nmz.me

This is my public notebook.

---

Project maintained by nicomz Hosted on GitHub Pages — Theme by mattgraham

Goals

The goal is to build a PKI scheme with a Root Certificate Authority and an Intermediate Certificate Authority.

I’ve gone through many projects where SSL / TLS Test Certificates, Code Signing, Mail Signatures or PDF Signatures were required.

Nowadays I’m looking for a test scenario with CRL / OCSP Working to get some PDF LTV enabled Signatures.

The whole solution is available at this GitHub repo

At least to try this, you need:

• OpenSSL

RootCA

As the PKI chains starts with a Root Authority. Let’s go.

First of all, we must build our directory structure.

There will be:

• a private directory to store “private” keys.
• a db directory to store our CA Database.
• a certs directory to store generated certificates

└── root-ca
    ├── certs
    ├── db
    └── private

Add the OpenSSL ROOT CA config file root-ca.conf

Create the private key of our Root Certificate Authority

openssl genrsa -aes256 -out root-ca/private/root-ca.key.pem 4096
chmod 400 root-ca/private/root-ca.key.pem

Create empty database files

touch ./root-ca/db/root-ca.db
touch ./root-ca/db/root-ca.db.attr
touch ./root-ca/db/root-ca.crt.srl
touch ./root-ca/db/root-ca.crl.srl
echo 00 > ./root-ca/db/root-ca.crt.srl
echo 00 > ./root-ca/db/root-ca.crl.srl

Important note: OpenSSL stores Serial Numbers as Hex (Blocks of two numbers).

Create the Certificate

openssl req -config root-ca.conf \
            -key root-ca/private/root-ca.key.pem \
            -new -x509 -days 7300 -sha256 -extensions root_ca_ext \
            -out root-ca/certs/root-ca.crt

Intermediate CA

Repeat directory structure for our Intermediate CA (int-ca) plus a directory for the Certificate Requests (csr)

├── root-ca
│   ├── certs
│   ├── db
│   └── private
└── int-ca
    ├── certs
    ├── csr
    ├── db
    └── private

Add the Intermediate CA configuration file int-ca.conf

Create the private key

openssl genrsa -aes256 -out int-ca/private/int-ca.key.pem 4096

Create the Certificate Request

openssl req -config ./int-ca.conf \
            -new -sha256 -key ./int-ca/private/int-ca.key.pem \
            -out ./int-ca/csr/int-ca.csr.pem

Sign the request to create the Intermiate Certificate (using root config file)

openssl ca -config root-ca.conf -extensions int_ca_ext \
        -days 7600 -notext -md sha256 \
        -in ./int-ca/csr/int-ca.csr.pem \
        -out ./int-ca/certs/int-ca.cert.pem

SSL/TLS Certificates

First of all, we must setup the TLS CSR config file

Sample bash script for CSR creation and certificate signature

#!/bin/bash
export SAN=DNS:$1
openssl req -new -config conf/TLS.conf -out int-ca/csr/$1.csr -keyout signing-ca/private/$1.key
openssl ca -config ./int-ca.conf -in ./int-ca/csr/$1.csr -out int-ca/certs/$1.crt -extensions server_ext

To call it just run

nicolas@sxm:~/dev/democa$ ./TLS.sh test.nmz.me

Output

nicolas@sxm:~/dev/democa$ ./TLS.sh test.nmz.me
Generating a RSA private key
...................................+++++
..............................................+++++
writing new private key to 'int-ca/private/test.nmz.me.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component         (eg, me)       []:me
2. Domain Component         (eg, nmz)   []:nmz
4. Organization Name        (eg, NMZ)   []:NMZ
5. Organizational Unit Name (eg, section)   []:test
6. Common Name              (eg, FQDN)      []:test.nmz.me
Using configuration from ./int-ca.conf
Enter pass phrase for ./int-ca/private/int-ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug 13 00:34:12 2019 GMT
            Not After : Aug 12 00:34:12 2021 GMT
        Subject:
            domainComponent           = me
            domainComponent           = nmz
            organizationName          = NMZ
            organizationalUnitName    = test
            commonName                = test.nmz.me
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                54:A2:35:D4:49:B9:67:2B:61:8F:16:08:85:B7:68:11:E4:21:A9:63
            X509v3 Authority Key Identifier: 
                keyid:6E:6B:78:7D:57:53:F0:86:CE:E8:C8:25:50:1A:ED:FB:2D:2D:60:6F

            X509v3 Subject Alternative Name: 
                DNS:test.nmz.me
Certificate is to be certified until Aug 12 00:34:12 2021 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

End User Certificates

This time, we must setup the EMAIL CSR config file

Sample bash script for CSR creation and certificate signature

#!/bin/bash
openssl req -new -config conf/EMAIL.conf -out int-ca/csr/$1.csr -keyout int-ca/private/$1.key
openssl ca -config ./int-ca.conf -in ./int-ca/csr/$1.csr -out int-ca/certs/$1.crt -extensions email_ext

To call it just run

nicolas@sxm:~/dev/democa$ ./EMAIL.sh email@adress.

Output

nicolas@sxm:~/dev/democa$ ./EMAIL.sh [email protected]
Generating a RSA private key
.....................................................+++++
........................................................................................+++++
writing new private key to 'int-ca/private/[email protected]'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component         (eg, com)       []:me  
2. Domain Component         (eg, company)   []:nmz
4. Organization Name        (eg, company)   []:NMZ
5. Organizational Unit Name (eg, section)   []:test
6. Common Name              (eg, full name) []:test
7. Email Address            (eg, name@fqdn) []:[email protected]
Using configuration from ./int-ca.conf
Enter pass phrase for ./int-ca/private/int-ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 30 23:43:36 2019 GMT
            Not After : Sep 29 23:43:36 2021 GMT
        Subject:
            domainComponent           = me
            domainComponent           = nmz
            organizationName          = NMZ
            organizationalUnitName    = test
            commonName                = test
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                C9:E8:1E:6B:BB:B2:AA:AF:5F:88:49:9F:FD:3F:B4:CC:A0:20:83:C0
            X509v3 Authority Key Identifier: 
                keyid:6E:6B:78:7D:57:53:F0:86:CE:E8:C8:25:50:1A:ED:FB:2D:2D:60:6F

            X509v3 Subject Alternative Name: 
                email:[email protected]
Certificate is to be certified until Sep 29 23:43:36 2021 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated