Build your own certificate issuing service (CA)
This series of articles is in three parts. It describes how to build your own certificate-issuing service, generate a certificate request, sign that request with the self-built CA, and finally deploy the resulting certificate in a service.
By running your own CA you can sign your application certificates yourself instead of buying a signature from a commercial certificate authority. The drawback of self-signing is that every client must first import your root certificate before it will trust the certificates you issue.
The following describes how to build your own CA on CentOS.
1. Build related directories and files
# mkdir /home/cg/myca
# cd /home/cg/myca/
# mkdir private certs newcerts conf export csr
# echo '01' > serial
# touch index.txt
# vim /home/cg/myca/conf/caconfig.cnf
Add the following content (OpenSSL config keys and section names are case-sensitive):
[ ca ]
default_ca = CA_default

[ CA_default ]
# Where everything is kept; the other paths below are relative to $dir
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# CA certificate and key that 'openssl ca' signs with
certificate = $dir/certs/cacert.pem
serial = $dir/serial
# crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
# RANDFILE = $dir/private/.rand
# Extensions added to certificates issued by this CA
x509_extensions = usr_cert
# crl_extensions = crl_ext
default_days = 3650
# default_startdate = YYMMDDHHMMSSZ
# default_enddate = YYMMDDHHMMSSZ
# default_crl_days = 30
# default_crl_hours = 24
default_md = sha1 # current browsers reject SHA-1 signatures; sha256 is the usual choice today
preserve = no
# msie_hack
policy = policy_match

[ policy_match ]
# Which DN fields of a request must match the CA certificate's own DN
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # used when 'req -x509' creates the self-signed root
# input_password
# output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req # used for ordinary certificate requests

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
# challengePassword = A challenge password
# challengePassword_min = 4
# challengePassword_max = 20
# unstructuredName = An optional company name

[ usr_cert ]
# End-entity certificates: must not be able to issue further certificates
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# nsComment = "OpenSSL Generated Certificate"
# nsCertType = client, email, objsign for "everything including object signing"
subjectAltName = email:copy
issuerAltName = issuer:copy
# nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# nsBaseUrl =
# nsRenewalUrl =
# nsCaPolicyUrl =
# nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Self-signed root: CA:TRUE marks it as an issuer
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
# keyUsage = cRLSign, keyCertSign
# nsCertType = sslCA, emailCA
# subjectAltName = email:copy
# issuerAltName = issuer:copy
# obj = DER:02:03

[ crl_ext ]
# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
2. Generate the root certificate:
openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem
The key.ca.cg.pem and crt.ca.cg.pem files are written to the $dir/private and $dir/certs directories respectively.
3. Check that the root certificate is correct.
openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text
5. Export the root certificate
Export to PKCS#12 format, which Windows can install automatically when the file is double-clicked:
openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem
On Windows, double-click ca.cg.p12 and follow the prompts to install the certificate.
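The whole procedure above (directory layout, config, self-signed root, check, export) run end to end in a throwaway directory, as an added example that is not part of the original article. It is non-interactive (subjects are passed with -subj), uses sha256 rather than the article's sha1, and goes one step further than the article by signing a server request with `openssl ca`, which is the point where the `certificate` and `private_key` paths in the config must agree with the file names chosen when the root was generated (the article's config names them cacert.pem/cakey.pem, so that is what this script uses). It also exports the root certificate alone in DER form, since clients only need the public certificate to trust the CA; the PKCS#12 bundle containing the private key should stay with the CA. The directory, subjects, hostname and the PKCS#12 password are constructed for this demo; the config is a trimmed copy of the one above.

```shell
#!/bin/sh
# Added example (not the article's own script): builds a demo CA in the
# directory given as $1, checks it, exports it, and signs one server cert.
set -eu

# Writes a trimmed copy of the article's caconfig.cnf. The heredoc is
# unquoted so $dir expands to the real path once; the escaped \$dir stays
# literal and OpenSSL resolves the other paths from the 'dir' key.
write_ca_config() {
  dir="$1"
  cat > "$dir/conf/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 3650
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = nombstr

[ req_distinguished_name ]
commonName = Common Name

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign
EOF
}

# Steps 1, 2 and 5: layout, self-signed root, exports.
build_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/conf" \
           "$dir/export" "$dir/csr" "$dir/crl"
  chmod 700 "$dir/private"
  echo '01' > "$dir/serial"
  : > "$dir/index.txt"
  write_ca_config "$dir"
  # -nodes leaves the CA key unencrypted only because this is a demo CA;
  # a real root key gets a passphrase and stays offline.
  openssl req -new -x509 -days 3650 -config "$dir/conf/caconfig.cnf" \
    -subj "/C=US/ST=New York/L=New York/O=Code Ghar/OU=IT/CN=Demo Root CA" \
    -nodes -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem"
  chmod 600 "$dir/private/cakey.pem"
  # PKCS#12 with the key: a password-protected backup for the CA operator.
  openssl pkcs12 -export -in "$dir/certs/cacert.pem" -inkey "$dir/private/cakey.pem" \
    -out "$dir/export/ca.p12" -passout pass:changeit
  # DER certificate only: what clients import to trust the CA.
  openssl x509 -in "$dir/certs/cacert.pem" -outform DER -out "$dir/export/cacert.cer"
}

# Step 3: the root must carry CA:TRUE and verify against itself.
check_root_ca() {
  dir="$1"
  openssl x509 -in "$dir/certs/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$dir/certs/cacert.pem" "$dir/certs/cacert.pem" >/dev/null
}

# Issue a server certificate: request, 'openssl ca' signing, chain check.
# The DN fields marked 'match' in policy_match must equal the CA's.
sign_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/conf/caconfig.cnf" \
    -subj "/C=US/ST=New York/L=New York/O=Code Ghar/OU=IT/CN=$host/emailAddress=admin@example.test" \
    -keyout "$dir/csr/$host.key.pem" -out "$dir/csr/$host.csr.pem"
  openssl ca -batch -notext -config "$dir/conf/caconfig.cnf" \
    -in "$dir/csr/$host.csr.pem" -out "$dir/certs/$host.crt.pem"
  openssl verify -CAfile "$dir/certs/cacert.pem" "$dir/certs/$host.crt.pem" >/dev/null
}

main() {
  ca_dir=$(mktemp -d)
  build_ca "$ca_dir"
  check_root_ca "$ca_dir"
  sign_server_cert "$ca_dir" www.example.test
  echo "demo CA built in $ca_dir; index.txt now records the issued cert"
}
main
```

Each issued certificate is also recorded in index.txt and kept under newcerts/ by serial number, which is what `openssl ca` later needs for revocation and CRL generation.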