opensslx509

OpenSSL as a CA without touching the certs/crl/index/etc environment


I think I have the right OpenSSL command to sign a certificate but I've gotten stuck and the tutorials I've found use a different argument format (I'm using OpenSSL 0.9.8o 01 Jun 2010).

openssl ca -cert cert.pem -keyfile key.pem

(Private key is not encryped and CSR is on stdin.)

It gives this error

Using configuration from /usr/lib/ssl/openssl.cnf
./demoCA/index.txt: No such file or directory
unable to open './demoCA/index.txt'

Looking at that configuration file:

[ ca ]
default_ca = CA_default    # The default ca section

[ CA_default ]
dir      = ./demoCA        # Where everything is kept
certs    = $dir/certs      # Where the issued certs are kepp
crl_dir  = $dir/crl        # Where the issued crl are kept
database = $dir/index.txt  # database index file.

I don't have any of this set up. I don't want to set any of this up.

Is it strictly nessecary, or is there a "don't bother" option?

I tried creating empty directories and files but I've got in a tangle. What I really want is for a command like the above to work, with the output on stdout, without touching anything on the filesystem.


Solution

  • I don't know of any "don't bother" options, but here is how you can setup a quick demo CA:

    #!/bin/bash
    CAROOT=/path/to/ca
    mkdir -p ${CAROOT}/ca.db.certs   # Signed certificates storage
    touch ${CAROOT}/ca.db.index      # Index of signed certificates
    echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number
    
    # Configuration
    cat>${CAROOT}/ca.conf<<'EOF'
    [ ca ]
    default_ca = ca_default
    
    [ ca_default ]
    dir = REPLACE_LATER
    certs = $dir
    new_certs_dir = $dir/ca.db.certs
    database = $dir/ca.db.index
    serial = $dir/ca.db.serial
    RANDFILE = $dir/ca.db.rand
    certificate = $dir/ca.crt
    private_key = $dir/ca.key
    default_days = 365
    default_crl_days = 30
    default_md = md5
    preserve = no
    policy = generic_policy
    [ generic_policy ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    EOF
    
    sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf
    
    cd ${CAROOT}
    
    # Generate CA private key
    openssl genrsa -out ca.key 1024
    
    # Create Certificate Signing Request
    openssl req -new -key ca.key  \
                     -out ca.csr       
    
    # Create self-signed certificate
    openssl x509 -req -days 10000 \
                  -in ca.csr      \
                  -out ca.crt     \
                  -signkey ca.key
    

    Now you can generate and sign keys:

    # Create private/public key pair
    openssl genrsa -out server.key 1024
    
    # Create Certificate Signing Request
    openssl req -new -key server.key \
                     -out server.csr
    
    # Sign key
    openssl ca -config ${CAROOT}/ca.conf   \
               -in server.csr              \
               -cert ${CAROOT}/ca.crt      \
               -keyfile ${CAROOT}/ca.key   \
               -out server.crt