Skip to content

Installing CA with OpenSSL CA Certificate

Endi S. Dewata edited this page Sep 14, 2023 · 1 revision

Table of Contents

Overview

This document describes the process to install PKI CA with a CA certificate generated by OpenSSL.

Generating CA Key

Generate a new key with the following command:

$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
....................................................+++
e is 65537 (0x10001)

Generating CA Certificate Request

Generate a CA certificate request with the key with the following command:

$ openssl req -key ca.key -nodes -new -out ca.csr -subj "/CN=CA Certificate/O=Example" -days 365

Verify the CA certificate request:

$ openssl req -text -noout -in ca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=CA Certificate, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:13:a9:01:fa:ed:9a:6c:50:b2:cc:48:0e:ff:
                    02:30:fb:1a:fd:78:27:55:cc:4c:2f:b7:84:c3:45:
                    f3:a9:83:a9:6e:53:5b:1b:f8:f1:cc:ce:cd:8d:be:
                    17:69:48:62:2d:78:04:f2:09:6f:5b:27:7a:4c:bb:
                    12:46:0a:0c:b3:99:bb:18:66:aa:f0:2a:f4:5a:62:
                    9d:ff:51:19:76:31:cc:3c:97:24:35:d1:11:b7:d1:
                    79:41:ae:23:27:b2:40:ec:91:df:3e:26:d3:0d:e4:
                    c9:9b:48:6c:bb:f3:82:d0:8f:f9:f8:42:2d:ae:76:
                    36:55:44:1d:f3:55:19:58:2d:84:b0:fd:3b:f1:de:
                    4c:7f:c5:92:1d:e4:6e:fa:41:2d:83:d3:ae:3b:4c:
                    1c:ce:5e:c6:76:f7:c8:80:b3:13:0c:6a:75:e9:1e:
                    fe:60:e1:9e:fc:9f:cb:89:53:04:4b:f1:0b:4c:c0:
                    0e:22:c0:37:34:d3:23:8e:d0:95:4f:07:1e:31:e0:
                    aa:08:9b:fe:a7:28:d7:5d:fc:01:a4:fc:cb:5e:f8:
                    dd:5c:ff:c7:94:c7:35:ed:66:54:b1:ce:4a:ea:6b:
                    4e:b6:9e:16:24:2a:9a:8c:41:56:13:d0:84:5f:6c:
                    69:80:cc:08:0a:1d:fc:f8:cc:df:9b:11:b4:1c:31:
                    bd:23
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         3f:58:89:8a:73:7a:41:c8:30:d0:17:08:d4:44:80:09:33:ba:
         90:f0:fa:9c:a4:6f:ff:a5:26:b6:d7:15:8e:05:39:a1:8b:2d:
         a9:69:9b:20:3f:50:f0:53:60:ae:ad:31:43:4f:c9:af:ae:49:
         fb:5c:98:ac:ed:80:c9:1f:44:e5:3a:bc:0f:8b:e5:fe:e9:b7:
         e5:c5:a3:c4:b9:1e:60:b4:58:da:8a:3f:b2:fe:68:82:36:0a:
         b3:ec:3c:88:be:e8:7b:f5:68:14:f4:72:7d:9c:37:3b:ae:20:
         a0:d4:63:66:ac:02:14:94:df:17:35:93:82:c9:63:07:e7:14:
         b6:b7:8e:95:7a:c8:20:18:11:d1:34:b6:26:c8:45:05:36:5f:
         71:7b:ff:c6:02:23:2a:fc:44:a9:d7:c4:25:a4:5c:02:a1:69:
         7d:19:73:41:b1:13:c7:b4:02:13:1d:da:22:56:bb:25:8e:36:
         5e:45:c9:b6:d5:61:13:16:7f:11:28:16:f7:d6:63:8f:d5:11:
         77:6a:b6:e3:cd:ae:5c:7b:61:6e:da:7f:a3:e0:28:a3:26:3b:
         c0:e3:a1:3c:2c:68:cc:dd:d0:d7:99:f2:98:9f:44:e3:9b:a0:
         7f:fe:38:1c:c1:b2:39:55:35:17:5c:33:59:fd:c9:24:4a:e0:
         57:5d:2f:34

Generating CA Certificate

Generate the CA certificate using the existing key with the following command:

$ openssl req -x509 -new -key ca.key -nodes -out ca.crt -subj "/CN=CA Certificate/O=Example" -days 365 -set_serial 1

Note: If you use a different serial number, specify the same value in hex in pki_serial_number_range_start deployment parameter (see Serial Number Ranges).

Verify the CA certificate:

$ openssl x509 -text -noout -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e3:f2:b3:50:ed:cd:87:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA Certificate, O=Example
        Validity
            Not Before: Jun 13 22:57:13 2016 GMT
            Not After : Jun 13 22:57:13 2017 GMT
        Subject: CN=CA Certificate, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:13:a9:01:fa:ed:9a:6c:50:b2:cc:48:0e:ff:
                    02:30:fb:1a:fd:78:27:55:cc:4c:2f:b7:84:c3:45:
                    f3:a9:83:a9:6e:53:5b:1b:f8:f1:cc:ce:cd:8d:be:
                    17:69:48:62:2d:78:04:f2:09:6f:5b:27:7a:4c:bb:
                    12:46:0a:0c:b3:99:bb:18:66:aa:f0:2a:f4:5a:62:
                    9d:ff:51:19:76:31:cc:3c:97:24:35:d1:11:b7:d1:
                    79:41:ae:23:27:b2:40:ec:91:df:3e:26:d3:0d:e4:
                    c9:9b:48:6c:bb:f3:82:d0:8f:f9:f8:42:2d:ae:76:
                    36:55:44:1d:f3:55:19:58:2d:84:b0:fd:3b:f1:de:
                    4c:7f:c5:92:1d:e4:6e:fa:41:2d:83:d3:ae:3b:4c:
                    1c:ce:5e:c6:76:f7:c8:80:b3:13:0c:6a:75:e9:1e:
                    fe:60:e1:9e:fc:9f:cb:89:53:04:4b:f1:0b:4c:c0:
                    0e:22:c0:37:34:d3:23:8e:d0:95:4f:07:1e:31:e0:
                    aa:08:9b:fe:a7:28:d7:5d:fc:01:a4:fc:cb:5e:f8:
                    dd:5c:ff:c7:94:c7:35:ed:66:54:b1:ce:4a:ea:6b:
                    4e:b6:9e:16:24:2a:9a:8c:41:56:13:d0:84:5f:6c:
                    69:80:cc:08:0a:1d:fc:f8:cc:df:9b:11:b4:1c:31:
                    bd:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:35:27:32:D9:A9:77:8E:A0:CB:5E:FC:9B:9C:F1:15:AA:B5:BF:9E
            X509v3 Authority Key Identifier:
                keyid:1E:35:27:32:D9:A9:77:8E:A0:CB:5E:FC:9B:9C:F1:15:AA:B5:BF:9E

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         7a:35:3c:b2:c1:80:6c:d1:c9:c5:c2:45:a3:cf:72:7e:73:01:
         7b:d8:9d:65:77:9e:19:dc:16:f0:be:8a:f8:1b:fc:27:ed:93:
         4a:92:04:69:a7:50:83:cb:22:66:e4:9a:57:4f:75:bb:fa:1f:
         c1:48:36:f4:47:9d:c8:e5:74:24:29:d5:98:8e:e2:bc:9f:45:
         e3:41:c8:0f:dc:23:e8:86:5c:87:49:7b:59:1b:f9:60:78:90:
         78:1d:2a:78:c5:7e:77:4a:b1:06:73:e0:24:df:6d:a5:5c:b0:
         85:84:31:f1:0c:dd:2c:67:5a:4b:32:e8:5b:81:19:57:10:f8:
         e7:a7:5a:01:4a:d4:dc:a4:1c:c1:ea:ef:b1:2c:8a:d2:bf:28:
         b1:c8:72:6b:cb:c9:d2:90:bd:bc:80:bf:a2:44:a6:17:5b:e8:
         eb:ca:5a:50:7b:87:88:0b:68:6a:e5:5d:b2:cd:57:87:bf:31:
         30:33:d0:fd:bf:93:40:ee:e9:7e:12:98:5e:0f:45:cb:2a:53:
         4d:46:21:8e:f3:07:38:8e:ee:a4:72:1a:b3:fe:bf:41:35:bf:
         bd:e3:f9:9c:14:b5:72:62:f6:46:1a:54:01:da:b3:45:63:07:
         1b:13:d5:11:a7:9b:13:f1:d1:b7:6d:28:e4:57:49:e9:99:12:
         e8:e3:5d:93

Import CA Certificate and Key into PKCS #12 File

Import the CA certificate and key into a PKCS #12 file with the following command:

$ echo Secret.123 > password.txt
$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12 -name "CA Certificate" -passout file:password.txt

Initialize an NSS database for the pki utility:

$ pki -c Secret.123 client-init

Set the trust flags for the CA certificate:

$ pki pkcs12-cert-mod --pkcs12-file ca.p12 "CA Certificate" --pkcs12-password-file password.txt --trust-flags "CTu,Cu,Cu"

Note: make sure there are no spaces in the trust flags.

Verify with the following commands:

$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
  Serial Number: 0xe3f2b350edcd875c
  Nickname: CA Certificate
  Subject DN: O=Example,CN=CA Certificate
  Issuer DN: O=Example,CN=CA Certificate
  Trust Flags: CTu,Cu,Cu
  Has Key: true

$ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
  Subject DN: CA Certificate
  Algorithm: RSA

Installing PKI CA

Prepare a deployment configuration file:

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin

pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123

pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123

pki_security_domain_name=EXAMPLE

pki_token_password=Secret.123

pki_existing=True
pki_ca_signing_nickname=CA Certificate
pki_ca_signing_csr_path=/tmp/ca.csr
pki_pkcs12_path=/tmp/ca.p12
pki_pkcs12_password=Secret.123

Start the installation with the following command:

$ pkispawn -v -f ca.cfg -s CA
Clone this wiki locally