Setup der OpenSSL Intermediate Certificate Authority
Intermediate CA Setup
Vorbereitung der Struktur
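#!/usr/bin/env bash
# Create the directory layout and bookkeeping files that the intermediate
# CA's openssl.cnf ([ CA_default ]) expects below <base>/intermediate.
#
# Fixes against the original command list:
#   * the "cd intermediate / mkdir ..." sequence was listed twice; running
#     it as written creates a nested intermediate/intermediate tree;
#   * "crlnumber" was never created although CA_default references
#     $dir/crlnumber, so "openssl ca -gencrl" would fail.
set -euo pipefail

#######################################
# Prepare the intermediate CA tree.
# Arguments: $1 - base directory (the <intermediate-ca-verzeichnis>)
# Outputs:   creates $1/intermediate/{certs,crl,newcerts,private,csr},
#            an empty index.txt, serial and crlnumber (both hex 1000)
# Returns:   1 if CA state already exists there (nothing is overwritten)
#######################################
setup_intermediate_ca_dirs() {
  local base=$1
  local dir="${base}/intermediate"

  # Never run on top of an existing CA: truncating index.txt or serial
  # would silently corrupt the issuance database.
  if [[ -e "${dir}/index.txt" || -e "${dir}/serial" ]]; then
    printf 'refusing to overwrite existing CA state in %s\n' "$dir" >&2
    return 1
  fi

  mkdir -p -- "$dir"/{certs,crl,newcerts,private,csr}
  # Private keys live here; only the CA operator may enter or list it.
  chmod 700 -- "${dir}/private"
  # Empty issuance database; "openssl ca" appends one line per issued cert.
  : > "${dir}/index.txt"
  # Serial numbers are hexadecimal: the first certificate gets 0x1000 (4096).
  printf '1000\n' > "${dir}/serial"
  # CRL numbers are hexadecimal too; referenced as $dir/crlnumber in CA_default.
  printf '1000\n' > "${dir}/crlnumber"
}

# Example: setup_intermediate_ca_dirs /<intermediate-ca-verzeichnis>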
Konfigurationsdatei
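# Every later command references this file as "openssl.cnf"
# (openssl req -config openssl.cnf, openssl ca -config openssl.cnf);
# the original page created it as "openssl.cfg", which those commands would not find.
vi openssl.cnf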
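# Base directory of the whole CA hierarchy; CA_default derives $dir from it.
# No trailing slash: "/CA/" + "/intermediate" yields "/CA//intermediate"
# (the same double slash shows up in the root CA's passphrase prompt below).
HOME = /CA
oid_section = new_oids

# Private OIDs for the timestamping section at the end of this file, which
# nothing in this guide uses. 1.2.3.4.x are the placeholder values from the
# stock openssl.cnf, not registered OIDs; replace them with OIDs from your
# own arc before enabling the TSA.
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7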
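[ ca ]
default_ca = CA_default                            # section used by "openssl ca"

[ CA_default ]
dir              = $HOME/intermediate              # everything below lives here
certs            = $dir/certs                      # issued certificates
crl_dir          = $dir/crl                        # issued CRLs
database         = $dir/index.txt                  # issuance database (must exist, may be empty)
new_certs_dir    = $dir/newcerts                   # copy of every issued cert, named <serial>.pem
certificate      = $certs/intermediatecert.pem     # this CA's own certificate
serial           = $dir/serial                     # next serial number, hexadecimal (must exist)
crlnumber        = $dir/crlnumber                  # next CRL number, hexadecimal (must exist);
                                                   # comment out to issue V1 CRLs
crl              = $dir/intermediatecrl.pem        # current CRL
private_key      = $dir/private/intermediatekey.pem   # CA signing key (passphrase protected)
x509_extensions  = usr_cert                        # default extensions for issued certs
name_opt         = ca_default                      # subject name display options
cert_opt         = ca_default                      # certificate field display options
default_days     = 3650                            # default validity of issued certs
default_crl_days = 30                              # CRL lifetime: a fresh CRL must be published before it expires
default_md       = sha256                          # signature digest, pinned explicitly (was "default",
                                                   # i.e. whatever the key type picks)
preserve         = no                              # reorder the DN according to the policy
policy           = policy_match

# copy_extensions is deliberately left unset (= none): extensions requested in
# a CSR (SANs, but equally CA:TRUE or keyUsage) are ignored and only the
# section named by x509_extensions / -extensions is applied. Enable
# "copy_extensions = copy" only if every CSR is reviewed before signing.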
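# Subject policy for certificates issued by this intermediate: "match" fields
# must equal the CA's own value, "supplied" must be present, "optional" is
# kept when present. Any DN attribute NOT listed here is silently dropped
# from the issued certificate. The signing transcript in this guide shows
# exactly that: the CSR prompt asked for L=Freigericht, the issued subject
# has no L= because the signing CA's policy did not list localityName.
# localityName is therefore listed here so this CA does not repeat it.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Permissive policy, selectable per request with "openssl ca -policy policy_anything".
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional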
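[ req ]
default_bits       = 4096
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
x509_extensions    = v3_ca        # only used by "req -x509" (self-signed certs); the
                                  # CSR created in this guide is made with plain "req -new"
                                  # and no req_extensions, so it carries no extensions
string_mask        = utf8only     # UTF8String/PrintableString only, no legacy T61/BMP strings

# Prompts and defaults for "openssl req". The _default values are the
# tutorial author's organisation; replace them with your own.
[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = DE
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Hessen
localityName                   = Locality Name (eg, city)
localityName_default           = Freigericht
0.organizationName             = Organization Name (eg, company)
0.organizationName_default     = HCON
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = Consulting
commonName                     = Common Name (e.g. server FQDN or YOUR name)
commonName_max                 = 64
commonName_default             = HCON Intermediate CA
emailAddress                   = Email Address
emailAddress_max               = 64
# The published page lost the real address to a web anti-spam filter (the
# value read "Diese E-Mail-Adresse ist vor Spambots geschützt! ..."), which
# would otherwise end up verbatim in every certificate. No default is set;
# enter your address at the prompt or uncomment and fill in the line below.
# emailAddress_default         = <email-adresse>

# Optional CSR attributes. The challenge password is stored inside the CSR
# and visible to whoever handles it; it is not a security control and can
# simply be left empty at the prompt.
[ req_attributes ]
challengePassword              = A challenge password
challengePassword_min          = 4
challengePassword_max          = 20
unstructuredName               = An optional company name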
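# Default extension set for end-entity certificates (x509_extensions in
# CA_default). keyUsage was added so that certificates issued with the
# default profile are constrained like the server_cert profile below
# instead of having unrestricted key usage; adjust it for non-RSA keys
# (e.g. keyAgreement instead of keyEncipherment).
# nsComment / nsCertType are legacy Netscape extensions that modern clients
# ignore; they are kept only for compatibility with the original file.
[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment

# Extensions for CSRs. Only applied when [ req ] sets "req_extensions = v3_req"
# (it does not), so this section is currently inert.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

# Extensions for a self-signed CA certificate ("req -x509"). There is no
# keyUsage (keyCertSign, cRLSign) and no pathlen here; the intermediate
# certificate in this guide gets those from the root CA's "intermediate_ca"
# section, which is why the signed result shows "CA:TRUE, pathlen:0".
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true

# CRL extensions. Used only when CA_default sets "crl_extensions = crl_ext"
# or "openssl ca -gencrl -crlexts crl_ext" is given.
[ crl_ext ]
authorityKeyIdentifier = keyid:always

# TLS server profile, selected with "openssl ca -extensions server_cert".
# Subject Alternative Names are not set here; because copy_extensions is not
# enabled they must be supplied per request (own extension section or -extfile).
[ server_cert ]
basicConstraints       = CA:FALSE
nsCertType             = server
nsComment              = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth

# Proxy certificate profile copied from the stock openssl.cnf (note the
# placeholder "policy:foo"); not used anywhere in this guide.
[ proxy_cert_ext ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
proxyCertInfo          = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo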
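# Time-Stamping Authority settings for "openssl ts". Nothing in this guide
# uses them: this is the stock openssl.cnf example (note "./demoCA", which
# does not point at this CA). Hardened anyway in case it is ever enabled:
# SHA-1 is no longer accepted as a message imprint, and the ESS certificate
# identifier uses SHA-256 (ESSCertIDv2, RFC 5816) instead of SHA-1.
[ tsa ]
default_tsa = tsa_config1                          # the default TSA section

[ tsa_config1 ]
dir                    = ./demoCA                  # TSA root directory (not this CA's tree)
serial                 = $dir/tsaserial            # the current serial number (mandatory)
crypto_device          = builtin                   # OpenSSL engine to use for signing
signer_cert            = $dir/tsacert.pem          # the TSA signing certificate (optional)
certs                  = $dir/cacert.pem           # certificate chain to include in reply (optional)
signer_key             = $dir/private/tsakey.pem   # the TSA private key (optional)
signer_digest          = sha256                    # signing digest to use (optional)
default_policy         = tsa_policy1               # policy if the request did not specify one (optional)
other_policies         = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests                = sha256, sha384, sha512    # acceptable message digests (mandatory); sha1 removed
accuracy               = secs:1, millisecs:500, microsecs:100   # (optional)
clock_precision_digits = 0                         # number of digits after the dot (optional)
ordering               = yes                       # is ordering defined for timestamps? (optional, default: no)
tsa_name               = yes                       # must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain      = no                        # must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_alg        = sha256                    # hash for the ESS certificate identifier (was sha1)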
Anlegen des Intermediate CA Keys und Zertifikats
# cd /<intermediate-ca-verzeichnis>
# openssl genrsa -aes256 -out private/intermediatekey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.........................++++
............................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for private/intermediatekey.pem:
Verifying - Enter pass phrase for private/intermediatekey.pem:
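# Paths must match the key generated above (private/intermediatekey.pem, as
# the passphrase prompt below confirms) and the CSR path the root CA signs
# later (csr/intermediatecsr.pem). The original line used
# "intermediate.key.pem" and "intermediate.csr.pem", which do not exist in
# this layout.
openssl req -config openssl.cnf -new -sha256 \
  -key private/intermediatekey.pem \
  -out csr/intermediatecsr.pem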
Enter pass phrase for private/intermediatekey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Freigericht]:
Organization Name (eg, company) [HCON]:
Organizational Unit Name (eg, section) [Consulting]:
Common Name (e.g. server FQDN or YOUR name) [HCON Intermediate CA]:
Email Address [<email-adresse>]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# cd /<root-ca-verzeichnis>
# openssl ca -config openssl.cnf -extensions intermediate_ca -days 3650 -notext -md sha256 -in ../intermediate/csr/intermediatecsr.pem -out ../intermediate/certs/intermediatecert.pem
Using configuration from openssl.cnf
Enter pass phrase for /CA//ca/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Feb 2 09:05:33 2021 GMT
Not After : Jan 31 09:05:33 2031 GMT
Subject:
countryName = DE
stateOrProvinceName = Hessen
organizationName = HCON
organizationalUnitName = Consulting
commonName = HCON Intermediate CA
emailAddress = <email-adresse>
X509v3 extensions:
X509v3 Subject Key Identifier:
CD:8C:35:0F:1F:95:D3:09:4C:3C:0C:9C:66:BD:2E:78:DC:FF:F0:C3
X509v3 Authority Key Identifier:
keyid:62:4B:D8:4A:6C:B4:40:A6:23:A6:35:A3:07:B8:57:8E:9A:0C:54:C2
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 31 09:05:33 2031 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# cd /<intermediate-ca-verzeichnis>
# openssl x509 -noout -text -in certs/intermediatecert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = Hessen, L = Freigericht, O = HCON, OU = Consulting, CN = HCON Root CA, emailAddress = <email-adresse>
Validity
Not Before: Feb 2 09:05:33 2021 GMT
Not After : Jan 31 09:05:33 2031 GMT
Subject: C = DE, ST = Hessen, O = HCON, OU = Consulting, CN = HCON Intermediate CA, emailAddress = <email-adresse>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b5:84:c8:f1:72:e5:eb:95:0c:8a:8b:fe:1f:13:
86:00:b3:14:35:c5:b7:f4:56:37:c8:09:ef:00:84:
bb:91:af:5e:a2:8d:e9:43:09:e4:b3:53:75:1d:de:
16:e9:1c:62:b8:53:9c:0f:d1:7c:f5:d6:27:59:5d:
a0:23:18:ad:1c:57:8b:8b:11:c5:c2:c1:c7:5c:27:
8d:e8:b4:38:0c:8f:53:45:d1:6a:6f:5f:26:45:c0:
00:6a:f1:52:9f:d9:85:a0:3d:66:90:6d:84:7e:80:
d2:3b:9d:37:24:8d:e4:f2:12:de:ec:73:a5:91:6a:
5b:46:7f:27:f2:49:24:70:50:77:c5:d7:e6:83:97:
65:9c:4d:1d:a2:ff:89:5c:72:09:b3:2c:51:77:45:
84:05:e3:3a:4f:23:fe:c7:7b:7a:1e:21:34:49:61:
57:fe:aa:f1:54:26:b8:a1:67:75:b3:aa:b7:4d:8e:
ed:02:de:eb:60:28:17:d3:6b:8c:19:cc:20:24:b1:
eb:08:b5:db:d6:7c:2c:52:2f:dd:49:13:de:28:b6:
1e:82:f4:22:85:76:21:c0:1e:31:56:7a:0f:9c:4f:
e0:8c:e3:82:25:dc:30:13:a7:16:ee:04:dd:2e:15:
52:9f:0c:c4:da:12:ea:42:88:43:fd:13:d3:69:a1:
dc:b1:50:a1:0a:78:1e:c4:cf:29:71:02:a0:94:0a:
fe:97:92:f3:4c:ff:e9:86:01:c4:66:cc:26:b1:11:
7c:15:15:bb:1d:d6:1b:a1:68:ce:64:86:18:07:09:
a6:b8:30:eb:78:0c:78:bf:09:64:a6:10:df:7c:95:
a2:cc:7e:79:a8:41:a8:57:65:cb:8d:b1:95:1e:d8:
11:e1:07:db:3a:79:c3:b4:7e:78:2e:e2:fa:92:dc:
18:91:cc:6a:0c:ec:d2:7a:89:2c:56:b9:8a:03:5f:
92:e5:2a:9d:7f:f4:c4:1d:9c:1a:0f:47:bd:d3:6a:
bd:bc:c6:0c:10:14:75:f0:f4:cf:7f:da:02:71:07:
fe:fe:03:c8:7a:9a:e0:70:8f:3b:2b:12:03:d1:e2:
14:de:8d:b4:93:18:dc:4b:42:77:ba:d6:0f:c5:ac:
ac:7c:d6:53:d7:92:b2:11:b7:6e:1c:35:d0:10:b6:
cc:ad:66:56:5c:6c:e1:3e:ab:76:ca:79:15:da:50:
ff:9f:98:5f:6c:89:f6:74:93:8f:91:80:02:05:96:
a8:b2:42:38:1a:45:0f:7f:c3:fb:84:c0:88:3a:98:
c5:d3:25:19:8e:ef:cf:fd:9b:2f:41:fb:f5:0f:d2:
29:d6:cf:28:2e:49:b3:ba:d5:eb:af:3f:83:8b:a6:
d2:88:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CD:8C:35:0F:1F:95:D3:09:4C:3C:0C:9C:66:BD:2E:78:DC:FF:F0:C3
X509v3 Authority Key Identifier:
keyid:62:4B:D8:4A:6C:B4:40:A6:23:A6:35:A3:07:B8:57:8E:9A:0C:54:C2
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
a0:18:8a:c4:0a:66:86:b8:b9:e9:f6:7f:4f:5d:1c:68:33:db:
c6:cc:87:0d:32:32:d2:e3:0a:ca:15:ce:b9:a8:d0:6e:40:51:
38:af:ea:e9:cd:5b:da:66:a6:c0:19:54:b5:60:bb:a1:09:23:
41:04:f3:d2:db:65:76:3a:66:2b:90:a7:61:d9:13:5d:f9:a0:
88:e9:ec:03:33:97:bb:a6:88:12:4c:d1:de:6a:14:ba:cc:39:
62:82:72:4b:77:45:28:81:f3:28:f4:8c:dc:32:4e:de:b4:39:
88:f3:44:93:b9:97:ed:9b:65:7a:46:79:38:01:5e:37:95:60:
e4:f5:c9:c5:e4:6a:0c:21:0a:39:11:ea:80:61:91:b6:19:d9:
33:17:88:aa:0b:56:a7:e8:8a:4b:bd:fb:93:1e:e0:22:45:da:
6d:42:24:c5:ce:d2:6d:8c:37:25:64:95:6e:da:c0:9c:1b:fa:
49:f4:33:09:33:5c:16:6b:e8:63:c6:54:1b:07:12:3d:c9:19:
1e:17:0c:3b:45:64:8d:28:d9:07:c1:ea:a3:72:d2:32:fc:4c:
c0:45:f7:6a:49:c7:e9:89:84:01:38:4f:7e:0d:e3:4d:75:a4:
da:77:14:4c:37:35:fc:3f:a2:24:1e:17:88:4c:dd:4f:35:85:
db:d6:c0:fd:83:31:f8:ed:99:e2:87:70:62:70:7f:21:fd:80:
b6:cf:a9:f7:97:d8:42:9c:98:42:ac:0b:be:09:85:cc:17:8d:
c9:19:d3:c6:35:b2:ff:37:b7:0e:13:0e:f4:96:59:56:60:c9:
7f:64:d0:d1:02:13:a5:0c:eb:b7:1c:82:4c:4a:0d:f9:97:d8:
bf:dc:1c:66:d6:7d:6b:d6:98:74:76:e6:40:b6:51:91:9c:48:
68:99:53:c3:a1:fe:78:cf:c1:a8:14:64:cd:93:62:52:ae:e9:
e3:e2:c2:e0:9a:67:49:b0:37:7c:1c:cf:87:a9:e2:be:ff:ef:
3d:cb:13:fe:9d:f2:53:df:0f:e7:29:f0:d6:29:ef:32:be:a6:
2f:a7:80:36:4b:3c:cb:af:f4:6b:a3:f7:2f:9e:05:3c:07:a9:
ef:d5:5d:b5:ae:fd:e0:d6:ff:f8:e4:65:09:93:5e:b7:21:1a:
cf:e2:bd:8e:64:aa:1e:3e:8e:ee:36:1b:1d:06:98:2e:16:97:
6a:52:bb:93:73:40:b9:60:4f:14:ea:12:c1:0a:ad:09:b2:b1:
c6:c9:ec:f8:3b:42:24:f2:c0:08:4f:39:a2:a2:b5:9d:16:64:
7c:bf:83:9d:9a:c2:90:77:b4:b4:68:65:58:ed:09:fc:ba:97:
9c:99:80:4a:a2:72:07:63