  Preparations
 
Subject: Preparations
Author: authen
In response to: SSL/TLS Certificate Authority via OpenSSL Win64
Posted on: 09/11/2015 11:04:29 PM

Follow these examples:

http://pki-tutorial.readthedocs.org/en/latest/simple/

Download the following configuration files

  • rootCA.conf -- used for the Root CA's openssl req and openssl ca commands
  • interCA.conf -- used for the Signing CA's openssl req and openssl ca commands
  • email.conf -- used for a user's certificate request (openssl req)
  • server.conf -- used for a server's certificate request (openssl req)

    The Windows versions of the above files used in this thread are as follows:

    rootCA.conf
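    # Simple Root CA (Windows layout used in this thread)
    #
    # Consumed by the openssl req and openssl ca commands. OpenSSL's own config
    # parser reads this file: '#' starts a comment anywhere on a line, and
    # $name expands to a key from the current section or from [default].

    # The [default] section contains global constants that can be referred to from
    # the entire configuration file. It may also hold settings pertaining to more
    # than one openssl command.

    [ default ]
    ca                      = rootCA                # CA name
    dir                     = .                     # Top dir

    # The next part of the configuration file is used by the openssl req command.
    # It defines the CA's key pair, its DN, and the desired extensions for the CA
    # certificate.

    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = no                    # Don't prompt for DN
    distinguished_name      = ca_dn                 # DN section
    req_extensions          = ca_reqext             # Desired extensions

    [ ca_dn ]
    0.domainComponent       = "org"
    1.domainComponent       = "simple"
    organizationName        = "Simple Inc"
    organizationalUnitName  = "Simple Root CA"
    commonName              = "Simple Root CA"

    # Extensions requested in the root's own CSR. What ends up in the root
    # certificate is decided by root_ca_ext below, selected with -extensions
    # on the openssl ca command line when the root signs itself.
    [ ca_reqext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash

    # The remainder of the configuration file is used by the openssl ca command.
    # The CA section defines the locations of CA assets, as well as the policies
    # applying to the CA.

    [ ca ]
    default_ca              = root_ca               # The default CA section

    # All assets live under $dir/myCA. The private key sits in its own
    # $dir/myCA/$ca directory next to the database, serial and CRL-number files;
    # restrict access to that directory, since this key is the trust anchor.
    [ root_ca ]
    certificate             = $dir/myCA/$ca.crt     # The CA cert
    private_key             = $dir/myCA/$ca/$ca.key # CA private key
    new_certs_dir           = $dir/myCA/$ca         # Certificate archive
    serial                  = $dir/myCA/$ca/$ca.srl # Serial number file
    crlnumber               = $dir/myCA/$ca/$ca.crl # CRL number file (a counter, not the CRL itself)
    database                = $dir/myCA/$ca/$ca.db  # Index file
    unique_subject          = no                    # Allow re-issuing the same subject (renewals)
    default_days            = 3652                  # How long to certify for
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    policy                  = match_pol             # Default naming policy
    email_in_dn             = no                    # Add email to cert DN
    preserve                = no                    # Keep passed DN ordering
    name_opt                = ca_default            # Subject DN display options
    cert_opt                = ca_default            # Certificate display options
    copy_extensions         = none                  # Ignore CSR extensions; only signing_ca_ext decides
    x509_extensions         = signing_ca_ext        # Default cert extensions
    default_crl_days        = 365                   # How long before next CRL
    crl_extensions          = crl_ext               # CRL extensions

    # Naming policies control which parts of a DN end up in the certificate and
    # under what circumstances certification should be denied.

    [ match_pol ]
    domainComponent         = match                 # Must match 'simple.org'
    organizationName        = match                 # Must match 'Simple Inc'
    organizationalUnitName  = optional              # Included if present
    commonName              = supplied              # Must be present

    # Permissive policy; not selected by default, use -policy any_pol to opt in.
    [ any_pol ]
    domainComponent         = optional
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = optional
    emailAddress            = optional

    # Certificate extensions define what types of certificates the CA is able to
    # create.

    # Self-signed root certificate: no path length limit.
    [ root_ca_ext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    # Subordinate signing CA: pathlen:0 lets it issue end-entity certificates
    # only, never further CAs.
    [ signing_ca_ext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true,pathlen:0
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    # CRL extensions exist solely to point to the CA certificate that has issued
    # the CRL.

    [ crl_ext ]
    authorityKeyIdentifier  = keyid:always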
    


    interCA.conf
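    # Simple Signing CA (Windows layout used in this thread)
    #
    # Consumed by the openssl req and openssl ca commands. OpenSSL's own config
    # parser reads this file: '#' starts a comment anywhere on a line, and
    # $name expands to a key from the current section or from [default].

    # The [default] section contains global constants that can be referred to from
    # the entire configuration file. It may also hold settings pertaining to more
    # than one openssl command.

    [ default ]
    ca                      = interCA               # CA name
    dir                     = .                     # Top dir

    # The next part of the configuration file is used by the openssl req command.
    # It defines the CA's key pair, its DN, and the desired extensions for the CA
    # certificate.

    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = no                    # Don't prompt for DN
    distinguished_name      = ca_dn                 # DN section
    req_extensions          = ca_reqext             # Desired extensions

    [ ca_dn ]
    0.domainComponent       = "org"
    1.domainComponent       = "simple"
    organizationName        = "Simple Inc"
    organizationalUnitName  = "Simple Signing CA"
    commonName              = "Simple Signing CA"

    # Extensions requested in the signing CA's CSR. The root CA does not copy
    # CSR extensions (copy_extensions = none in rootCA.conf) and applies its own
    # signing_ca_ext instead, so these only document the intent.
    [ ca_reqext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true,pathlen:0
    subjectKeyIdentifier    = hash

    # The remainder of the configuration file is used by the openssl ca command.
    # The CA section defines the locations of CA assets, as well as the policies
    # applying to the CA.

    [ ca ]
    default_ca              = signing_ca            # The default CA section

    # copy_extensions = copy is what carries subjectAltName from a server or
    # email CSR into the issued certificate. Extensions already set in
    # email_ext / server_ext (keyUsage, basicConstraints, extendedKeyUsage)
    # override anything in the CSR, so a request cannot turn itself into a CA
    # or change its usage. The SAN itself is taken from the CSR as-is, so check
    # it against the requester before signing.
    [ signing_ca ]
    certificate             = $dir/myCA/$ca.crt     # The CA cert
    private_key             = $dir/myCA/$ca/$ca.key # CA private key
    new_certs_dir           = $dir/myCA/$ca         # Certificate archive
    serial                  = $dir/myCA/$ca/$ca.srl # Serial number file
    crlnumber               = $dir/myCA/$ca/$ca.crl # CRL number file (a counter, not the CRL itself)
    database                = $dir/myCA/$ca/$ca.db  # Index file
    unique_subject          = no                    # Allow re-issuing the same subject (renewals)
    default_days            = 730                   # How long to certify for
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    policy                  = match_pol             # Default naming policy
    email_in_dn             = no                    # Add email to cert DN
    preserve                = no                    # Keep passed DN ordering
    name_opt                = ca_default            # Subject DN display options
    cert_opt                = ca_default            # Certificate display options
    copy_extensions         = copy                  # Copy CSR extensions not pinned below (notably subjectAltName)
    x509_extensions         = email_ext             # Default cert extensions; pass -extensions server_ext for servers
    default_crl_days        = 7                     # How long before next CRL
    crl_extensions          = crl_ext               # CRL extensions

    # Naming policies control which parts of a DN end up in the certificate and
    # under what circumstances certification should be denied.

    [ match_pol ]
    domainComponent         = match                 # Must match 'simple.org'
    organizationName        = match                 # Must match 'Simple Inc'
    organizationalUnitName  = optional              # Included if present
    commonName              = supplied              # Must be present

    # Permissive policy; not selected by default, use -policy any_pol to opt in.
    [ any_pol ]
    domainComponent         = optional
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = optional
    emailAddress            = optional

    # Certificate extensions define what types of certificates the CA is able to
    # create.

    # End-entity email certificate (CA:false); used unless -extensions overrides.
    [ email_ext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    basicConstraints        = CA:false
    extendedKeyUsage        = emailProtection,clientAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    # End-entity TLS server certificate (CA:false); select with -extensions server_ext.
    [ server_ext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    basicConstraints        = CA:false
    extendedKeyUsage        = serverAuth,clientAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always

    # CRL extensions exist solely to point to the CA certificate that has issued
    # the CRL.

    [ crl_ext ]
    authorityKeyIdentifier  = keyid:always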
    



    email.conf
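    # Email certificate request

    # This file is used by the openssl req command. Since we cannot know the DN in
    # advance the user is prompted for DN information. The signing CA copies
    # the requested extensions into the certificate (copy_extensions = copy) but
    # pins keyUsage, basicConstraints and extendedKeyUsage via email_ext.

    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = yes                   # Prompt for DN
    distinguished_name      = email_dn              # DN template
    req_extensions          = email_reqext          # Desired extensions

    # Prompt text for each DN field; *_max caps the accepted input length.
    [ email_dn ]
    0.domainComponent       = "1. Domain Component         (eg, com)      "
    1.domainComponent       = "2. Domain Component         (eg, company)  "
    2.domainComponent       = "3. Domain Component         (eg, pki)      "
    organizationName        = "4. Organization Name        (eg, company)  "
    organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
    commonName              = "6. Common Name              (eg, full name)"
    commonName_max          = 64
    emailAddress            = "7. Email Address            (eg, name@fqdn)"
    emailAddress_max        = 40

    [ email_reqext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = emailProtection,clientAuth
    subjectKeyIdentifier    = hash
    subjectAltName          = email:move            # Move emailAddress out of the DN into the SAN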
    




    server.conf
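    # TLS server certificate request

    # This file is used by the openssl req command. The subjectAltName cannot be
    # prompted for and must be specified in the SAN environment variable
    # (on Windows: set SAN=DNS:yourdomain.tld before running openssl req).
    # When SAN is not set in the environment, OpenSSL falls back to the value
    # in the [default] section below.

    [ default ]
    SAN                     = DNS:yourdomain.tld    # Default value when the SAN environment variable is unset

    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = no                    # Unencrypted key so the server can start unattended; restrict file access instead
    default_md              = sha256                # MD to use; SHA-1 signatures are no longer accepted by current clients
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = yes                   # Prompt for DN
    distinguished_name      = server_dn             # DN template
    req_extensions          = server_reqext         # Desired extensions

    # Prompt text for each DN field; commonName_max caps the accepted input length.
    [ server_dn ]
    0.domainComponent       = "1. Domain Component         (eg, com)      "
    1.domainComponent       = "2. Domain Component         (eg, company)  "
    2.domainComponent       = "3. Domain Component         (eg, pki)      "
    organizationName        = "4. Organization Name        (eg, company)  "
    organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
    commonName              = "6. Common Name              (eg, FQDN)     "
    commonName_max          = 64

    # Requested extensions. The signing CA copies subjectAltName from the CSR
    # (copy_extensions = copy in interCA.conf); current browsers match the host
    # name against the SAN rather than the CN and reject certificates without one,
    # so the subjectAltName line must stay enabled.
    [ server_reqext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = serverAuth,clientAuth
    subjectKeyIdentifier    = hash
    subjectAltName          = $ENV::SAN             # From the SAN environment variable, else [default] SAN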
    



     

    > On 09/11/2015 10:45:19 PM authen wrote:

    OpenSSL for Windows 64-bits download:

    Download:
  • Go to http://www.indyproject.org/Sockets/fpc/OpenSSLforWin64.en.aspx
  • Click on AMD64-Win64OpenSSL-0_9_8g.zip
  • Extract files from the zip







     