Installing CA with OpenSSL CA Certificate - dogtagpki/pki GitHub Wiki
This document describes how to install a PKI CA using a CA certificate generated with OpenSSL.
Generate a new key with the following command:
```
$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
....................................................+++
e is 65537 (0x10001)
```
Generate a CA certificate request from the key with the following command:
```
$ openssl req -key ca.key -nodes -new -out ca.csr -subj "/CN=CA Certificate/O=Example" -days 365
```
Verify the CA certificate request:
```
$ openssl req -text -noout -in ca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=CA Certificate, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:13:a9:01:fa:ed:9a:6c:50:b2:cc:48:0e:ff:
                    02:30:fb:1a:fd:78:27:55:cc:4c:2f:b7:84:c3:45:
                    f3:a9:83:a9:6e:53:5b:1b:f8:f1:cc:ce:cd:8d:be:
                    17:69:48:62:2d:78:04:f2:09:6f:5b:27:7a:4c:bb:
                    12:46:0a:0c:b3:99:bb:18:66:aa:f0:2a:f4:5a:62:
                    9d:ff:51:19:76:31:cc:3c:97:24:35:d1:11:b7:d1:
                    79:41:ae:23:27:b2:40:ec:91:df:3e:26:d3:0d:e4:
                    c9:9b:48:6c:bb:f3:82:d0:8f:f9:f8:42:2d:ae:76:
                    36:55:44:1d:f3:55:19:58:2d:84:b0:fd:3b:f1:de:
                    4c:7f:c5:92:1d:e4:6e:fa:41:2d:83:d3:ae:3b:4c:
                    1c:ce:5e:c6:76:f7:c8:80:b3:13:0c:6a:75:e9:1e:
                    fe:60:e1:9e:fc:9f:cb:89:53:04:4b:f1:0b:4c:c0:
                    0e:22:c0:37:34:d3:23:8e:d0:95:4f:07:1e:31:e0:
                    aa:08:9b:fe:a7:28:d7:5d:fc:01:a4:fc:cb:5e:f8:
                    dd:5c:ff:c7:94:c7:35:ed:66:54:b1:ce:4a:ea:6b:
                    4e:b6:9e:16:24:2a:9a:8c:41:56:13:d0:84:5f:6c:
                    69:80:cc:08:0a:1d:fc:f8:cc:df:9b:11:b4:1c:31:
                    bd:23
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         3f:58:89:8a:73:7a:41:c8:30:d0:17:08:d4:44:80:09:33:ba:
         90:f0:fa:9c:a4:6f:ff:a5:26:b6:d7:15:8e:05:39:a1:8b:2d:
         a9:69:9b:20:3f:50:f0:53:60:ae:ad:31:43:4f:c9:af:ae:49:
         fb:5c:98:ac:ed:80:c9:1f:44:e5:3a:bc:0f:8b:e5:fe:e9:b7:
         e5:c5:a3:c4:b9:1e:60:b4:58:da:8a:3f:b2:fe:68:82:36:0a:
         b3:ec:3c:88:be:e8:7b:f5:68:14:f4:72:7d:9c:37:3b:ae:20:
         a0:d4:63:66:ac:02:14:94:df:17:35:93:82:c9:63:07:e7:14:
         b6:b7:8e:95:7a:c8:20:18:11:d1:34:b6:26:c8:45:05:36:5f:
         71:7b:ff:c6:02:23:2a:fc:44:a9:d7:c4:25:a4:5c:02:a1:69:
         7d:19:73:41:b1:13:c7:b4:02:13:1d:da:22:56:bb:25:8e:36:
         5e:45:c9:b6:d5:61:13:16:7f:11:28:16:f7:d6:63:8f:d5:11:
         77:6a:b6:e3:cd:ae:5c:7b:61:6e:da:7f:a3:e0:28:a3:26:3b:
         c0:e3:a1:3c:2c:68:cc:dd:d0:d7:99:f2:98:9f:44:e3:9b:a0:
         7f:fe:38:1c:c1:b2:39:55:35:17:5c:33:59:fd:c9:24:4a:e0:
         57:5d:2f:34
```
Generate the CA certificate using the existing key with the following command:
```
$ openssl req -x509 -new -key ca.key -nodes -out ca.crt -subj "/CN=CA Certificate/O=Example" -days 365 -set_serial 1
```
Note: If you use a different serial number, specify the same value in hex in the pki_serial_number_range_start deployment parameter (see Serial Number Ranges).
Verify the CA certificate (the sample output below was captured from a run without -set_serial, so its serial number differs from the value 1 set above):
```
$ openssl x509 -text -noout -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e3:f2:b3:50:ed:cd:87:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA Certificate, O=Example
        Validity
            Not Before: Jun 13 22:57:13 2016 GMT
            Not After : Jun 13 22:57:13 2017 GMT
        Subject: CN=CA Certificate, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:13:a9:01:fa:ed:9a:6c:50:b2:cc:48:0e:ff:
                    02:30:fb:1a:fd:78:27:55:cc:4c:2f:b7:84:c3:45:
                    f3:a9:83:a9:6e:53:5b:1b:f8:f1:cc:ce:cd:8d:be:
                    17:69:48:62:2d:78:04:f2:09:6f:5b:27:7a:4c:bb:
                    12:46:0a:0c:b3:99:bb:18:66:aa:f0:2a:f4:5a:62:
                    9d:ff:51:19:76:31:cc:3c:97:24:35:d1:11:b7:d1:
                    79:41:ae:23:27:b2:40:ec:91:df:3e:26:d3:0d:e4:
                    c9:9b:48:6c:bb:f3:82:d0:8f:f9:f8:42:2d:ae:76:
                    36:55:44:1d:f3:55:19:58:2d:84:b0:fd:3b:f1:de:
                    4c:7f:c5:92:1d:e4:6e:fa:41:2d:83:d3:ae:3b:4c:
                    1c:ce:5e:c6:76:f7:c8:80:b3:13:0c:6a:75:e9:1e:
                    fe:60:e1:9e:fc:9f:cb:89:53:04:4b:f1:0b:4c:c0:
                    0e:22:c0:37:34:d3:23:8e:d0:95:4f:07:1e:31:e0:
                    aa:08:9b:fe:a7:28:d7:5d:fc:01:a4:fc:cb:5e:f8:
                    dd:5c:ff:c7:94:c7:35:ed:66:54:b1:ce:4a:ea:6b:
                    4e:b6:9e:16:24:2a:9a:8c:41:56:13:d0:84:5f:6c:
                    69:80:cc:08:0a:1d:fc:f8:cc:df:9b:11:b4:1c:31:
                    bd:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1E:35:27:32:D9:A9:77:8E:A0:CB:5E:FC:9B:9C:F1:15:AA:B5:BF:9E
            X509v3 Authority Key Identifier:
                keyid:1E:35:27:32:D9:A9:77:8E:A0:CB:5E:FC:9B:9C:F1:15:AA:B5:BF:9E

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         7a:35:3c:b2:c1:80:6c:d1:c9:c5:c2:45:a3:cf:72:7e:73:01:
         7b:d8:9d:65:77:9e:19:dc:16:f0:be:8a:f8:1b:fc:27:ed:93:
         4a:92:04:69:a7:50:83:cb:22:66:e4:9a:57:4f:75:bb:fa:1f:
         c1:48:36:f4:47:9d:c8:e5:74:24:29:d5:98:8e:e2:bc:9f:45:
         e3:41:c8:0f:dc:23:e8:86:5c:87:49:7b:59:1b:f9:60:78:90:
         78:1d:2a:78:c5:7e:77:4a:b1:06:73:e0:24:df:6d:a5:5c:b0:
         85:84:31:f1:0c:dd:2c:67:5a:4b:32:e8:5b:81:19:57:10:f8:
         e7:a7:5a:01:4a:d4:dc:a4:1c:c1:ea:ef:b1:2c:8a:d2:bf:28:
         b1:c8:72:6b:cb:c9:d2:90:bd:bc:80:bf:a2:44:a6:17:5b:e8:
         eb:ca:5a:50:7b:87:88:0b:68:6a:e5:5d:b2:cd:57:87:bf:31:
         30:33:d0:fd:bf:93:40:ee:e9:7e:12:98:5e:0f:45:cb:2a:53:
         4d:46:21:8e:f3:07:38:8e:ee:a4:72:1a:b3:fe:bf:41:35:bf:
         bd:e3:f9:9c:14:b5:72:62:f6:46:1a:54:01:da:b3:45:63:07:
         1b:13:d5:11:a7:9b:13:f1:d1:b7:6d:28:e4:57:49:e9:99:12:
         e8:e3:5d:93
```
Import the CA certificate and key into a PKCS #12 file with the following command:
```
$ echo Secret.123 > password.txt
$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12 -name "CA Certificate" -passout file:password.txt
```
Initialize an NSS database for the pki utility:
```
$ pki -c Secret.123 client-init
```
Set the trust flags for the CA certificate:
```
$ pki pkcs12-cert-mod --pkcs12-file ca.p12 "CA Certificate" --pkcs12-password-file password.txt --trust-flags "CTu,Cu,Cu"
```
Note: Make sure there are no spaces in the trust flags.
Verify with the following commands:
```
$ pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Certificate ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
  Serial Number: 0xe3f2b350edcd875c
  Nickname: CA Certificate
  Subject DN: O=Example,CN=CA Certificate
  Issuer DN: O=Example,CN=CA Certificate
  Trust Flags: CTu,Cu,Cu
  Has Key: true

$ pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
---------------
1 entries found
---------------
  Key ID: 9311084d08b37d12e856b904b7e52eb3b1cece4a
  Subject DN: CA Certificate
  Algorithm: RSA
```
Prepare a deployment configuration file:
```
[CA]
pki_admin_email=<admin email address>
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret.123
pki_existing=True
pki_ca_signing_nickname=CA Certificate
pki_ca_signing_csr_path=/tmp/ca.csr
pki_pkcs12_path=/tmp/ca.p12
pki_pkcs12_password=Secret.123
```
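Before running pkispawn it is worth checking that the key, CSR, certificate and PKCS #12 file the configuration points to agree with each other, since pki_existing=True makes the installer trust them as-is. The following POSIX shell script is an added example, not part of this wiki page or the pki project; it assumes openssl on PATH, rebuilds its own input by repeating the openssl steps above in a scratch directory, and uses hypothetical helper names (make_ca_files, preflight_ca_files, pubkey_fp, norm_hex).

```shell
#!/bin/sh
# Added pre-flight check; not part of the dogtag wiki page or the pki project.
# Assumes openssl on PATH. make_ca_files, preflight_ca_files, pubkey_fp and
# norm_hex are hypothetical helper names chosen for this example.

# SHA-256 of the DER SubjectPublicKeyInfo of a PEM public key read on stdin.
pubkey_fp() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Lower-case a hex string and drop leading zeros so "01" and "1" compare equal.
norm_hex() { printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0*//'; }

# Repeat the page's openssl steps in directory $1 with serial $2 (constructed fixture).
make_ca_files() {
  d=$1; serial=${2:-1}
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
  openssl req -new -key "$d/ca.key" -out "$d/ca.csr" -subj "/CN=CA Certificate/O=Example" &&
  openssl req -x509 -new -key "$d/ca.key" -out "$d/ca.crt" -subj "/CN=CA Certificate/O=Example" \
    -days 365 -set_serial "$serial" &&
  echo Secret.123 > "$d/password.txt" &&
  openssl pkcs12 -export -in "$d/ca.crt" -inkey "$d/ca.key" -out "$d/ca.p12" \
    -name "CA Certificate" -passout "file:$d/password.txt"
}

# Check the files a deployment config references. Arguments:
#   key csr crt p12 password-file expected-serial-hex   (returns 0 only if all checks pass)
preflight_ca_files() {
  key=$1 csr=$2 crt=$3 p12=$4 pwfile=$5 want=$(norm_hex "$6") rc=0
  # 1. pki_ca_signing_csr_path and the certificate must carry the key that goes into
  #    the PKCS #12; a CSR left over from an earlier genrsa run would otherwise pass.
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_fp)
  c=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | pubkey_fp)
  x=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | pubkey_fp)
  { [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]; } ||
    { echo "public key differs between key, CSR and certificate"; rc=1; }
  # 2. The certificate must be a CA certificate (basicConstraints CA:TRUE).
  openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
    { echo "basicConstraints is not CA:TRUE"; rc=1; }
  # 3. The serial must be the value that pki_serial_number_range_start will be given.
  got=$(norm_hex "$(openssl x509 -in "$crt" -noout -serial | sed 's/^serial=//')")
  [ "$got" = "$want" ] || { echo "serial is $got, expected $want"; rc=1; }
  # 4. The PKCS #12 must open with pki_pkcs12_password and contain the private key.
  openssl pkcs12 -in "$p12" -passin "file:$pwfile" -nodes 2>/dev/null | grep -q 'PRIVATE KEY' ||
    { echo "PKCS #12 does not open with the password file or holds no key"; rc=1; }
  return $rc
}
```

Run it against the real files as `preflight_ca_files ca.key ca.csr ca.crt ca.p12 password.txt 1`; a non-zero exit plus the printed reason means the config should not be fed to pkispawn yet.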
Start the installation with the following command:
```
$ pkispawn -v -f ca.cfg -s CA
```