OpenSSL certificate authority
Using OpenSSL as a Certificate Authority - ported from my old wiki. See also my OpenSSL certificates in a nutshell post for client-level certificate handling.
With any of the openssl ca commands, add -name <name of ca section> to the command (unless using a default):
openssl ca -name SomeCA -config conf/MyCA.cnf ...
Day-to-day usage
Signing a certificate
This is by far the easiest bit:
CN="SomeCN"
CA="SomeCA"
# Always verify the certificate request and make sure there's nothing dangerous, like someone trying to trick you into signing a CA certificate
openssl req -verify -text -noout -in "csr/$CN.csr"
openssl ca -name "ca_intermediate_$CA" -notext -out "certs/$CA/$CN.pem" -config "conf/openssl.cnf" -infiles "csr/$CN.csr"
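The comment about not being tricked into signing a CA certificate can be automated. The script below is an added example, not part of the original post: it verifies the CSR's self-signature, then decodes the request and refuses any that asks for basicConstraints CA:TRUE or the keyCertSign/cRLSign key usages. It assumes the csr/$CN.csr layout used above; the sample decoded text is constructed to look like openssl req -text -noout output. The requested extensions only reach the issued certificate when the CA config has copy_extensions = copy, but checking before signing is cheap insurance either way.

```shell
#!/bin/sh
# Added example: pre-signing gate for certificate requests (not the post's own code).

# Read the decoded text of a CSR (what `openssl req -text -noout` prints) from stdin.
# Returns 0 for an ordinary end-entity request, 1 if it asks for CA capabilities.
csr_text_is_end_entity() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "REJECT: request asks for basicConstraints CA:TRUE" >&2
        return 1
    fi
    # OpenSSL prints keyCertSign as "Certificate Sign" and cRLSign as "CRL Sign"
    if printf '%s\n' "$text" | grep -Eq 'Certificate Sign|CRL Sign'; then
        echo "REJECT: request asks for keyCertSign/cRLSign key usage" >&2
        return 1
    fi
    return 0
}

# Check a CSR file on disk: the self-signature must verify (catches tampering or a
# key mismatch), then the decoded text is run through the extension check above.
check_csr_file() {
    csr="$1"
    openssl req -verify -noout -in "$csr" >/dev/null 2>&1 || {
        echo "REJECT: CSR signature does not verify: $csr" >&2
        return 1
    }
    openssl req -text -noout -in "$csr" | csr_text_is_end_entity
}

# Constructed samples of the relevant lines of decoded CSR output.
SAMPLE_CA_CSR_TEXT='        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign'

SAMPLE_LEAF_CSR_TEXT='        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Typical use before the signing step: check_csr_file "csr/$CN.csr" || exit 1
```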
Revoke a certificate
CN="SomeCN"
CA="SomeCA"
openssl ca -name "ca_intermediate_$CA" -revoke "certs/$CA/$CN.pem" -crl_reason unspecified -config "conf/openssl.cnf"
rm "certs/$CA/$CN.pem"
Where crl_reason can be one of:
- unspecified
- keyCompromise
- CACompromise
- affiliationChanged
- superseded
- cessationOfOperation
- certificateHold
- removeFromCRL
Generating the CRL
Again, dead easy:
CA="SomeCA"
openssl ca -name "ca_intermediate_$CA" -config "conf/openssl.cnf" -gencrl -out "crl/$CA.crl.pem"
Setup
See OpenSSL CA Setup