Creating Root SSL Authority with OpenSSL

Published on Author gryzli

1. Create directory structure

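# Working tree for the CA. certificates/ and private_keys/ receive the leaf
# certificate and key produced in step 3; certs/ and private/ are the
# new_certs_dir and CA private_key locations that openssl.cnf (step 2) points
# at, and `openssl ca` fails if they do not exist.
mkdir -p certificates private_keys certs private
# Private-key directories must not be world-readable.
chmod 700 private private_keys
# Seed the serial counter with a random 64-bit value instead of a predictable
# '100001': sequential serials make issued certificates easy to predict, which
# is one ingredient of chosen-prefix collision attacks on CA signatures.
openssl rand -hex 8 > serial
# Empty issued-certificate database; `openssl ca` appends one line per certificate.
touch certindex.txt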

 

2. Create a default openssl.cnf file. Every path named under [ CA_default ] (serial, certindex.txt, certs/, cacert.pem and private/cakey.pem) must exist before `openssl ca` is run in step 3.2.

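#
# OpenSSL configuration file for a small private CA.
#
# Expected layout relative to `dir` (create these before running `openssl ca`):
#   serial, certindex.txt           CA state: next serial number, issued-cert database
#   certs/                          copy of every certificate this CA issues
#   cacert.pem, private/cakey.pem   the root CA certificate and its private key
#

# Establish working directory.

dir                                     = .

[ ca ]
default_ca                              = CA_default

[ CA_default ]
serial                                  = $dir/serial
database                                = $dir/certindex.txt
new_certs_dir                           = $dir/certs
certificate                             = $dir/cacert.pem
private_key                             = $dir/private/cakey.pem
# Validity of issued certificates, in days.
default_days                            = 365
# Signature digest. MD5 (and SHA-1) are collision-prone and rejected by
# modern TLS clients; SHA-256 is the current baseline.
default_md                              = sha256
preserve                                = no
email_in_dn                             = no
nameopt                                 = default_ca
certopt                                 = default_ca
# Issued certificates must share C/ST/O with the CA certificate (see policy_match).
policy                                  = policy_match
# Extensions stamped onto every certificate this CA issues unless -extensions
# overrides it. Without this, `openssl ca` issues certificates with no
# extensions at all.
x509_extensions                         = v3_req
# Never copy extensions from the CSR: a requester could ask for CA:TRUE or
# extra names and this CA would sign them as-is.
copy_extensions                         = none

[ policy_match ]
countryName                             = match
stateOrProvinceName                     = match
organizationName                        = match
organizationalUnitName                  = optional
commonName                              = supplied
emailAddress                            = optional

[ req ]
# Size of generated keys, in bits.
default_bits                            = 2048
# Name of the generated key when -keyout is not given.
default_keyfile                         = key.pem
# Digest used to sign the request itself; MD5 is not acceptable here either.
default_md                              = sha256
# Permitted DN string types. nombstr is the legacy setting (utf8only is the
# modern choice); changing it after cacert.pem exists can make the `match`
# policy above reject DNs that differ only in string encoding, so decide
# before creating the CA.
string_mask                             = nombstr
distinguished_name                      = req_distinguished_name
req_extensions                          = v3_req

[ req_distinguished_name ]
# Variable name                         Prompt string
#-------------------------        ----------------------------------
0.organizationName                      = Organization Name (company)
organizationalUnitName                  = Organizational Unit Name (department, division)
emailAddress                            = Email Address
emailAddress_max                        = 40
localityName                            = Locality Name (city, district)
stateOrProvinceName                     = State or Province Name (full name)
countryName                             = Country Name (2 letter code)
countryName_min                         = 2
countryName_max                         = 2
commonName                              = Common Name (hostname, IP, or your name)
commonName_max                          = 64

# Default values for the above, for consistency and less typing.
# Variable name                         Value
#------------------------         ------------------------------
0.organizationName_default              = BugBears
emailAddress_default                    = ChangeMe@example.com
localityName_default                    = Sofia
stateOrProvinceName_default             = Sofia
countryName_default                     = BG
commonName_default                      = gryzli.info

# Extensions for the self-signed root: use with `openssl req -x509 -extensions v3_ca`.
[ v3_ca ]
# RFC 5280 requires basicConstraints to be critical in CA certificates.
basicConstraints                        = critical, CA:TRUE
# Restrict the root key to signing certificates and CRLs.
keyUsage                                = critical, keyCertSign, cRLSign
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = keyid:always,issuer:always

# Extensions for end-entity requests and certificates (CSR and issuance).
[ v3_req ]
basicConstraints                        = CA:FALSE
subjectKeyIdentifier                    = hash
# Typical TLS end-entity usage. extendedKeyUsage (serverAuth/clientAuth) is
# deployment-specific and is deliberately not set here.
keyUsage                                = digitalSignature, keyEncipherment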

 

3. Create Key and CSR (Certificate Signing Request). Before a CSR can be signed in step 3.2, the CA itself needs a key and a self-signed certificate at the paths named by `private_key` and `certificate` in openssl.cnf; this page does not show that step. One way to create them, using the [ v3_ca ] section from step 2: `openssl req -x509 -new -newkey rsa:4096 -days 3650 -extensions v3_ca -config ./openssl.cnf -keyout private/cakey.pem -out cacert.pem` (do not pass -nodes here, so the CA key stays passphrase-protected).

3.1 Create the CSR & Key

# Generate a new private key plus a CSR for it. -nodes writes the key
# unencrypted (no passphrase): acceptable for a service that must start
# unattended, but keep private_keys/ readable only by the owner.
openssl req -config ./openssl.cnf -new -nodes -keyout private_keys/openvpn_key.pem -out openvpn-csr.pem

 

3.2 Sign the CSR and issue the certificate

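# Sign the CSR with the CA configured in openssl.cnf.
# -extensions v3_req stamps basicConstraints CA:FALSE and a subject key id onto
# the issued certificate; without -extensions (or an x509_extensions entry in
# the CA section) the certificate carries no extensions at all.
# -md sha256 overrides any weaker default_md left in the config.
# -infiles must stay last: everything after it is treated as a request file.
openssl ca -config ./openssl.cnf -extensions v3_req -md sha256 -out certificates/openvpn.cert -infiles openvpn-csr.pem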

 

References:

How to setup a Certificate Authority

Create Root Certificate

Creating and using SSL certificates (deep info)