A/I Orange Book (1.0): An how-to for the realization of a resilient network of self-managed servers
PrevNext

Chapter 7. Certification Authority

For the management of the various SSL connection of users on servers, we have considered it useful to create our own Certification Authority: with it we can sign all the SSL certificates used by the servers and make them easily verifiable by users and servers alike.

Since we needed to implement some non-trivial features (as the possibility of having certificates valid for several different names on a single server), we have added this chapter to the documentation, detailing a short how-to others could find useful.

7.1. Initial Configuration

We will use the /opt/ca directory as a place where to keep and manage certificates: 

	$ export CADIR=/opt/ca
	$ mkdir -p $CADIR
Then we have to create the directory structure and some files needed by a CA: 
	$ mkdir $CADIR/certs
	$ mkdir $CADIR/conf
	$ mkdir $CADIR/crls
	$ mkdir $CADIR/ext
	$ mkdir $CADIR/newcerts
	$ mkdir $CADIR/private
	$ chmod g-rwx,o-rwx private
	$ echo '01' > serial
	$ > index
The serial file will include the next serial to be used, while the index file is a database of all the references to the certificate signed by the CA.

Now we have to create a basic configuration for our CA, for example the one used as a default by OpenSSL in our Debian sarge distribution in /etc/ssl/openssl.cnf.

Our CA will use the /opt/ca/conf/ca.conf configuration file. To have openssl use it correctly without constantly having to specifying it in the command line, we can simply export it in the OPENSSL_CONF variable. 

	$ export OPENSSL_CONF=$CADIR/conf/aica.conf

The content of the ca.conf is as follow: 

RANDFILE                = $ENV::CADIR/.random

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = $ENV::CADIR
certs                   = $dir/certs
crl_dir                 = $dir/crl
database                = $dir/index
new_certs_dir           = $dir/newcerts
certificate             = $dir/ca.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
private_key             = $dir/private/ca.key
x509_extensions         = certificate_extensions
email_in_dn             = no
default_days            = 3643
default_crl_days        = 31
default_md              = sha1
preserve                = yes
policy                  = policy_match

[ policy_match ]
countryName             = supplied
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = supplied

[ policy_anything ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 4096
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName                     = Country Name
countryName_default             = IT
countryName_min                 = 2
countryName_max                 = 2
0.organizationName              = Organization Name
0.organizationName_default      = Intra.Org
organizationalUnitName          = Organizational Unit Name
organizationalUnitName_default  =
commonName                      = Common Name
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 60
emailAddress_default            = ca@infra.org
SET-ex3                         = SET extension number 3

[ req_attributes ]

[ certificate_extensions ]

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA, emailCA, objCA
nsComment = "InfraCA"
subjectAltName=email:copy
issuerAltName=issuer:copy

PrevHomeNext
Script CA creation