Initialisation of the Certification Authority

Here we describe the initialisation phase of the CA. This takes place once. Special care is needed for the protection of the CA's private key.

Note

The following examples require OpenSSL to be installed on your workstation. It is also recommended to add the directory where the openssl binary resides to your PATH environment variable. Possible locations for the openssl binary are /usr/local/ssl/bin/ or /usr/bin/.

Generate the RSA key pair for the CA

Use this command to generate the RSA key pair:

CA_Admin% openssl genrsa -des3 -out ca.key 2048

Parameters

genrsa

the openssl component to generate an RSA key pair,

-des3

the symmetric algorithm to encrypt the key pair,

-out ca.key

the filename to store the key pair,

2048

size of RSA modulus in bits.

Executing the above command, the user is presented with the following information:

1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
......................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter the pass-phrase here
Verifying password - Enter PEM pass phrase: re-enter the pass-phrase here

This creates an RSA key pair, which is stored in the file ca.key. The file is encrypted with 3DES using a pass-phrase supplied by the user during key generation, so the pass-phrase is the only protection of the key at rest: anyone who obtains both ca.key and the pass-phrase can sign as the CA. The RSA modulus N (the product of the two prime numbers) is 2048 bits long. For brevity, we say that we use 2048-bit RSA.

A sample key pair, encrypted with a pass-phrase, can be found at the Section called Sample Encrypted Private Key in PEM format (2048 bits) in Appendix B. The same key pair without the pass-phrase encryption is at the Section called Sample Private Key in PEM format (2048 bits) in Appendix B. The decoded version of the same key can be found at the Section called Sample Private Key in TXT format (2048 bits) in Appendix B.

Create a self-signed CA Certificate

In order to get a self-signed CA Certificate, we need to sign the CA's certificate request with the corresponding private key. The resulting Certificate has the X.509 structure.

CA_Admin% openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Parameters

req

the openssl component to generate a certificate request,

-new

this is a new certificate,

-x509

generate an X.509 certificate,

-days 365

the time in days that the certificate will be valid, counting from now,

-key ca.key

the key pair file to be used,

-out ca.crt

the filename that the new certificate will be written to.

Executing the above command presents this dialogue:

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase: enter the pass-phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Best CA Ltd
Organizational Unit Name (eg, section) []:Class 1 Public Primary Certification Authority
Common Name (eg, YOUR name) []:Best CA Ltd
Email Address []:.
CA_Admin% 

This creates a self-signed certificate, called ca.crt. It is valid for 365 days from the date of generation. In this step, the CA Administrator has to enter the X.509 details (the Distinguished Name) of the CA Root Certificate.

A sample CA Certificate, in PEM format, can be found at the Section called Sample CA Certificate in PEM format in Appendix B. The TXT (human-readable) version of the same Certificate can be found at the Section called Sample CA Certificate in TXT format in Appendix B.
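The two initialisation steps above, run unattended and followed by the checks a CA operator would make before trusting the result, as an added example that is not part of the original HOWTO. It assumes a POSIX shell, OpenSSL 1.1.1 or later, a CA directory given as the first argument, and a pass-phrase kept in a mode-0600 file (ca.pass) so that openssl can read it with -passin/-passout instead of prompting; the config file ca.cnf, the function names ca_init and ca_check, and the use of AES-256 in place of 3DES are choices made for this example. The Distinguished Name values are the ones entered in the dialogue above.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): CA key + self-signed certificate,
# then sanity checks. Paths, ca.cnf and the ca.pass file are assumptions.
set -eu

# Steps 1 and 2: encrypted CA key and self-signed certificate in directory $1.
ca_init() {
    dir="$1"
    umask 077                      # everything created below is owner-only (0600/0700)
    mkdir -p "$dir"

    # Pass-phrase generated once and stored in a 0600 file for unattended use.
    # The HOWTO has the operator type it at the prompt; an HSM or vault is the
    # production-grade alternative. Nothing below echoes it.
    openssl rand -base64 32 > "$dir/ca.pass"

    # Minimal openssl.cnf: no prompts, the DN from the HOWTO, and the X.509v3
    # extensions that mark the certificate as a CA (the HOWTO relies on the
    # default config's v3_ca section for these).
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca

[ ca_dn ]
C  = GB
ST = Surrey
O  = Best CA Ltd
OU = Class 1 Public Primary Certification Authority
CN = Best CA Ltd

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

    # Equivalent of "openssl genrsa -des3 -out ca.key 2048" with AES-256 as the
    # key-file cipher. A root that must live for years is commonly 3072/4096 bits.
    openssl genrsa -aes256 -passout "file:$dir/ca.pass" -out "$dir/ca.key" 2048 2>/dev/null

    # Equivalent of "openssl req -new -x509 -days 365 -key ca.key -out ca.crt",
    # with the DN and extensions read from ca.cnf instead of the dialogue.
    openssl req -new -x509 -sha256 -days 365 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -passin "file:$dir/ca.pass" -out "$dir/ca.crt"
}

# Checks on the result; returns 0 only if every check passes.
ca_check() {
    dir="$1"
    key="$dir/ca.key"; crt="$dir/ca.crt"; pass="file:$dir/ca.pass"

    # 1. The key file is encrypted (PEM header says ENCRYPTED) ...
    grep -q ENCRYPTED "$key" || { echo "key is not encrypted" >&2; return 1; }
    # ... and cannot be opened without the pass-phrase.
    if openssl pkey -in "$key" -passin pass:wrong-passphrase -noout 2>/dev/null; then
        echo "key opened with a wrong pass-phrase" >&2; return 1
    fi
    # 2. Group and others have no access to the key file (ls mode bits 5-10 are "------").
    case "$(ls -ld "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "key file is accessible to group/other" >&2; return 1 ;;
    esac
    # 3. The certificate is self-signed: subject equals issuer ...
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || { echo "subject differs from issuer" >&2; return 1; }
    # ... and its signature verifies against itself as trust anchor.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "self-verification failed" >&2; return 1; }
    # 4. It carries the CA flag (basicConstraints CA:TRUE).
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA certificate" >&2; return 1; }
    # 5. The public key in the certificate matches the private key on disk.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey)
    pub_key=$(openssl pkey -in "$key" -passin "$pass" -pubout)
    [ "$pub_crt" = "$pub_key" ] || { echo "certificate does not match private key" >&2; return 1; }
    return 0
}

# Usage: sh ca-init.sh /path/to/ca-dir
if [ "$#" -gt 0 ]; then
    ca_init "$1" && ca_check "$1" && echo "CA initialised in $1"
fi
```

Run it as `sh ca-init.sh ./ca-demo`; it leaves ca.key, ca.crt, ca.cnf and ca.pass in that directory, all readable only by the owner. Check 1 is the one that matters most for this chapter: it confirms that what is on disk is useless without the pass-phrase, which is the whole point of the -des3 (here -aes256) option to genrsa.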