The Certificate Authority (CA)

On this page we are establishing ourselves in the role of the Certificate Authority so that we can grant and sign the certificates. This involves the generation of the private key for the Certificate Authority and the creation of the Root Certificate.

Creating the Private Key for the Certificate Authority

As prerequisite to creating a self-signed root certificate, a private key (with which this certificate will be signed) is needed for the Certificate Authority to sign the certificates it issues.

To create a private key using the RSA algorithm with the 'openssl genrsa' command, execute the following command line:

PS> openssl genrsa `
        -aes256 `
        -out certificate-authority/private/TheCertificateAuthority.key.pem ` # see the info in the Details below!
        4096
Details

In this command …​

  • -aes256 encrypt the generated private key with 256 bit AES encryption

  • -out defines the output filename as 'TheCertificateAuthority.key.pem' in the 'certificate-authority/private' folder of the CA envivronment.
    To be usable for signing certificates the specified path/filename has to match the 'private_key' option in the [ CA_DEFAULT ] setion of the ca.cnf file.

  • 4096 sets the length of the generated private key to 4096 bits

For further options of the genrsa command, see the OpenSSL documentation.

This starts the following dialog.
Enter a secret password for the Certificate Authority key instead of the '<CA key pass phrase>':

Enter pass phrase for private/TheCertificateAuthority.key.pem: <CA key pass phrase>
Verifying - Enter passphrase for private/TheCertificateAuthority.key.pem: <CA key pass phrase>

Creating the self-signed Root Certificate

Next, create a root certificate which includes the public key for the previously generated private key:

PS> openssl req `
        -new `
        -x509 `
        -config certificate-authority/ca.cnf `
        -key certificate-authority/private/TheCertificateAuthority.key.pem `
        -outform pem `
        -out certificate-authority/certs/TheCertificateAuthority.cert.pem    # see the info in the Details below!
Details

In this command …​

  • -new - normally triggers the generation of a new certificate request. When used in conjunction with '-x509' (below) - as in this case - it creates a new certificate. The user will be prompted for field values. The fields which are configured in the specified -extensions (see below) sections of the configuration file.

  • -x509 - creates a certificate according to the x.509 standard instead of a certificate request (see the '-new' parameter)

  • -days - defines the amount of days until the certificate expires. 7300 stands for 20 years.

  • -sha256 - specifies the digest type of the signature to be a 256 bit SHA-2 encrypted hash;
    To see a list of all available digesty type options execute

    PS> openssl dgst -list
  • -key - specifies the private key file (i.e. the one created in the previous step)

  • -outform - defines the output file format, here the base-64 encoded 'pem' format is used

  • -out - sets the path/filename for the generated certificate. If not provided, the certificate is written to the standard output.
    To be usable for signing certificates the specified path/filename has to match the 'certificate' option in the [ CA_DEFAULT ] section of the ca.cnf file.

For further options of the req command, see the OpenSSL documentation.

The following dialog will be displayed where the sugested default values are built-in in the openssl tool.
Please enter your company’s information for the Certificate Authority, replacing the '<examples>' with your actual data.

Enter pass phrase for certificate-authority/private/TheCertificateAuthority.key.pem: <CA key pass phrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: <DE>
State or Province Name []: <NRW>
Locality Name []: <Cologne>
Organization Name []: <TheCompany>
Organizational Unit Name []: <IT>
Common Name []: <theCompany.com>
Email Address []: <it@thecompany.com>

Verifying the Root Certificate

To verify the root certificate execute the following command line:

PS> openssl x509 `
        -noout `
        -text `
        -in certificate-authority/certs/TheCertificateAuthority.cert.pem
Details

In this command …​

  • -noout - prevents any other output than '-text'

  • -text - prints out the certificate in text form.

  • -in - specifies the file; here: certificate-authority/certs/TheCertificateAuthority.cert.pem

For further options of the 'x509' command, see the OpenSSL documentation.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            27:f6:e5:62:dc:eb:0d:cf:c7:13:57:d1:bc:69:06:31:cd:f9:2f:48
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=NRW, L=Cologne, O=TheCompany, OU=IT, CN=theCompany.com, emailAddress=it@thecompany.com
        Validity
            Not Before: Feb 14 15:06:31 2024 GMT
            Not After : Mar 15 15:06:31 2024 GMT
        Subject: C=DE, ST=NRW, L=Cologne, O=TheCompany, OU=IT, CN=theCompany.com, emailAddress=it@thecompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:46:73:58:f0:ec:61:fe:97:4d:b5:00:06:b0:
                    62:3c:34:3b:33:0e:a2:66:48:85:27:5d:52:cb:32:
                    b4:fa:7b:66:54:b2:eb:b4:0d:c2:3c:e1:ec:12:40:
                    a0:b3:6f:10:d7:03:f4:0a:71:bb:5f:b3:79:d9:b8:
                    2a:8b:df:b2:60:0d:88:bc:b1:49:0e:03:f0:a6:f6:
                    54:97:cc:ce:17:b0:56:55:6f:a2:f6:e2:32:7f:b1:
                    34:f7:28:13:d8:22:66:2b:47:5f:10:48:f1:e3:d1:
                    62:2e:22:f2:d2:b6:c1:ec:30:da:ef:10:95:9f:db:
                    3c:4c:4e:38:23:7f:25:7c:7d:9d:53:10:b2:bf:59:
                    f4:78:43:db:0b:ef:2d:6a:b5:0c:6c:ab:dc:a3:e3:
                    ea:ad:b0:bb:95:60:66:f4:37:7f:fb:d1:74:95:44:
                    f5:d6:7b:47:c2:7a:fb:20:5b:1c:39:ed:75:06:a0:
                    00:67:0c:36:c5:b8:9f:f5:ba:60:e6:96:94:15:27:
                    08:94:0c:a9:5f:20:4c:62:d7:60:8a:3f:8d:16:e2:
                    39:54:8c:62:87:32:e4:4a:7e:0f:95:0b:e3:7d:a1:
                    8e:8d:75:f5:f9:44:f9:78:6b:f9:48:6b:66:81:36:
                    a0:ca:ef:d3:bb:5a:d7:44:ee:cc:e7:32:f7:23:06:
                    cf:7b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F0:4D:88:AE:3D:B6:D7:BA:32:FC:01:84:CF:47:73:87:65:1C:A1:C1
            X509v3 Authority Key Identifier:
                F0:4D:88:AE:3D:B6:D7:BA:32:FC:01:84:CF:47:73:87:65:1C:A1:C1
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        42:91:bf:ba:05:e1:47:6f:71:d5:b4:87:a0:db:16:ef:44:bc:
        da:35:b0:de:df:60:b2:96:19:9e:7e:eb:0e:47:2e:51:ec:3e:
        6d:9a:48:0e:16:59:f4:34:d9:57:bb:bc:aa:43:f4:25:58:e1:
        6b:65:12:d4:ca:74:8e:94:3e:79:25:78:de:b8:6e:98:69:89:
        57:15:87:49:38:b7:4f:96:06:48:c1:b7:18:15:1d:82:99:50:
        aa:92:c4:d4:db:73:69:99:c1:3f:02:d1:a1:0e:43:73:25:03:
        6b:90:cf:55:de:ce:87:49:a6:d8:d0:0c:15:7d:dc:22:c6:96:
        bf:3d:50:7e:93:b7:f3:49:fe:74:dd:de:06:17:45:7f:75:7d:
        13:0f:f7:93:95:2b:d1:31:99:36:66:33:7a:2d:20:e9:f3:91:
        01:b7:c8:19:ea:4a:1b:0d:e1:75:90:c3:ee:6a:a5:7d:03:04:
        ca:60:f4:a3:7a:24:d1:c5:df:a8:95:d3:4e:83:9a:f4:94:e8:
        6d:88:a9:6d:f4:cf:9f:ad:45:c9:03:7f:65:cd:f0:b7:2e:73:
        ef:88:07:d6:ab:b9:ec:45:0f:60:13:0c:7c:3a:ae:10:28:91:
        45:9f:b8:d9:b4:07:55:bc:15:25:60:a8:60:1d:2a:73:c6:0b:
        b4:b9:4b:db

Continue Reading

Now you are prepared to act as the Certificate Authority and issue signed certificates for incoming Certificate Signing Requests (CSRs).

How Certificate Signing Requests are generated, is addressed on the next page.