify –keyfile and –cert options by changing theprivate_key and certificate options in the [ CA_default ] section of your openssl configuration.

cd /etc/CyberPunk/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

You can view the CRL with this command:

 crl -in /etc/CyberPunk/CA/crl/crl.pem -text

There are several other CRL options that can be used when generating your CRL list. See the CRL OPTIONS section in the ca manual page (man ca) for more information.

Revoke the certificate

cd /etc/CyberPunk/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -revoke certs/bad.certificate.cert.pem

If you take another look at the index.txt database, you’ll see that the V at the start of the line has changed to an R, which means the certificate has been revoked.

cat /etc/CyberPunk/CA/index.txt

R 140825183639Z 130825184208Z 1000  unknown /C=AQ/ST=Antarctica/O=CyberPunk CA/OU=N0WHERE/CN=badcertificate.net/emailAddress=admin@n0where.net

Note that newly created certificates are also placed in the /etc/CyberPunk/CA/newcerts directory, with a filename that matches the serial number in index.txt.

Update the CRL

Now that badcertificate.net certificate has been revoked, we need to re-generate the CRL:

cd /etc/CyberPunk/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

Let’s take another look at the CRL:

openssl crl -in /etc/CyberPunk/CA/crl/crl.pem -text

Certificate Revocation List (CRL):
...
Revoked Certificates:
    Serial Number: 1000
...