Certificate & TLS: Becoming Your Own (Custom) Root Certificate Authority

Image: https://qph.fs.quoracdn.net/main-qimg-f2d9af77cbca3c6bc42bdd31437a7d6c

Objective

  • Become your organization's own private PKI provider.
  • Distribute the root CA certificate so that clients trust the certificates it issues.

Creating a Root Certificate Authority

1. Create your root CA RSA key (protect this key with a strong passphrase, a large key size and a strong cipher):

#> mkdir root-ca
#> cd root-ca
#> openssl genrsa -aes128 -out rootCA.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................++++
.........................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for rootCA.key:
Verifying - Enter pass phrase for rootCA.key:

2. Now create the rootCA certificate:

#> openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Enter pass phrase for rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:Sepang
Locality Name (eg, city) [Default City]:Selangor
Organization Name (eg, company) [Default Company Ltd]:Bytewise 
Organizational Unit Name (eg, section) []:SecOps
Common Name (eg, your name or your server's hostname) []:RootCA
Email Address []:[email protected]
#> openssl x509 -in rootCA.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:35:2c:98:f6:c7:0c:46:cd:2a:a3:10:29:4b:20:1d:c5:f1:da:1b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = MY, ST = Sepang, L = Selangor, O = Bytewise, OU = SecOps, CN = RootCA, emailAddress = [email protected]
        Validity
            Not Before: Mar 10 08:44:06 2020 GMT
            Not After : Dec 29 08:44:06 2022 GMT
        Subject: C = MY, ST = Sepang, L = Selangor, O = Bytewise, OU = SecOps, CN = RootCA, emailAddress = [email protected]
        Subject Public Key Info:
######## TRUNCATED ########

Now that the root authority certificate is ready, let's walk through an example of signing a CSR with this new root CA certificate.

Signing using the Root CA

1. To ask the certificate authority to sign our certificate, we must generate a CSR (Certificate Signing Request). The CSR is generated from the certificate's private key. The result of signing the CSR is your certificate (usually in PEM format, with a .crt extension).

The RSA key generated below is purely for example purposes. For production use, protect it with AES-256, a strong passphrase and a key size larger than 2048 bits.

2. To start generating the CSR, let's create the certificate key (the private part of your certificate infrastructure; it needs to be secured and well protected):

#> mkdir www.bytewise.my
#> cd www.bytewise.my/
#> openssl genrsa  -out bytewise.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
.........................................................................................................................................................................+++++
e is 65537 (0x010001)

3. Now let's create a configuration file for the CSR, so we can supply this configuration during CSR creation.

#> cat bytewise.cnf
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName         = MY
stateOrProvinceName = Selangor
localityName        = Sepang
organizationName    = Bytewise
commonName          = www.bytewise.my
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.bytewise.my

4. Now let's generate the CSR to be signed with our newly created root CA.

#> openssl req -new -key bytewise.key -out bytewise.csr -reqexts req_ext -config bytewise.cnf 
#> openssl req -in bytewise.csr -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = MY, ST = Selangor, L = Sepang, O = Bytewise, CN = www.bytewise.my
###### TRUNCATED ######
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.bytewise.my
###### TRUNCATED ######

5. Now let's sign it with the root CA we just created:

#> openssl x509 -req -in bytewise.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out bytewise.crt -days 365 -sha256 -extensions req_ext -extfile bytewise.cnf
Signature ok
subject=C = MY, ST = Selangor, L = Sepang, O = Bytewise, CN = www.bytewise.my
Getting CA Private Key
Enter pass phrase for ../rootCA.key:
#> openssl x509 -in bytewise.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:10:7b:ff:b1:7f:05:ee:36:01:ea:5e:97:19:35:fd:3a:f5:bf:d1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = MY, ST = Sepang, L = Selangor, O = Bytewise, OU = SecOps, CN = RootCA, emailAddress = [email protected]
        Validity
            Not Before: Mar 10 09:06:05 2020 GMT
    ###### TRUNCATED ######
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.bytewise.my
    ###### TRUNCATED ######

6. Let's see whether the certificate validates against the root CA chain:

#> openssl verify -CAfile ../rootCA.crt  bytewise.crt 
bytewise.crt: OK
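The six steps above, collected into one non-interactive script. This is an added example, not the original post's commands: it uses placeholder names (Example Corp, www.example.test, a placeholder passphrase) and assumes an `openssl` binary of version 1.1.1 or newer on PATH. It also goes a little beyond the post by stating the certificate extensions explicitly in config files (CA:TRUE and keyCertSign on the root, CA:FALSE and serverAuth on the server certificate) rather than inheriting them from the system openssl.cnf, and by extending the final `openssl verify` with the hostname match that a TLS client performs against the SAN.

```shell
#!/bin/sh
# Added example, not from the original post: the post's six steps as shell
# functions, run non-interactively, with the certificate extensions stated
# explicitly instead of inherited from the system openssl.cnf.
# Assumptions: `openssl` 1.1.1 or newer is on PATH; "Example Corp",
# www.example.test and the passphrase below are placeholders.
set -eu

# Placeholder passphrase; a real root key gets a strong one, kept offline.
ROOT_PASS="${ROOT_PASS:-change-me-root-passphrase}"

# Write the two OpenSSL config files the functions below reference.
write_configs() {
  dir="$1"
  cat > "$dir/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
C  = MY
O  = Example Corp
CN = Example Corp Root CA
[ v3_ca ]
# CA:TRUE plus keyCertSign is what makes clients accept certificates this key signs
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = req_ext
[ dn ]
C  = MY
O  = Example Corp
CN = www.example.test
[ req_ext ]
subjectAltName = @alt_names
[ leaf_ext ]
# Applied by the CA at signing time; the requester does not get to choose these
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = @alt_names
[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# Steps 1-2: passphrase-protected root key and self-signed root certificate.
make_root_ca() {
  dir="$1"
  openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out "$dir/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$ROOT_PASS" -sha256 \
    -days 3650 -config "$dir/root.cnf" -extensions v3_ca -out "$dir/rootCA.crt"
}

# Steps 3-5: server key, CSR carrying the SAN, and signing by the root.
issue_server_cert() {
  dir="$1"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/leaf.cnf" -reqexts req_ext \
    -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -passin "pass:$ROOT_PASS" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/leaf.cnf" -extensions leaf_ext -out "$dir/server.crt" 2>/dev/null
}

# Step 6, extended: chain check plus the hostname match a TLS client performs.
# Returns 0 only if the chain verifies AND $2 matches a SAN entry.
verify_server_cert() {
  openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Returns 0 if the issued certificate is marked as an end entity (CA:FALSE),
# i.e. it cannot itself be used to sign further certificates.
is_end_entity() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE'
}

build_demo_pki() {
  mkdir -p "$1"
  write_configs "$1"
  make_root_ca "$1"
  issue_server_cert "$1"
}

# Usage: DEMO_PKI_RUN=1 sh this_script.sh
if [ "${DEMO_PKI_RUN:-0}" = 1 ]; then
  build_demo_pki ./demo-pki
  verify_server_cert ./demo-pki www.example.test && echo "www.example.test: chain and hostname OK"
  verify_server_cert ./demo-pki other.example.test || echo "other.example.test: rejected (hostname mismatch)"
fi
```

The point of the extra checks at the end: `openssl verify -CAfile` alone only proves the signature chain, so the hostname check is what tells you the SAN you put in the CSR config is the one clients will accept, and the CA:FALSE check confirms the root did not accidentally mint another CA.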

Summary

Now we should distribute rootCA.crt to the browser or other clients so that bytewise.crt is validated and trusted. Securing connections with TLS and strong encryption is essential for defending an organization's infrastructure and systems from attackers.

Cover Image : https://unsplash.com/@diesektion

Muhammad Aizuddin Zali

Red Hat APAC-SEATH Senior Platform Consultant for OpenShift.
