A configuration file is required to define the basic operation of OpenSSL. Either the system config file can be used, or a configuration file can be specified on the command line while working with OpenSSL commands. The latter approach was chosen. The next step is to create a basic OpenSSL configuration file that will be used to create the certificates.
- Create a file openssl.cnf
$ touch openssl.cnf
- Edit the created configuration file and add the following content

HOME = /srv/pki

[ ca ]
default_ca = CA-default

[ CA-default ]
dir = $HOME/CA-root
RANDFILE = $HOME/.rand
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.crt
new_certs_dir = $dir/new_certs
certs = $dir/certs
policy = policy_match_root
x509_extensions = extension_root_cert

[ policy_match_root ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ extension_root_cert ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

- Create a rand file .rnd
$ openssl rand -out .rnd -base64 2048
- Create a Diffie-Hellman parameter file (dh2048.pem)
$ openssl dhparam -out dh2048.pem 2048
- Create the private key and self-signed certificate for the Root CA
$ openssl req -new -x509 -config openssl.cnf -days 3650 -set_serial 0 -newkey rsa:2048 -out CA-root/ca.crt -keyout CA-root/ca.key
- View the Root CA certificate created in the previous step
$ openssl x509 -in CA-root/ca.crt -noout -text
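The steps above, carried through end to end as an added example (this script is not part of the original page). It writes the configuration from the previous steps into a throwaway directory that stands in for /srv/pki, creates the files the [ CA-default ] section points at (index.txt, serial, new_certs, certs), generates the root CA and then checks the certificate instead of only printing it. Three things are assumptions of this example rather than content of the page: the [ req ] and [ req_dn ] sections and their CN (openssl req refuses to run without a distinguished_name entry, and its x509_extensions setting is what makes the -x509 certificate carry the extension_root_cert extensions), the added keyUsage line restricting the root to signing, and the options -nodes and -set_serial 1, which replace the page's interactive passphrase prompt and its serial 0 (RFC 5280 requires a positive serial). The random file is written under the name the config's RANDFILE actually expects (.rand), whereas the step above creates .rnd. Function names (write_config, build_root_ca, check_root_ca, demo_root_ca) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: build the root CA described
# above in a temporary directory and check the result.
set -eu

write_config() {   # $1 = directory playing the role of HOME (/srv/pki on the page)
  cat > "$1/openssl.cnf" <<EOF
HOME = $1
[ ca ]
default_ca = CA-default
[ CA-default ]
dir = \$HOME/CA-root
RANDFILE = \$HOME/.rand
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/ca.key
certificate = \$dir/ca.crt
new_certs_dir = \$dir/new_certs
certs = \$dir/certs
policy = policy_match_root
x509_extensions = extension_root_cert
[ policy_match_root ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ extension_root_cert ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# added by this example: a root should only sign certificates and CRLs
keyUsage = critical, keyCertSign, cRLSign
# [ req ] and [ req_dn ] are added by this example; openssl req needs them
[ req ]
distinguished_name = req_dn
x509_extensions = extension_root_cert
prompt = no
[ req_dn ]
CN = Example Root CA (constructed)
EOF
}

build_root_ca() {  # $1 = PKI directory
  mkdir -p "$1/CA-root/new_certs" "$1/CA-root/certs"
  : > "$1/CA-root/index.txt"          # empty CA database
  echo 01 > "$1/CA-root/serial"       # next serial for `openssl ca`
  write_config "$1"
  openssl rand -out "$1/.rand" -base64 2048        # the file RANDFILE names
  # -nodes (no key passphrase) and -set_serial 1 are this example's choices
  openssl req -new -x509 -config "$1/openssl.cnf" -days 3650 -set_serial 1 \
    -newkey rsa:2048 -nodes -out "$1/CA-root/ca.crt" \
    -keyout "$1/CA-root/ca.key" 2>/dev/null
  chmod 600 "$1/CA-root/ca.key"       # the root key must not be world-readable
}

check_root_ca() {  # $1 = PKI directory; returns 1 at the first failed check
  crt="$1/CA-root/ca.crt"
  text=$(openssl x509 -in "$crt" -noout -text)
  for want in 'CA:TRUE' 'Subject Key Identifier' 'Authority Key Identifier' \
              'Certificate Sign'; do
    printf '%s\n' "$text" | grep -q "$want" || return 1
  done
  subj=$(openssl x509 -in "$crt" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$crt" -noout -issuer);   iss=${iss#issuer=}
  [ "$subj" = "$iss" ] || return 1                  # self-signed: issuer == subject
  [ "$(openssl x509 -in "$crt" -noout -serial)" = "serial=01" ] || return 1
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1   # the root verifies itself
}

demo_root_ca() {   # returns 0 when the CA builds and passes every check
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
  pki=$(mktemp -d)
  build_root_ca "$pki" || { rm -rf "$pki"; return 1; }
  if check_root_ca "$pki"; then rc=0; else rc=1; fi
  rm -rf "$pki"
  return $rc
}

demo_root_ca && echo "root CA built and verified"
```

check_root_ca is the part worth keeping around: after generating a root with the page's command, confirming CA:TRUE, both key identifiers, a positive serial, issuer equal to subject and a successful `openssl verify` against itself catches the common mistakes (missing extensions because x509_extensions was set only in the ca section, or a serial of 0) before the certificate is distributed as a trust anchor.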