

In our previous article, Introductions and Design Considerations for Elliptical Curves, we covered the design requirements to create a two-tier ECC certificate authority based on NSA Suite B's PKI requirements.

We can now begin creating our CA's root configuration. Creating the root CA requires us to generate a certificate and private key; since this is the first certificate we're creating, it will be self-signed. The root CA will not sign client and server certificates; its job is only to create intermediary certificates and act as the root of our chain of trust. This is standard practice across public and private PKI configurations, and so too should it be in your lab environments.

Create Your Directory Structure

Create a directory to store your root CA pair and config files. This is for a test lab and permissions may not match real world requirements. I sudoed into bash and created everything under root, aka playing with fire. This affects ownership down the line if you chmod private key files and directories to user access only, so determine for yourself what user/permission will be accessing files for certificate creation. I have a small team and trust them with root within a lab environment (snapshots allow me to be this trusting).

We begin by creating a working root directory with sub directories for the various files we'll be creating. This will allow you to apply your preferred security practices should you choose to do so. Since this is a test lab and I am operating as root, I won't be chmod'ing anything today.

    # cd /root/ca

Create your CA database to keep track of signed certificates.

OpenSSL uses configuration files to simplify/template the components of a certificate. Copy the GIST openssl_root.cnf file, which is already prepared for this demo, to /root/ca/openssl_root.cnf. For the root CA certificate creation, the section is required and will gather its configuration from the section. The section in the openssl_root.cnf file contains the variables OpenSSL will use for the root CA. If you're using alternate directory names from this demo, update the file accordingly.

    private_key = $dir/private/ca.
    certificate = $dir/certs/ca.

Note the long values for default days (10 years) as we don't care about renewing the root certificate anytime soon.

    # SHA-1 is deprecated, so use SHA-2 or SHA-3 instead.

For the root CA, we define the section which will later force the intermediary's certificate to match the country, state/province, and organization name fields. The root CA should only sign intermediate certificates that match.

The section is used for OpenSSL certificate requests. Some of the values listed will not be used since we are manually specifying them during certificate creation.

    # Options for the `req` tool (`man req`).
    distinguished_name = req_distinguished_name
    # SHA-1 is deprecated, please use SHA-2 or greater instead.
    # Extension to add when the -x509 option is used.

I pre-populate the section with values I'll commonly use to save typing down the road.

    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name
    organizationName_default = Grilled Cheese Inc.
    organizationalUnitName = Organizational Unit Name
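As an added example (not the article's GIST file or its commands), the script below builds the directory layout and CA database described above and writes a minimal openssl_root.cnf carrying the same ideas: a 10-year default validity, a SHA-2 digest, a strict policy that makes intermediates match the root's country, state/province and organization, and prompt-style distinguished-name defaults; if openssl is on the path it also generates a P-384 root key and self-signed root certificate. Section names follow the ca(1)/req(1) manuals; CA_DIR, the ca.key.pem/ca.cert.pem file names, the P-384 curve, the Colorado default and the demo's Grilled Cheese Inc. values are assumptions.

```shell
# Added example, not the article's files: root-CA layout, CA database, minimal
# openssl_root.cnf and an ECC P-384 self-signed root. CA_DIR, file names, curve
# and the demo's "Grilled Cheese Inc." values are assumptions; sections follow ca(1)/req(1).
set -eu
make_ca_layout() {             # directories plus the index.txt/serial database
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"     # the article's lab skips this; a real CA should not
    : > "$1/index.txt"; echo 1000 > "$1/serial"
}
write_root_cnf() {             # long validity, SHA-2 digest, strict matching policy
    cat > "$1/openssl_root.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.cert.pem
default_md = sha384
default_days = 3650
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
default_md = sha384
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
organizationName = Organization Name
organizationName_default = Grilled Cheese Inc.
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
}
make_root_pair() {             # P-384 key and a self-signed root valid for 10 years
    openssl ecparam -genkey -name secp384r1 -noout -out "$1/private/ca.key.pem"
    openssl req -config "$1/openssl_root.cnf" -new -x509 -days 3650 \
        -key "$1/private/ca.key.pem" -out "$1/certs/ca.cert.pem" \
        -subj "/C=US/ST=Colorado/O=Grilled Cheese Inc./CN=Grilled Cheese Root CA"
}
CA_DIR="${CA_DIR:-/tmp/ca}"; make_ca_layout "$CA_DIR"; write_root_cnf "$CA_DIR"   # article uses /root/ca
! command -v openssl >/dev/null 2>&1 || make_root_pair "$CA_DIR"
```

Intermediates signed later with `openssl ca -config "$CA_DIR/openssl_root.cnf"` are refused unless their C, ST and O equal the root's, which is the matching behaviour the article's strict policy is meant to enforce.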
