OpenSSL Configuration

A configuration file is required to define the basic operation of OpenSSL. Either the system configuration file can be used, or a configuration file can be specified on the command line when running OpenSSL commands. The latter approach was chosen. The next step is to create a basic OpenSSL configuration file that will be used to create the certificates.

  1. Create a file openssl.cnf
    $ touch openssl.cnf
  2. Edit the created configuration file and add the following content
    HOME = /srv/pki

    [ ca ]
    default_ca = CA-default

    [ CA-default ]
    dir = $HOME/CA-root
    # seed file name matches the file created in step 3 (was .rand, which step 3 never creates)
    RANDFILE = $HOME/.rnd
    database = $dir/index.txt
    serial = $dir/serial
    private_key = $dir/ca.key
    certificate = $dir/ca.crt
    new_certs_dir = $dir/new_certs
    certs = $dir/certs
    policy = policy_match_root
    x509_extensions = extension_root_cert

    [ policy_match_root ]
    countryName = optional
    stateOrProvinceName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ extension_root_cert ]
    # RFC 5280 requires basicConstraints to be marked critical in CA certificates
    basicConstraints = critical, CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always

    # 'openssl req' (step 5) reads this section: it aborts without a
    # distinguished_name, and x509_extensions is what places the CA
    # extensions above on the self-signed root certificate
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = extension_root_cert

    [ req_distinguished_name ]
    commonName = Common Name (e.g. Root CA)

  3. Create a random seed file .rnd
    $ openssl rand -out .rnd -base64 2048
  4. Create a Diffie-Hellman parameter file dh2048.pem
    $ openssl dhparam -out dh2048.pem 2048
  5. Create the private key and self-signed certificate for the Root CA
    $ openssl req -new -x509 -config openssl.cnf -days 3650 -set_serial 0 -newkey rsa:2048 -out CA-root/ca.crt -keyout CA-root/ca.key
  6. View the Root CA certificate created in the previous step
    $ openssl x509 -in CA-root/ca.crt -noout -text
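The same procedure as a non-interactive script, added here as an example (not code from the original page): it creates the directory layout the configuration refers to, builds the root certificate with the same sections plus the [ req ] block that openssl req needs, and then checks that the result is really a root CA. It assumes openssl is in PATH and that the target directory is passed as the first argument; basicConstraints is marked critical as RFC 5280 requires.

```shell
# Added example, not from the original page: builds the CA tree the config
# above refers to, creates the self-signed root with the same sections plus the
# [ req ] block 'openssl req' requires, and checks the result. Assumes openssl
# is in PATH; the target directory is given as the first argument.
set -eu

# The page's sections with HOME pointed at the target directory. 'openssl req'
# refuses to run without a distinguished_name section, so [ req ] is added.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
HOME = $1
[ ca ]
default_ca = CA-default
[ CA-default ]
dir = \$HOME/CA-root
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/new_certs
private_key = \$dir/ca.key
certificate = \$dir/ca.crt
policy = policy_match_root
x509_extensions = extension_root_cert
[ policy_match_root ]
commonName = supplied
[ extension_root_cert ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = extension_root_cert
[ req_dn ]
commonName = Example Root CA
EOF
}

# Files 'openssl ca' expects (empty database, first serial, output dir), then
# the root key and certificate. -nodes is for the demo only: keep a real root key encrypted and offline.
create_root_ca() {
  mkdir -p "$1/CA-root/new_certs"; : > "$1/CA-root/index.txt"; echo 01 > "$1/CA-root/serial"
  write_config "$1"
  openssl req -new -x509 -config "$1/openssl.cnf" -days 3650 -newkey rsa:2048 \
    -nodes -keyout "$1/CA-root/ca.key" -out "$1/CA-root/ca.crt" 2>/dev/null
}
# Checks on the result: CA:TRUE is present and the certificate verifies against itself.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }
# Usage: sh make_root_ca.sh /srv/pki
[ $# -eq 0 ] || { create_root_ca "$1" && is_ca_cert "$1/CA-root/ca.crt" \
  && is_self_signed "$1/CA-root/ca.crt" && echo "root CA ready in $1/CA-root"; }
```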