Configuration of OpenSSL

The first thing you need to do is create a configuration file, preferably in the OPENSSLDIR, since that is where OpenSSL looks for its default configuration. To find out the default directory, run the following command:
# openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/usr/lib/ssl"
Configuration for generating a CSR
The file you are going to create could be called custom_openssl.cnf. In it you define which fields will be asked for when a CSR (Certificate Signing Request) is created. If, for example, you wanted only the country to be requested, the minimum configuration would be the following:
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
To create a CSR together with a new private key from this file, we can use the following command:
sudo openssl req -new -keyout userkey.pem -out usercert-req.pem -config custom_openssl.cnf
And we would get an output like the following:
Generating a RSA private key
...........+++++
.............+++++
writing new private key to 'userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CO
As you can see, only the country has been requested. After creating the CSR, you can verify the information that will be signed into the Subject with the following command:
# openssl req -text -in usercert-req.pem -noout | grep Subject:
Subject: C = CO
Now that we have seen how the CSR creation process works and which fields are involved, let us define a more complete configuration of what a CSR should contain.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
When creating a CSR with this configuration, all of these fields will be requested in the console:
-----
Country Name (2 letter code) [CO]:CO
State or Province Name (full name) []:Antioquia
Locality Name (eg, city) []:Medellin
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, YOUR name) []:pleets.org
Email Address []:noreply@pleets.org
Some fields, such as the organization name, can appear more than once in the same request. That is why such fields are usually prefixed with a number, and you may encounter the following:
[ req_distinguished_name ]
0.organizationName = Organization Name (eg, company)
Note that all other fields have been omitted for simplicity. To add a second organization name, you could simply do the following:
[ req_distinguished_name ]
0.organizationName = Organization Name 1 (eg, company)
1.organizationName = Organization Name 2 (eg, company)
Usually it is not necessary to add more than one organization. If you create a CSR with this configuration, you will see something like the following:
-----
Country Name (2 letter code) [CO]:CO
State or Province Name (full name) []:Antioquia
Locality Name (eg, city) []:Medellin
Organization Name 1 (eg, company) []:Alphabet
Organization Name 2 (eg, company) []:Google
Organizational Unit Name (eg, section) []:Technology
Common Name (eg, YOUR name) []:google.com
Email Address []:noreply@google.com
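The CSR workflow of this section end to end, as an added example that is not part of the original post: it writes the prompting configuration above (including both numbered organizationName entries) to a scratch directory, feeds the prompt answers from a script instead of the keyboard, and reads the Subject back. The scratch directory, the file names, the answers and the test.example names are constructed for the example. It also shows what countryName_max does when an answer is too long and what an empty answer does when a countryName_default exists, which the transcript above does not.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"            # scratch directory so nothing touches OPENSSLDIR
CNF="$WORK/custom_openssl.cnf" # constructed file name

# The prompting configuration described above, with two organizationName fields.
write_csr_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_default     = CO
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name 1 (eg, company)
1.organizationName      = Organization Name 2 (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (eg, YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 40
EOF
}

# Generate a key pair and CSR, answering the prompts on stdin in the order the
# fields appear in [ req_distinguished_name ]. The first answer, "COL", breaks
# countryName_max = 2, so openssl rejects it and asks again; the empty line
# that follows accepts countryName_default (CO). -nodes leaves the private key
# unencrypted so no passphrase prompt interrupts the scripted answers.
make_csr() {
    printf '%s\n' "COL" "" "Antioquia" "Medellin" "Alphabet" "Google" \
        "Technology" "test.example" "noreply@test.example" |
    openssl req -new -nodes -config "$CNF" \
        -keyout "$WORK/userkey.pem" -out "$WORK/usercert-req.pem"
}

# Print the CSR subject in RFC 2253 form: comma separated, most specific RDN first.
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$WORK/usercert-req.pem"
}

# Count how many organizationName (O=) values the request carries.
csr_org_count() {
    csr_subject | sed 's/^subject=//' | tr ',' '\n' | grep -c '^O='
}

write_csr_config
make_csr
csr_subject
echo "organizationName entries: $(csr_org_count)"
```

The subject comes back with both organization names (O=Google,O=Alphabet in RFC 2253 order) and C=CO taken from the default, even though the first country answer was refused. The _min and _max limits only apply to prompted input: if you pass the subject on the command line with -subj, they are not checked.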
Configuration for signing a certificate
To sign certificates, we must first create the directory and files that openssl ca uses as its working database:
sudo mkdir ca_company
sudo touch ca_company/database.txt
sudo touch ca_company/database.txt.attr
echo "C001" | sudo tee ca_company/serial.txt > /dev/null
sudo mkdir ca_company/newcerts
The database.txt file will contain the database of all issued certificates. The serial.txt file keeps the serial number counter for the certificates being issued, and the newcerts folder will store a copy of each newly generated certificate.
The next step is to create the certificate with which we will sign the other certificates (a self-signed certificate):
sudo openssl req -new -x509 -keyout ca_company/cakey.pem -out ca_company/cacert.pem -days 3650
Finally, we must add the following sections to the openssl configuration file we are going to use (custom_openssl.cnf in this guide):
[ ca ]
default_ca = ca_company
[ ca_company ]
dir = ./ca_company
new_certs_dir = $dir/newcerts
database = $dir/database.txt
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
serial = $dir/serial.txt
default_md = sha256
policy = policy_match
default_days = 365
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
To sign the CSR created earlier (usercert-req.pem), we can use the following command, which writes the issued certificate to output.cert:
sudo openssl ca -in usercert-req.pem -out output.cert -config custom_openssl.cnf
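The signing setup of this section end to end, as an added example that is not the post's own commands: it recreates the ca_company layout and the [ ca ] configuration above in a scratch directory owned by the caller (so no sudo is needed), creates the self-signed CA, signs a constructed CSR and verifies the issued certificate against the CA. Two things are additions not on the page: the x509_extensions settings with their [ v3_ca ] and [ usr_cert ] sections, added because without an x509_extensions setting openssl ca issues a certificate with no extensions at all (no basicConstraints, keyUsage or subjectAltName, which current TLS clients reject), and the -batch flag, which answers the sign and commit questions automatically. The scratch directory, the subject names and the test.example host are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK="$(mktemp -d)"   # constructed scratch directory
cd "$WORK"

# Same layout as the page, without sudo: the caller owns the directory, so a
# plain redirect into serial.txt works.
setup_ca_dir() {
    mkdir -p ca_company/newcerts
    touch ca_company/database.txt ca_company/database.txt.attr
    echo "C001" > ca_company/serial.txt
}

# The [ ca ] configuration from the page plus the extension sections added here.
write_ca_config() {
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name (eg, YOUR name)

[ ca ]
default_ca = ca_company

[ ca_company ]
dir             = ./ca_company
new_certs_dir   = $dir/newcerts
database        = $dir/database.txt
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
serial          = $dir/serial.txt
default_md      = sha256
policy          = policy_match
default_days    = 365
x509_extensions = usr_cert

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:test.example
EOF
}

# Self-signed CA certificate, as on the page but with -subj instead of prompts.
make_ca_cert() {
    openssl req -new -x509 -nodes -config openssl.cnf -days 3650 \
        -subj "/CN=Constructed Test CA" \
        -keyout ca_company/cakey.pem -out ca_company/cacert.pem 2>/dev/null
}

# A constructed end-entity key pair and CSR to be signed.
make_user_csr() {
    openssl req -new -nodes -config openssl.cnf \
        -subj "/C=CO/O=Alphabet/CN=test.example" \
        -keyout userkey.pem -out usercert-req.pem 2>/dev/null
}

# -batch signs and commits without asking; -notext keeps the output PEM-only.
sign_user_csr() {
    openssl ca -batch -notext -config openssl.cnf \
        -in usercert-req.pem -out output.cert 2>/dev/null
}

# Prints "output.cert: OK" when the issued certificate chains to the CA.
verify_cert() { openssl verify -CAfile ca_company/cacert.pem output.cert; }

# After signing, serial.txt holds the next number and database.txt records the
# issued certificate as a "V" (valid) line with its serial and subject.
next_serial()      { cat ca_company/serial.txt; }
issued_count()     { grep -c '^V' ca_company/database.txt; }
cert_is_ca_false() { openssl x509 -noout -text -in output.cert | grep -c 'CA:FALSE'; }

setup_ca_dir
write_ca_config
make_ca_cert
make_user_csr
sign_user_csr
verify_cert
echo "next serial: $(next_serial), issued: $(issued_count)"
```

After one signature serial.txt reads C002 and database.txt has one V line carrying serial C001; openssl ca refuses a second request with the same subject while that line is present, because unique_subject defaults to yes, so a renewal needs the old entry revoked or that option changed.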