The Open-source PKI Book: A guide to PKIs and Open-source Implementations
Chapter 4. General implementation overview
Here we describe the initialisation phase of the CA. This takes place once. Special care is needed for the protection of the CA's private key.
The following examples require the OpenSSL software to be installed on your workstation. It is also recommended to have the directory in which the openssl binary resides in your PATH environment variable. Possible locations for the openssl binary are /usr/local/ssl/bin/ or /usr/bin/.
Use this command to generate the RSA key-pair:

CA_Admin% openssl genrsa -des3 -out ca.key 2048

genrsa        the openssl component to generate an RSA key-pair,
-des3         the symmetric algorithm to encrypt the key-pair,
-out ca.key   the filename to store the key-pair,
2048          size of the RSA modulus in bits.
On executing the above command, the user is presented with the following information:

1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
......................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter the pass-phrase here
Verifying password - Enter PEM pass phrase: re-enter the pass-phrase here
This creates an RSA key pair which is stored in the file ca.key. This key pair is encrypted with 3DES using a password supplied by the user during key generation. The N in RSA (the product of the two prime numbers) is 2048 bits long. For brevity, we say that we use 2048-bit RSA.
A sample key-pair, encrypted with a pass-phrase, can be found at the Section called Sample Encrypted Private Key in PEM format (2048 bits) in Appendix B. The same key-pair without the pass-phrase encryption is at the Section called Sample Private Key in PEM format (2048 bits) in Appendix B. The decoded version of the same key can be found at the Section called Sample Private Key in TXT format (2048 bits) in Appendix B.
In order to get a self-signed CA Certificate, we need to sign the CA's certificate request with the corresponding private key. The resulting Certificate has the X.509 structure.

CA_Admin% openssl req -new -x509 -days 365 -key ca.key -out ca.crt

req           the openssl component to generate a certificate request,
-new          this is a new certificate,
-x509         generate an X.509 certificate (self-signed) rather than a request,
-days 365     the time in days that the certificate will be valid, counting from now,
-key ca.key   the key-pair file to be used,
-out ca.crt   the filename that the new certificate will be written to.
Executing the above command presents this dialogue:

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase: enter the pass-phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Best CA Ltd
Organizational Unit Name (eg, section) []:Class 1 Public Primary Certification Authority
Common Name (eg, YOUR name) []:Best CA Ltd
Email Address []:.
CA_Admin%
This creates a self–signed certificate, called ca.crt. It is valid for 365 days from the date of generation. In this step, the CA Administrator has to enter the X.509 details of the CA Root Certificate.
A sample CA Certificate, in PEM format, can be found at the Section called Sample CA Certificate in PEM format in Appendix B. The TXT, or human-readable, version of the same Certificate can be found at the Section called Sample CA Certificate in TXT format in Appendix B.
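The two initialisation steps above, scripted as an added example (this is not code from the book): the key and the self-signed root are produced non-interactively, and three checks follow that an operator should make before the key is moved to its protected location. It assumes openssl is in PATH and that the directory argument is a writable scratch location; the subject DN is the one from the dialogue above, and the pass-phrase used when running it is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the book: the two steps above run non-interactively,
# followed by the checks an operator should make before trusting the result.
# Assumptions: openssl is in PATH; the directory argument is a scratch location.
set -eu

# DN taken from the dialogue in the text; the pass-phrase passed in at run time is
# a constructed sample (a real one is typed at a secured console or held in an HSM).
CA_SUBJ="/C=GB/ST=Surrey/O=Best CA Ltd/OU=Class 1 Public Primary Certification Authority/CN=Best CA Ltd"

# init_ca DIR PASSPHRASE : writes DIR/ca.key (encrypted) and DIR/ca.crt (self-signed)
init_ca() {
    dir="$1"; pass="$2"
    mkdir -p "$dir"
    umask 077   # the key file must never be group- or world-readable
    # Step 1: 2048-bit RSA key, encrypted under the pass-phrase. -passout avoids
    # the prompt; -aes256 replaces the book's -des3, which newer builds may reject.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
    # Step 2: self-signed X.509 root, 365 days, DN supplied with -subj instead of
    # the interactive questions.
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "$CA_SUBJ" -out "$dir/ca.crt" 2>/dev/null
}

# key_is_encrypted FILE : succeeds if the PEM carries an encryption header
# ("Proc-Type: 4,ENCRYPTED" on OpenSSL 1.x, "ENCRYPTED PRIVATE KEY" on 3.x)
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# cert_is_self_signed FILE : succeeds if the issuer DN equals the subject DN
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_matches_key CRT KEY PASSPHRASE : succeeds if the certificate's public key
# is the one belonging to the (encrypted) private key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}
```

All three checks must succeed; a plaintext ca.key or a certificate whose issuer differs from its subject means the initialisation has to be repeated, not patched.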