LibraryLink ToToggle FramesPrintFeedback

Set Up Your Own CA

This section describes how to set up your own private CA. Before setting up a CA for a real deployment, read the additional notes in Choosing a host for a private certification authority .

To set up your own CA, perform the following steps:

On the secure CA host, add the OpenSSL bin directory to your path:

Windows

> set PATH=OpenSSLDir\bin;%PATH%

UNIX

% PATH=OpenSSLDir/bin:$PATH; export PATH

This step makes the openssl utility available from the command line.

Create a new directory, X509CA, to hold the new CA. This directory is used to hold all of the files associated with the CA. Under the X509CA directory, create the following hierarchy of directories:

X509CA/ca
X509CA/certs
X509CA/newcerts
X509CA/crl

Copy the sample openssl.cnf from your OpenSSL installation to the X509CA directory.

Edit the openssl.cnf to reflect the directory structure of the X509CA directory, and to identify the files used by the new CA.

Edit the [CA_default] section of the openssl.cnf file to look like the following:

#############################################################
[ CA_default ]
    
dir        = X509CA            # Where CA files are kept
certs      = $dir/certs  # Where issued certs are kept
crl_dir    = $dir/crl          # Where the issued crl are kept
database   = $dir/index.txt    # Database index file
new_certs_dir = $dir/newcerts  # Default place for new certs
    
certificate   = $dir/ca/new_ca.pem # The CA certificate
serial        = $dir/serial        # The current serial number
crl           = $dir/crl.pem       # The current CRL
private_key   = $dir/ca/new_ca_pk.pem  # The private key
RANDFILE      = $dir/ca/.rand
# Private random number file

x509_extensions = usr_cert  # The extensions to add to the cert
...

You might decide to edit other details of the OpenSSL configuration at this point—for more details, see the OpenSSL documentation.

In the X509CA directory, initialize two files, serial and index.txt.

Windows

To initialize the serial file in Windows, enter the following command:

> echo 01 > serial

To create an empty file, index.txt, in Windows start Windows Notepad at the command line in the X509CA directory, as follows:

> notepad index.txt

In response to the dialog box with the text, Cannot find the text.txt file. Do you want to create a new file?, click Yes, and close Notepad.

UNIX

To initialize the serial file and the index.txt file in UNIX, enter the following command:

% echo "01" > serial
% touch index.txt

These files are used by the CA to maintain its database of certificate files.

[Note]Note

The index.txt file must initially be completely empty, not even containing white space.

Create a new self-signed CA certificate and private key with the following command:

openssl req -x509 -new -config X509CA/openssl.cnf -days 365 -out X509CA/ca/new_ca.pem -keyout X509CA/ca/new_ca_pk.pem

The command prompts you for a pass phrase for the CA private key and details of the CA distinguished name. For example:

Using configuration from X509CA/openssl.cnf
Generating a 512 bit RSA private key
....+++++
.+++++
writing new private key to 'new_ca_pk.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN. There are quite a few fields but you can leave
some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IE
State or Province Name (full name) []:Co. Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) []:Progress
Organizational Unit Name (eg, section) []:Finance
Common Name (eg, YOUR name) []:Gordon Brown
Email Address []:gbrown@progress.com 
[Note]Note

The security of the CA depends on the security of the private key file and the private key pass phrase used in this step.

You must ensure that the file names and location of the CA certificate and private key, new_ca.pem and new_ca_pk.pem, are the same as the values specified in openssl.cnf (see the preceding step).

You are now ready to sign certificates with your CA.