Setting up a CA
To set up a CA, generate a private and public key pair and build a certificate from the public key. This procedure uses OpenSSL to create the CA certificate and sign CSRs. First, set up a file structure and configuration template for the CA.
Creating the Certificate Authority
Create the ca directory along with the private, certs, and conf subdirectories, then populate the required serial and index.txt files.

mkdir -p ca/private ca/certs ca/conf
cd ca
echo '01' > serial
touch index.txt
A configuration template file specifies several configuration settings that cannot be passed on the command line. The following sample configuration file highlights fields of particular interest.

Create the ca/conf/caconfig.cnf file with contents similar to the following:

#..................................
[ ca ]
default_ca = CA_default

[ CA_default ]
copy_extensions = copy
dir = /PATH/TO/YOUR/DIR/ca
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 712
default_md = sha256
preserve = no
email_in_dn = no
x509_extensions = v3_ca
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048                         # Size of keys
default_keyfile = key.pem                   # name of generated keys
default_md = sha256                         # message digest algorithm
string_mask = nombstr                       # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------  ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#-------------------------  ------------------------------
0.organizationName_default = Elasticsearch Test Org
localityName_default = Amsterdam
stateOrProvinceName_default = Amsterdam
countryName_default = NL
emailAddress_default = cacerttest@YOUR.COMPANY.TLD

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
Copy extensions: Copies all X509 V3 extensions from a Certificate Signing Request into the signed certificate. With the value set to

CA directory: Add the full path to this newly created CA

Certificate validity period: The default number of days that a certificate signed by this CA is valid for. Note that certificates signed by a CA must expire before the CA certificate expires.

Certificate Defaults: The
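The procedure above, carried through as an added example (not code from the Elastic documentation): the script builds the same directory layout in a scratch directory, writes a reduced caconfig.cnf with placeholder DN values, generates the CA key pair and self-signed CA certificate with the v3_ca extensions, and then checks two things a practitioner should verify, that the certificate really carries CA:TRUE and that the CA outlives the default_days window so certificates it signs expire before it does.

```shell
# Added example (not from the Elastic docs): CA layout from above in a scratch directory,
# reduced caconfig.cnf, CA key pair and self-signed CA certificate, plus two checks.
set -e
# make_ca DIR DAYS: dirs, serial, index.txt, config, CA key and CA cert valid for DAYS days.
make_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/certs" "$dir/conf"
  chmod 700 "$dir/private"          # the CA key must never be world-readable
  echo '01' > "$dir/serial"; touch "$dir/index.txt"
  cat > "$dir/conf/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
copy_extensions = copy
dir = $dir
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 712
default_md = sha256
x509_extensions = v3_ca
policy = policy_match
[ policy_match ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
O = Example Test Org
CN = Example Test CA
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -config "$dir/conf/caconfig.cnf" -extensions v3_ca \
    -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" 2>/dev/null
}
# ca_basic_constraints DIR: prints the basicConstraints value of the CA certificate.
ca_basic_constraints() {
  openssl x509 -in "$1/certs/cacert.pem" -noout -text | grep -A1 'Basic Constraints' | tail -n1 | tr -d ' '
}
# ca_outlives_signed_certs DIR: succeeds only if the CA cert stays valid beyond default_days from now.
ca_outlives_signed_certs() {
  days=$(sed -n 's/^default_days *= *//p' "$1/conf/caconfig.cnf")
  openssl x509 -in "$1/certs/cacert.pem" -noout -checkend $(( days * 86400 )) >/dev/null
}
```

A CA created with a short validity (for example 30 days) fails the second check, which is exactly the misconfiguration the validity-period note warns about.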