This is the Certificate of Authority. This will be used to validate all of the later certificates you create. You will be putting part of the CA into each and every one of your machines, saying “anything signed by this is valid.”

The premier thing here is security. You will be creating a certificate that will tell everyone connecting “hey, I vouch for this web site, whatever. I trust it, it is really what it says it is.”

This is controlled through your private key, and whatever password you put on it. Anyone who has access to those two things, and can do a little DNS poisoning, can totally own you.

Large companies, like Let's Encrypt, or Thawte, or whatever, are set up so it takes three or four people, together, to get access to the CA.

At Daily Data, the password is available to the owner and the senior technician (who has worked for the company over 20 years). The private key is stored in three secure locations, and the password is written down in our company's safe deposit box.

Hope I've made it clear. Think security, especially if you are something other than an individual or a Mom and Pop (and even then, think security).

Since I work for Daily Data, I'll use that to create the names below. We have a server that has limited access and is generally turned off, and I'll use that machine. It is a Linux machine, so I'll create a directory structure under /opt.

Ok, these instructions are just a guideline. More details follow.

# create a little directory tree. 
# Not required, but allows the certs to be kept organized
mkdir -p /opt/localCert/newcerts
mkdir -p /opt/localCert/private
# this will store the indicies. Again, not required
touch /opt/localCert/DailyDataCAindex
cd /opt/localCert
# create a random rsa key pair of 2048 bits and ask for encryption passphrase (min 8 char)
openssl genpkey -algorithm RSA --outform PEM --des3 --out DailyDataCA.key --pkeyopt rsa_keygen_bits:2048
# Create a CA certificate from it. You'll need to answer a bunch of questions here
# see "create a config file" to keep from having to do that.
openssl req -x509 -new -key DailyDataCA.key -sha256 -days 3650 -out DailyDataCA.crt

The following command will generate the private key for your CA. I have used \ to make it multi-line (it is all one command, so make sure no spaces after the \'s)

openssl \
   genpkey \
   -algorithm RSA \
   --outform PEM \
   --des3 \
   --out DailyDataCA.key \
   --pkeyopt rsa_keygen_bits:2048

When run, it will generate a 2048 bit private key, then ask you for a passphrase (then again to verify). Here is a breakdown of the parameters:

• genpkey - openssl has multiple functions. This says you want to generate a private key. Notice there is no dash before the command.
• -algorithm - Generate using RSA. You should use this for all private keys unless you know a reason not to.
• -outform - Output format. PEM is the default, so you don't have to enter this. You can also choose DER, which I don't know anything about.
• -des3 - use triple-des (des3) to encrypt the key. Will ask for passphrase at end. Minimum of 8 characters, but more is better (like 20 something)
• -out - followed by the file name to put the private key in. If not specified, will send output to STDOUT
• -pkeyopt - options specific to the key you are generating. In this case, we are saying the rsa key will be 2048 bits in length

Note: you can use the -pass parameter to accept the password from a file (or stdin). See the options in the Pass Phrase Options of man 1 openssl on unix machines

Note: you do not have to use a password if you can ensure the key is secure at all times. Simply remove -des3 from the command.

Note: The old way of generating keys was to use the command

openssl genrsa -des3 -out DailyDataCA.key 2048

but that has been supercseded by genpkey.

By creating a configuration file, you can bypass a lot of redundant questions and answers when generationg certificates. I name it openssl.cnf and place it in the directory with my CA files. The following is not correct at this time (stil working on the documentation).

openssl.cnf

# this section is for requests
[ req ]
default_bits           = 2048 # make all private keys 2048 bits (default)
default_md             = sha256 # use sha256 (default)
prompt                 = no  # do not ask any questions you don't have to
distinguished_name     = req_distinguished_name # section where DN information stored
 
# section holds Distinguished Name fields so we don't have to enter them all the time
# Instead of abbreviations used below, may also use 
# commonName, countryName, localityName, organizationName, organizationalUnitName, stateOrProvinceName
[ req_distinguished_name ]
C                      = GB
ST                     = Test State or Province
L                      = Test Locality
O                      = Organization Name
OU                     = Organizational Unit Name
CN                     = Common Name
emailAddress           = test@email.address
 
# used when generating certificate of authorities (ca)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical, CA:true

Now that you have a private key, we can use that to create a certificate to be used to sign the certificates. The file created (with a .pem suffix) will also be added to each device that needs to access certificates generated. So, for example, workstations where people are accessing internal web sites which will have certificates signed by the CA.

openssl \
   req \
   -x509 \
   -new \
   -key DailyDataCA.key \
   -sha256 \
   -days 3650 \
   -config openssl.cnf \
   -reqexts v3_ca \
   -out DailyDataCA.pem

This will read the key file (.key) and generate a certificate from it. Parameters are:

• req - We are doing a certificate request
• -x509 - we want an X509 certificate created. This is a self-signed certificate (instead of a certificate request). Required for generating a CA
• -new - Create a new certificate. This will require you to answer questions to generate a Distinguished Name (DN) if you did not create a config file with that information.
• -key - the name of the keyfile created earlier
• -sha256 - The digest used to create the certificate. This is the default for RSA and only here for documentation
• -days - The number of days the certificate is valid. Before this time is up, a new CA must be generated, deployed to all workstations and new certs signed by the new key deployed to all services. Default is 30 days, but we set it to 10 years.
• -config - Name of the configuration file to use (if you created one).
• -reqexts - use v3_ca section of config file also (for generating CA)
• -out - name of the output file.

Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) []:Dallas Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daily Data Organizational Unit Name (eg, section) []:Home Office Common Name (e.g. server FQDN or YOUR name) []:Rod Email Address []:joe@dailydata.net