PKI - Project CA

Introduction

The steps documented here are based on the jamielinux.com/docs/openssl-certificate-authority/ web site. The web site is a great source of information about the steps, the commands, what they do, etc.

Note: The steps found here are simplified for use in class.

Caveat

The steps defined here are for a "demonstration/test" CA; for example, I plan to use the certificates in a programming class.

Running a "real" CA takes a lot more than OpenSSL commands: physical security of the CA hardware and of the CA key (a production root key is kept offline, normally in an HSM), making issued certificates available (an LDAP directory?), vetting requests before signing them, publishing revocation information, etc.

Which Version of OpenSSL

On Ubuntu Linux systems OpenSSL is already installed; on other systems check whether it is. Also make sure you are using a supported release (the 3.x series, or at least 1.1.1, which reached end of life in September 2023), since older releases no longer receive security fixes.

openssl version

List Linux OpenSSL Bash Scripts, etc.

Bash scripts and OpenSSL configuration files are available that simplify creating the initial keys and certificates.

List The Linux OpenSSL Files (Zip File)

Step 1 - create directories and files

Your directories will probably be different. Make the appropriate adjustments to the commands below.

cd /home/tom/
mkdir ca

cd ca
mkdir ca certs crl csr keys

touch index.txt
echo 1000 > serial
Directory               Description
/home/tom/ca/           CA root; also holds index.txt (the CA's database of
                        issued certificates, created empty) and serial (the
                        next serial number, in hex)
/home/tom/ca/ca/        CA key, cert, ca-chain
/home/tom/ca/certs/     certificates signed by CA
/home/tom/ca/crl/       certificate revocation lists
/home/tom/ca/csr/       certificate signing requests
/home/tom/ca/keys/      certificate keys

Step 2 - download OpenSSL configuration files

Download the OpenSSL configuration files to the CA root directory (/home/tom/ca/).

List The Linux OpenSSL Files (Zip File)

Note: The CA's configuration files are the *.cnf files.

Step 3 - create CA key and cert

cd /home/tom/ca/
./create_ca_step1.bsh
./create_ca_step2.bsh

./display_ca_cert.bsh
./display_ca_key.bsh

chmod 444 ca/ca.cert.pem
chmod 400 ca/ca.key.pem

Step 4 - create server key and cert

cd /home/tom/ca/
./create_server_key.bsh
./create_server_csr.bsh
./create_server_cert.bsh

./display_server_cert.bsh

chmod 444 certs/server.cert.pem
chmod 400 keys/server.key.pem

Step 5 - create client key and cert

cd /home/tom/ca/
./create_client_key.bsh
./create_client_csr.bsh
./create_client_cert.bsh

./display_client_cert.bsh

chmod 444 certs/client.cert.pem
chmod 400 keys/client.key.pem
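What Steps 1 through 5 amount to, written out with bare openssl commands. This is an added example, not the page's create_*.bsh scripts or the contents of the downloaded *.cnf files; the config section names, the subject names and the hostname demo.example.test are assumptions, and the CA key is left unencrypted so it runs without prompts.

```shell
#!/bin/sh
# Added example, not one of the page's *.bsh scripts: Steps 1 to 5 done with
# bare openssl commands so you can see what the scripts do.  The config section
# names, the subject names and the hostname demo.example.test are assumptions.
# The CA key is left unencrypted so the demo runs without prompts; a real CA
# key is passphrase-protected at minimum and ideally lives in an HSM.
set -eu

# Step 1: the layout from the page.  index.txt is the database `openssl ca`
# appends each issued certificate to, serial holds the next serial number in
# hex; both must exist before the first signing.
init_ca_dirs() {                 # init_ca_dirs <root>
  mkdir -p "$1/ca" "$1/certs" "$1/crl" "$1/csr" "$1/keys"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
}

# Step 2: a minimal stand-in for the downloaded *.cnf files.  [req] is used to
# mint the root cert and the CSRs, [ca] to sign them.  The two profiles differ
# in extendedKeyUsage, which stops a client cert from passing as a server cert.
write_ca_config() {              # write_ca_config <root>
  cat > "$1/demo-ca.cnf" <<EOF
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/certs
serial         = \$dir/serial
certificate    = \$dir/ca/ca.cert.pem
private_key    = \$dir/ca/ca.key.pem
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = no
[ policy_any ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName     = Common Name
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName   = DNS:demo.example.test
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Step 3: CA key (2048-bit RSA to keep the demo quick) and self-signed root.
create_ca() {                    # create_ca <root>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca/ca.key.pem"
  chmod 400 "$1/ca/ca.key.pem"
  openssl req -x509 -new -config "$1/demo-ca.cnf" -key "$1/ca/ca.key.pem" \
    -subj "/CN=Demo Class CA" -days 3650 -sha256 -out "$1/ca/ca.cert.pem"
  chmod 444 "$1/ca/ca.cert.pem"
}

# Steps 4 and 5: key -> CSR -> CA-signed cert.  <name> is server or client and
# picks the [<name>_cert] profile; the CSR carries only the subject, the CA
# decides the extensions.
issue_cert() {                   # issue_cert <root> <name> <cn>
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/keys/$2.key.pem"
  chmod 400 "$1/keys/$2.key.pem"
  openssl req -new -config "$1/demo-ca.cnf" -key "$1/keys/$2.key.pem" \
    -subj "/CN=$3" -out "$1/csr/$2.csr.pem"
  openssl ca -batch -notext -config "$1/demo-ca.cnf" -extensions "${2}_cert" \
    -in "$1/csr/$2.csr.pem" -out "$1/certs/$2.cert.pem"
  chmod 444 "$1/certs/$2.cert.pem"
}

# The check a TLS peer performs: chains to our CA, allowed for this purpose,
# and (for a server) the name matches the SAN.  Exit status is the verdict.
verify_cert() {                  # verify_cert <root> <name> <purpose> [hostname]
  root="$1"; name="$2"; purpose="$3"; host="${4:-}"
  set -- -CAfile "$root/ca/ca.cert.pem" -purpose "$purpose"
  if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi
  openssl verify "$@" "$root/certs/$name.cert.pem"
}

build_demo_pki() {               # build_demo_pki <root>
  init_ca_dirs "$1"; write_ca_config "$1"; create_ca "$1"
  issue_cert "$1" server demo.example.test
  issue_cert "$1" client "Demo Student"
}
```

Source the file and call build_demo_pki with an empty directory, then verify_cert <root> server sslserver demo.example.test and verify_cert <root> client sslclient; both print OK. Asking for verify_cert <root> client sslserver fails with "unsupported certificate purpose", which is the point of the two profiles. Signing with openssl ca rather than openssl x509 -req is what makes index.txt and serial matter: every issued certificate is recorded and the serial file is incremented, which is what a later CRL is built from.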

Step 6 - run the demo server and client

cd /home/tom/ca/
./run_demo_server.bsh
./run_demo_client.bsh
./run_demo_server_www.bsh

Step 7 - create a file digest (hash) [1]

cd /home/tom/ca/
mkdir hashes pubkeys

./create_dgst.bsh
./verify_dgest.bsh

[1] You will need the gettysburg_address.txt text file available here. Copy it to the /home/tom/ca/ directory.
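What Step 7 does, as an added example that is not the page's create_dgst.bsh or verify_dgest.bsh (their contents are not shown here). It assumes the digest is SHA-256, that the digest is signed with a private key and checked with the public key pulled out of the matching certificate (which is what the hashes and pubkeys directories suggest), and it constructs its own throwaway key, certificate and text in place of gettysburg_address.txt and the Step 4 server key.

```shell
#!/bin/sh
# Added example, not the page's create_dgst.bsh / verify_dgest.bsh: a SHA-256
# file digest with `openssl dgst`, then a signature over the file made with a
# private key and checked against the public key taken from the matching
# certificate.  The throwaway key, cert and sample text are constructed here;
# in class you would use gettysburg_address.txt and the server key/cert.
set -eu

# The digest alone: the hex hash, as you would store it in hashes/.
file_digest() {            # file_digest <file>
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# A bare hash only detects accidental corruption; whoever changes the file
# can recompute it.  Signing the digest with a private key ties it to the
# key holder.
sign_file() {              # sign_file <private-key.pem> <file> <out.sig>
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# The verifier needs only the signer's certificate: extract the public key
# (what pubkeys/ would hold) and check the signature.  Returns 0 when the
# signature matches, 1 when the file or the signature was altered.
verify_file() {            # verify_file <cert.pem> <file> <sig>
  pub=$(mktemp)
  openssl x509 -in "$1" -pubkey -noout > "$pub"
  if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2"; then rc=0; else rc=1; fi
  rm -f "$pub"
  return "$rc"
}

# Constructed fixtures: an EC key, a self-signed cert carrying its public key
# (a CA-issued cert from Step 4 works the same way) and a short text.
demo_sign_and_verify() {   # demo_sign_and_verify <workdir>
  printf 'Four score and seven years ago ...\n' > "$1/speech.txt"
  printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n' > "$1/req.cnf"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1/signer.key.pem"
  openssl req -x509 -new -config "$1/req.cnf" -key "$1/signer.key.pem" \
    -subj "/CN=Demo Signer" -days 30 -out "$1/signer.cert.pem"
  sign_file "$1/signer.key.pem" "$1/speech.txt" "$1/speech.txt.sig"
  verify_file "$1/signer.cert.pem" "$1/speech.txt" "$1/speech.txt.sig"
}
```

Appending a single byte to speech.txt changes file_digest's output and makes verify_file return 1 ("Verification failure"), which is the check the verify script is there to demonstrate.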