CA Certificate Creation and CSR signing
These steps require OpenSSL in a Linux environment. On Windows, the same commands can be run from Git Bash or from the Windows Subsystem for Linux (WSL).
Create a new self-signed CA Certificate
To create a new self-signed CA certificate:
First, create a basic configuration file:
$ touch ca.cnf
Then, add the following to it:
HOME = .
RANDFILE = $ENV::HOME/.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
base_dir = .
certificate = $base_dir/cacert.pem # The CA certificate
private_key = $base_dir/cakey.pem # The CA private key
new_certs_dir = $base_dir # Location for new certs after signing
database = $base_dir/index.txt # Database index file
serial = $base_dir/serial.txt # The current serial number
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
default_days = 365 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Digest used when signing issued certs
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
###################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = VA
localityName = Locality Name (eg, city)
localityName_default = Herndon
organizationName = Organization Name (eg, company)
organizationName_default = Nuix
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = AdaptiveQA
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = TestCA
emailAddress = Email Address
emailAddress_default = testCA@nuix.com
###################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req ]
# Extensions applied to certificates issued from a CSR (server certs).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE # Issued server certs must not be able to sign further certs
keyUsage = digitalSignature, keyEncipherment
####################################################################
[ ca_extensions ]
# Extensions applied to the self-signed CA certificate itself.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
Then execute the following command:
$ openssl req -x509 -config ca.cnf -days 365 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
After the command executes, cacert.pem is your certificate for CA operations, and cakey.pem is the private key. Because of the -nodes option, the private key is written unencrypted and has no password or passphrase.
You can view the certificate with the following:
$ openssl x509 -in cacert.pem -text -noout
Create the empty certificate database (index.txt) and the starting serial number (serial.txt) that openssl ca expects:
$ touch index.txt
$ echo '01' > serial.txt
Now that you have the CA certificate, import it into a trusted CA store. Convert the PEM certificate into the DER-encoded .cer format that Windows expects using the following command:
$ openssl x509 -outform der -in cacert.pem -out CA.cer
Now you can import the CA.cer file into a Windows certificate store.
Sign Certificates with the new CA
To sign certificates with the new CA:
The following command signs a CSR (here servercert.csr) with the new CA. Keep -infiles as the last option: everything after it is treated as the name of a request file.
$ openssl ca -config ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
You should see a response similar to the following:
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'VA'
localityName :ASN.1 12:'Herndon'
commonName :ASN.1 12:'Adaptive QA'
emailAddress :IA5STRING:'test@nuix.com'
Certificate is to be certified until Oct 20 16:12:39 2016 GMT (1000 days)
Sign the certificate? [y/n]:Y
1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
After the command executes, you will have a freshly minted server certificate in servercert.pem. The matching private key, serverkey.pem, was generated earlier when the CSR was created.
Inspect your freshly minted certificate with the following:
$ openssl x509 -in servercert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = VA, L = Herndon, O = NUIX, OU = AdaptiveQA, CN = RootCA
Validity
Not Before: Jun 4 20:43:47 2024 GMT
Not After : Jun 4 20:43:47 2025 GMT
Subject: C = US, O = Example Co, CN = something.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b7:8f:bd:a2:92:d5:ff:5d:77:1b:1b:bb:ac:32:
40:59:28:15:84:51:02:c4:93:79:b3:83:2e:be:84:
e2:87:c2:35:ba:ea:d1:bd:ae:c9:ab:5f:b8:08:c3:
61:41:29:dd:15:2c:cf:7a:c6:e7:bd:2f:0e:14:14:
ee:3e:5a:b9:be:a9:46:56:bf:86:0a:32:ba:2e:ec:
bf:21:68:9b:42:d4:0c:a1:09:f2:87:6e:e0:15:39:
6a:50:56:51:8c:63:ab:12:d2:05:14:4a:4b:44:68:
c5:3b:82:87:fc:3a:3b:2d:39:61:62:6b:ca:84:b2:
f3:b3:5f:11:6e:81:e2:d9:28:97:17:a7:87:49:20:
e5:78:cb:a1:a0:52:d9:7c:17:1c:c5:e7:fe:c5:9b:
3f:0e:e3:af:38:57:4a:bc:e8:62:d1:48:6b:d8:d3:
94:24:b4:42:f2:49:37:cd:35:50:0f:f7:7c:aa:a1:
7c:eb:97:44:d2:5f:e1:46:50:b4:b4:30:68:1f:4c:
98:50:e1:56:e1:47:cb:bb:23:2f:0c:42:65:04:9d:
ea:c6:48:b6:ba:6e:07:ae:7d:73:32:1e:da:5e:28:
7f:f6:84:47:18:a6:a0:dc:2e:e3:c3:e8:fd:d2:13:
ea:e1:fa:0c:8a:f7:27:4a:fb:c4:b8:76:33:18:ae:
2b:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
49:69:00:63:85:67:DB:CD:FD:BE:85:5F:7D:5D:EB:38:C6:D3:F4:25
X509v3 Authority Key Identifier:
keyid:14:64:AF:14:B2:3F:39:BB:CD:53:7C:95:E1:6F:36:D4:10:AE:2A:22
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:adaptive, DNS:localhost, DNS:WIN-GVC46H9RVO9, DNS:WIN-GVC46H9RVO9.hsd1.md.comcast.net, DNS:Nuix Endpoint Security CA, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:10.0.0.165
Signature Algorithm: sha256WithRSAEncryption
6d:97:35:9d:11:14:c7:64:42:96:32:aa:a0:a0:ef:4c:00:3b:
45:7d:4d:70:e1:75:b4:3b:4e:15:f6:1d:0d:5d:2b:36:9e:2b:
a1:14:4f:16:10:6a:6d:44:04:4e:0e:80:16:ee:d1:8e:18:13:
6a:f2:f7:ec:0d:f7:96:51:b5:ae:22:98:8c:04:c8:af:d0:1e:
2c:72:fd:f9:ed:ac:84:fa:c4:2b:58:20:4d:a7:54:72:ed:f6:
53:8d:49:ba:fa:8f:f3:f9:05:59:50:61:9f:91:ea:8c:85:bb:
3d:2f:ea:4f:3e:cb:73:ae:20:2a:3c:36:0f:1a:6c:0b:ba:85:
2e:fa:9b:7b:e3:ab:f5:ec:48:67:db:2d:01:c7:61:0a:66:86:
15:9d:5d:7e:36:12:06:eb:49:e3:9d:4e:01:82:ea:7e:ab:48:
84:2b:eb:b1:2d:64:a9:f3:38:15:b5:70:53:91:4d:a7:1e:24:
09:1b:c7:65:4d:b0:da:f1:5e:68:ea:27:18:15:17:a8:d5:b9:
e9:43:70:bc:6e:c3:39:81:4e:aa:5c:29:0e:76:1f:9e:82:c4:
28:eb:c9:76:50:bd:67:80:96:93:40:9e:d9:8c:44:d7:c0:4f:
a7:d7:27:e2:84:fc:76:9c:e7:a8:54:d8:13:d2:7b:92:65:df:
80:6e:7c:6a:24:66:35:a1:06:b1:a9:cd:a2:3c:ff:ed:ef:ee:
a5:f6:89:5e:88:f2:ea:da:96:e4:17:eb:24:01:33:0f:e6:e2:
13:de:2b:ba:ac:c9:9a:85:a3:db:dd:dd:65:61:5d:c9:e3:76:
89:50:06:f2:dc:eb:15:bd:8c:82:05:f2:8e:00:4b:7d:29:38:
c8:99:f6:bd:15:5a:1f:03:a6:1c:45:ce:39:2b:78:e1:b6:17:
2a:8a:a7:13:25:97:49:08:b1:60:48:2c:42:27:65:18:32:32:
73:5d:b0:c8:6f:70:e1:b8:c1:8a:4d:4c:c2:90:77:6f:37:0b:
f8:5e:d5:18:05:71:32:f9:3a:48:d5:4b:77:f3:52:b8:c8:7a:
86:7b:cf:da:58:77:2c:15:e6:56:f5:1a:c0:df:a8:44:f3:e3:
f1:82:f5:21:0a:cb:51:21:0d:53:68:73:b8:7b:e9:85:e6:08:
80:54:9b:91:f8:b1:88:46:90:e9:01:57:51:0e:53:a0:0b:7b:
96:87:66:23:7b:b9:69:f0:18:4e:e5:b0:85:5f:01:f9:66:51:
55:48:26:e3:58:61:e0:80:c3:e7:2d:5e:e8:de:c1:94:ae:7e:
ab:3e:a9:a9:a2:8b:81:de:52:d0:03:c9:b8:aa:26:bf:68:bb:
d4:16:63:47:f0:ac:69:87
To import the new certificate on Windows, convert it to the DER-encoded .cer format using the following openssl command:
$ openssl x509 -outform der -in servercert.pem -out server.cer
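The following script is an added end-to-end example, not code from the original page: it runs the whole procedure above (create the CA, create a server key and CSR carrying SANs, sign the CSR, convert to DER) in a temporary directory and then performs the checks a practitioner should run before trusting the output: that the chain verifies against the CA, that the CA certificate is CA:TRUE while the issued certificate is CA:FALSE, and that the SANs from the CSR were copied into the certificate. It assumes a condensed version of the page's ca.cnf with prompt = no so the CA subject comes from the config instead of interactive prompts, a hypothetical [ server_req_ext ] section holding the CSR's SANs, an added extendedKeyUsage = serverAuth on issued certs, 2048-bit keys to keep it quick (the page uses 4096), and openssl ca run with -batch (no y/n prompts) and -notext (pure PEM output). The host name something.example.com, the DN values and the SAN list are constructed placeholders.

```shell
#!/bin/sh
# Added end-to-end example (not from the original page): builds a CA from a
# condensed ca.cnf, issues a server certificate from a CSR carrying SANs,
# converts it to DER, and checks the result. All names and DN values are
# constructed for this demo; requires the openssl command-line tool.
set -eu

write_ca_config() {
    # Condensed form of the page's ca.cnf. Differences are commented.
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
base_dir = .
certificate = $base_dir/cacert.pem
private_key = $base_dir/cakey.pem
new_certs_dir = $base_dir
database = $base_dir/index.txt
serial = $base_dir/serial.txt
unique_subject = no
default_days = 365
default_md = sha256
x509_extensions = ca_extensions
copy_extensions = copy
[ req ]
default_bits = 2048
default_keyfile = cakey.pem
distinguished_name = ca_dn
x509_extensions = ca_extensions
string_mask = utf8only
prompt = no
[ ca_dn ]
C = US
O = Example Co
CN = TestCA
[ server_req_ext ]
subjectAltName = DNS:something.example.com, DNS:localhost, IP:127.0.0.1
[ signing_policy ]
countryName = optional
organizationName = optional
commonName = supplied
[ signing_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
EOF
}

create_ca() {
    # Self-signed CA cert, unencrypted key (-nodes), empty DB and first serial.
    (cd "$1" && openssl req -x509 -config ca.cnf -days 365 -newkey rsa:2048 \
        -sha256 -nodes -out cacert.pem -outform PEM 2>/dev/null \
        && touch index.txt && echo '01' > serial.txt)
}

create_server_csr() {
    # Server key + CSR; SANs live in the CSR and reach the cert via copy_extensions.
    (cd "$1" && openssl req -new -config ca.cnf -reqexts server_req_ext \
        -newkey rsa:2048 -nodes -keyout serverkey.pem -out servercert.csr \
        -subj "/C=US/O=Example Co/CN=something.example.com" 2>/dev/null)
}

sign_csr() {
    # Same command as the page, plus -batch (no prompts) and -notext (pure PEM).
    (cd "$1" && openssl ca -batch -notext -config ca.cnf -policy signing_policy \
        -extensions signing_req -out servercert.pem -infiles servercert.csr 2>/dev/null)
}

to_der() { openssl x509 -outform der -in "$1/servercert.pem" -out "$1/server.cer"; }

# Checks worth running before trusting the issued certificate.
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null 2>&1; }
cert_is_ca() {  # prints yes or no according to the basicConstraints extension
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }
der_subject() { openssl x509 -inform der -in "$1" -noout -subject; }

run_demo() {
    mkdir -p "$1"
    write_ca_config "$1"; create_ca "$1"; create_server_csr "$1"; sign_csr "$1"; to_der "$1"
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    run_demo "$WORK"
    echo "CA cert is CA: $(cert_is_ca "$WORK/cacert.pem"); server cert is CA: $(cert_is_ca "$WORK/servercert.pem")"
    verify_chain "$WORK" && echo "chain verifies against cacert.pem"
    cert_has_san "$WORK/servercert.pem" "DNS:localhost" && echo "SANs copied from CSR"
    der_subject "$WORK/server.cer"
else
    echo "openssl not found; nothing to do" >&2
fi
```

If verify_chain fails, the usual causes are a CA certificate whose basicConstraints or keyUsage does not permit certificate signing, or a stale cacert.pem that does not match cakey.pem; if the server certificate reports CA:TRUE, the signing extensions section still carries the CA setting and the certificate should be revoked rather than deployed.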