6.2. Creating local certificates


Follow this procedure to perform the following tasks:

  • Generate a local OpenSSL certificate authority
  • Create a certificate signing request for a user key
  • Issue the user certificate signed by the local CA
Warning

The following steps are intended for testing purposes only. Certificates issued by a local self-signed certificate authority are not as trustworthy as certificates issued by an AD, IdM, or RHCS certification authority. Use a certificate issued by your enterprise certification authority even if the host is not part of the domain.

Procedure

  1. Create a directory where you can generate the certificate, for example:

    # mkdir /tmp/ca
    # cd /tmp/ca
  2. Create the CA configuration file ca.cnf (copy this text to your command line in the ca directory; the backslashes keep the literal `$dir` references in the file):

    # cat > ca.cnf <<EOF
    [ ca ]
    default_ca = CA_default
    
    [ CA_default ]
    dir              = .
    database         = \$dir/index.txt
    new_certs_dir    = \$dir/newcerts
    
    certificate      = \$dir/rootCA.crt
    serial           = \$dir/serial
    private_key      = \$dir/rootCA.key
    RANDFILE         = \$dir/rand
    
    default_days     = 365
    default_crl_days = 30
    default_md       = sha256
    
    policy           = policy_any
    email_in_dn      = no
    
    name_opt         = ca_default
    cert_opt         = ca_default
    copy_extensions  = copy
    
    [ usr_cert ]
    authorityKeyIdentifier = keyid, issuer
    
    [ v3_ca ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints       = CA:true
    keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
    
    [ policy_any ]
    organizationName       = supplied
    organizationalUnitName = supplied
    commonName             = supplied
    emailAddress           = optional
    
    [ req ]
    distinguished_name = req_distinguished_name
    prompt             = no
    
    [ req_distinguished_name ]
    O  = Example
    OU = Example Test
    CN = Example Test CA
    EOF
  3. Create the following directories:

    # mkdir certs crl newcerts
  4. Create the following files:

    # touch index.txt crlnumber index.txt.attr
  5. Write the number 01 in the serial file:

    # echo 01 > serial

    This command initializes the serial file with the number 01 (a hexadecimal value). It is the serial number that the CA assigns to the first certificate it issues; openssl ca increments the value in this file by one after each certificate it signs.

  6. Create an OpenSSL root CA key:

    # openssl genrsa -out rootCA.key 2048
  7. Create a self-signed root Certification Authority certificate:

    # openssl req -batch -config ca.cnf \
        -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \
        -set_serial 0 -extensions v3_ca -out rootCA.crt
  8. Create the key for your username:

    # openssl genrsa -out example.user.key 2048

    This key is generated on the local system, where it is not protected by the smart card. Once the key has been stored on the card, remove it from the system.

    Alternatively, you can generate the key directly on the smart card so that it never exists outside the card. To do so, follow the instructions provided by the manufacturer of your smart card.

  9. Create the certificate signing request configuration file (copy this text to your command line in the ca directory):

    # cat > req.cnf <<EOF
    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no
    
    [ req_distinguished_name ]
    O = Example
    OU = Example Test
    CN = testuser
    
    [ req_exts ]
    basicConstraints = CA:FALSE
    nsCertType = client, email
    nsComment = "testuser"
    subjectKeyIdentifier = hash
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
    subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:testuser@example.com
    EOF
  10. Create a certificate signing request for your example.user certificate:

    # openssl req -new -nodes -key example.user.key \
        -reqexts req_exts -config req.cnf -out example.user.csr
  11. Issue the new certificate by signing the request with the local CA. The validity period is set to 1 year, and `copy_extensions = copy` in ca.cnf carries the extensions from the request into the issued certificate:

    # openssl ca -config ca.cnf -batch -notext \
        -keyfile rootCA.key -in example.user.csr -days 365 \
        -extensions usr_cert -out example.user.crt

    At this point, the certification authority and certificates are successfully generated and prepared for import into a smart card.
