Project title: Implement Certificate Authority(CA) for

Ambo University Web Server

Introduction
In this project I am going to implemetn a self signed certificate authority for Ambo University.
Currently, Ambo University has branch campuses. Each branch campuses has virtual private
networks and its own server. The main objective of this project is that to create a CA to be deployed
into the main server which is found in the main campus and then all the clients associated with the
main server has to be request a certificate and to be signed by a root certificate.

1. Creating the necessary directories

First of all we will create a directory tree where all certificate stuff will be kept. If you are
first time user for Linux platform you will be able to study basic Linux command to do the
this.
I have started my project by assuming that you are familiar with Linux based operating
system and basic Linux commands.
Therefor, my first step is just creating the necessary directory structure to keep all our
certificate stuff. Before that we have to open terminal and change the current working
directory into Desktop to see our directory.
elsi@kali:~$ cd Desktop
elsi@kali:~/Desktop$

Then create all necessary directory on the Desktop.

elsi@kali:~/Desktop$ mkdir myCA

Change to myCA

elsi@kali:~/Desktop$ cd myCA

Create the following directories inside myCA directory

elsi@kali:~/Desktop/myCA$ mkdir certs crl newcerts private

elsi@kali:~/Desktop/myCA$ ls -l
total 16
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 certs

1
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 crl
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 newcerts
drwxr-xr-x 2 elsi elsi 4096 Jan 29 17:49 private

myCA is our Certificate Authoritys directory.

myCA/certs directory is where our server certificates will be placed.

myCA/newcerts directory is where openssl puts the created certificates in PEM
(unencrypted) format and in the form cert_serial_number.pem (eg 07.pem).
Openssl needs this directory, so we create it.
myCA/crl is where our certificate revocation list is placed.
myCA/private is the directory where our private keys are placed. Be sure that you
set restrictive permissions to all your private keys so that they can be read only by
root, or the user with whose privileges a server runs. If anyone steals your private
keys, then things get really bad.

Initial openssl configuration

We are going to copy the default openssl configuration file (openssl.cnf) to our CAs
directory. In Linux /Ubuntu distribution, this file exists in /etc/ssl/. So, we copy it to our
CAs directory and name it openssl.my.cnf.
elsi@kali:~/Desktop/CA/myCA$ cp /etc/ssl/openssl.cnf
/home/elsi/Desktop/CA/myCA/openssl.my.cnf

the directory /home/elsi/ is the users of our system and /home/elsi/Desktop/ directory is
the location where our CAs files will be stored. This may be different in your computer,
here is my user-name and my CAs directory. Normally I have created to the users Desktop
to easily identify where my CAs directory is located. But you may be create your own CAs
into different directory. So, be careful when you are creating your CAs. Dont copy this
directly. If you have little bit knowledge about Linux command that is better.

We also need to create two other files. This file serves as a database for openssl:

elsi@kali:~/Desktop/CA/myCA$ touch index.txt

2
The following file contains the next certificates serial number. Since we have not created
any certificates yet, we set it to "01":

elsi@kali:~/Desktop/CA/myCA$ echo '01'> serial

We need to configure the default openssl.my.cnf that we have copied previously as

following. Make sure you declare the directory you choose earlier.

[ CA_default ]
# Directory and file locations.
dir = /myCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand

# The root key and root certificate.

private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem

# For certificate revocation lists.

crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

[ policy_strict ]

# The root CA should only sign intermediate certificates that match.

# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Well apply policy_loose for all intermediate CA signatures, as the intermediate CA is

signing server and client certificates that may come from a variety of third-parties.
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional

3
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Options from the [ req ] section are applied when creating certificates or certificate signing
requests.
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.

default_md = sha256

# Extension to add when the -x509 option is used.

x509_extensions = v3_ca

The [ req_distinguished_name ] section declares the information normally required in a

certificate signing request. You can optionally specify some defaults.

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = ET
stateOrProvinceName = Ethiopia
localityName = Ambo
0.organizationName = Ambo University
organizationalUnitName = Public Institute
commonName = AU
emailAddress = dtechane6@gmail.com

# Optionally, specify some defaults.

countryName_default = ET
stateOrProvinceName_default = Ethiopia
localityName_default =
0.organizationName_default = Ambo University
#organizationalUnitName_default =
#emailAddress_default =

The next section, we will create the root certificate. First we have to generate both private
key using aes256 and along with 4096 key size.

4
elsi@kali:~/Desktop/CA/myCA$ openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..................++
...........++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:

Create root certificate

elsi@kali:~/Desktop/CA/myCA$ openssl req -config openssl.my.cnf -key

private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter &apos;.&apos;, the field will be left blank.
-----
ET [ET]:
Ethiopia [Ethiopia]:
Ambo []:
Ambo University [Ambo University]:
Organizational Unit Name (eg, section) []:Government University
AU []:
dtechane6@gmail.com []:

Verifying the root certificate

elsi@kali:~/Desktop/CA/myCA$ openssl x509 -noout -text -in certs/ca.cert.pem

So the output will shows

the Signature Algorithm used

the dates of certificate Validity

the Public-Key bit length
the Issuer, which is the entity that signed the certificate
the Subject, which refers to the certificate itself

Now we have done the root certificate. The next step is create the intermediate
certificate.

5
Create the intermediate certificate

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of
the root CA. The root CA signs the intermediate certificate, forming a chain of trust.
The purpose of using an intermediate CA is primarily for security. The root key can be kept
offline and used as infrequently as possible. If the intermediate key is compromised, the root
CA can revoke the intermediate certificate and create a new intermediate cryptographic pair.
We have to create directory inside myCA , name it as intermediate and then change
our current working directory to intermediate.

elsi@kali:~/Desktop/CA/myCA$ mkdir intermediate

elsi@kali:~/Desktop/CA/myCA$ cd intermediate

we have to Create the same directory structure used for the root CA files. Its convenient to
also create a csr directory to hold certificate signing requests.

elsi@kali:~/Desktop/CA/myCA/intermediate$ mkdir certs crl csr newcerts private

we will add a crlnumber file to the intermediate CA directory tree. crlnumber is used to
keep track of certificate revocation lists.

elsi@kali:~/Desktop/CA/myCA/intermediate$ echo &apos;01&apos;>crlnumber

Copy the intermediate CA configuration file from myCA directory to

myCA/intermediate/openssl.my.cnf. Five options have been changed compared to the root
CA configuration file:

elsi@kali:~/Desktop/CA/myCA$ cp openssl.my.cnf intermediate/openssl.my.cnf

[ CA_default ]
dir = /myCA/intermediate
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
policy = policy_loose

Create the intermediate key

We are going to create the intermediate key (intermediate.key.pem). Encrypt the
intermediate key with AES 256-bit encryption along with key size(it much enough key size
4096) and a strong password.

6
elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl genrsa -aes256 \
> -out private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
........................++
...........................................++
e is 65537 (0x10001)
Enter pass phrase for private/intermediate.key.pem:
Verifying - Enter pass phrase for private/intermediate.key.pem:

Create the intermediate certificate

Use the intermediate key to create a certificate signing request (CSR). The details should
generally match the root CA. The Common Name, however, must be different.

elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl req -config openssl.my.cnf -new

-sha256 -key private/intermediate.key.pem -out csr/intermediate.csr.pem
Enter pass phrase for private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter &apos;.&apos;, the field will be left blank.
-----
ET [ET]:
Ethiopia [Ethiopia]:
Ambo []:
Ambo University [Ambo University]:
Organizational Unit Name (eg, section) []:Government University
AU []:AU intermediate authority
dtechane6@gmail.com []:

Please enter the following &apos;extra&apos; attributes

to be sent with your certificate request
A challenge password []:12345
An optional company name []:

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension
to sign the intermediate CSR. The intermediate certificate should be valid for a shorter
period than the root certificate. Ten years would be reasonable.

elsi@kali:~/Desktop/CA/myCA$ openssl ca -config openssl.my.cnf -extensions

v3_intermediate_ca -days 3650 -notext -md sha256 -in
intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.my.cnf
Enter pass phrase for ./private/ca.key.pem:

7
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 30 15:23:27 2017 GMT
Not After : Jan 28 15:23:27 2027 GMT
Subject:
countryName = ET
stateOrProvinceName = Ethiopia
organizationName = Ambo University
organizationalUnitName = Goverment University
commonName = AU intermediate authority
X509v3 extensions:
X509v3 Subject Key Identifier:
56:86:AB:B0:A4:77:66:A1:96:AE:24:83:FF:46:97:4E:47:61:A2:8F
X509v3 Authority Key Identifier:
keyid:53:CA:51:90:79:9F:6D:FA:65:3C:B9:40:4F:C6:C4:2F:78:3C:80:64

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 28 15:23:27 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries
Data Base Updated

Verify the intermediate certificate

As we did for the root certificate, check that the details of the intermediate certificate are
correct.
elsi@kali:~/Desktop/CA/myCA$ openssl x509 -noout -text -in
intermediate/certs/intermediate.cert.pem

Create the certificate chain file

When an application (eg, a web browser) tries to verify a certificate signed by the
intermediate CA, it must also verify the intermediate certificate against the root certificate.
To complete the chain of trust, create a CA certificate chain to present to the application.
To create the CA certificate chain, concatenate the intermediate and root certificates
together. We will use this file later to verify certificates signed by the intermediate CA.

8
elsi@kali:~/Desktop/CA/myCA$ cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

Sign server and client certificates

We will be signing certificates using our intermediate CA. You can use these signed
certificates in a variety of situations, such as to secure connections to a web server or to
authenticate clients connecting to a service.

The first step is create the key

If youre creating a cryptographic pair for use with a web server (eg, Apache webserevr),
youll need to enter this password every time you restart the web server. You may want to
omit the -aes256 option to create a key without a password.

elsi@kali:~/Desktop/CA/myCA$ openssl genrsa -aes256 \

> -out intermediate/private/www.ambou.edu.et.key.pem 4096
Generating RSA private key, 4096 bit long modulus
................++
.....................++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/www.ambou.edu.et.key.pem:
Verifying - Enter pass phrase for intermediate/private/www.ambou.edu.et.key.pem:
elsi@kali:~/Desktop/CA/myCA$

Create a certificate
Use the private key to create a certificate signing request (CSR). The CSR details dont need to
match the intermediate CA. For server certificates, the Common Name must be a fully qualified
domain name (eg, www.ambou.edu.et), whereas for client certificates it can be any unique
identifier (eg, an e-mail address). Note that the Common Name cannot be the same as either your
root or intermediate certificate.

elsi@kali:~/Desktop/CA/myCA$ openssl req -config intermediate/openssl.my.cnf

-key intermediate/private/www.ambou.edu.et.key.pem -new -sha256 -out
intermediate/csr/www.ambou.edu.et.csr.pem
Enter pass phrase for intermediate/private/www.ambou.edu.et.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter &apos;.&apos;, the field will be left blank.
-----
ET [ET]:
Ethiopia [Ethiopia]:
Ambo []:
Ambo University [Ambo University]:
Gevernment Organization []:

9
AU []:www.ambou.edu.et
dtechane6@gmail.com []:

Please enter the following &apos;extra&apos; attributes

to be sent with your certificate request
A challenge password []:12345
An optional company name []:AUIOT

To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used
on a server, use the server_cert extension. If the certificate is going to be used for user
authentication, use the usr_cert extension. Certificates are usually given a validity of one year,
though a CA will typically give a few days extra for convenience.

elsi@kali:~/Desktop/CA/myCA$ cd intermediate
elsi@kali:~/Desktop/CA/myCA/intermediate$

elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl ca -config openssl.my.cnf

-extensions server_cert -days 375 -notext -md sha256 -in csr/www.ambou.edu.et.csr.pem
-out certs/www.ambou.edu.et.cert.pem
Using configuration from openssl.my.cnf
Enter pass phrase for ./private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 30 16:03:13 2017 GMT
Not After : Feb 9 16:03:13 2018 GMT
Subject:
countryName = ET
stateOrProvinceName = Ethiopia
organizationName = Ambo University
commonName = www.ambou.edu.et
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
00:E1:B7:C7:42:E0:E7:61:B0:3B:35:6E:35:BF:0C:94:05:F5:50:4E
X509v3 Authority Key Identifier:

keyid:56:86:AB:B0:A4:77:66:A1:96:AE:24:83:FF:46:97:4E:47:61:A2:8F
DirName:/C=ET/ST=Ethiopia/L=Ambo, Oromia/O=Ambo University/CN=AU
Certificate Authority
serial:01

X509v3 Key Usage: critical

Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Feb 9 16:03:13 2018 GMT (375 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

10
Write out database with 1 new entries
Data Base Updated

Verify the certificate

elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl x509 -noout -text \
> -in certs/www.ambou.edu.et.cert.pem

Here the Issuer is the intermediate CA. The Subject refers to the certificate itself.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=ET, ST=Ethiopia, O=Ambo University, OU=Goverment University,
CN=AU intermediate authority
Validity
Not Before: Jan 30 16:03:13 2017 GMT
Not After : Feb 9 16:03:13 2018 GMT
Subject: C=ET, ST=Ethiopia, O=Ambo University, CN=www.ambou.edu.et
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)

Use the CA certificate chain file we created earlier (ca-chain.cert.pem) to verify that the new
certificate has a valid chain of trust.

elsi@kali:~/Desktop/CA/myCA/intermediate$ openssl verify -CAfile certs/ca-

chain.cert.pem \
> certs/www.ambou.edu.et.cert.pem
certs/www.ambou.edu.et.cert.pem: OK

Deploy the certificate

You can now either deploy your new certificate to a server, or distribute the certificate to a client.
When deploying to a server application (eg, Apache webserver), you need to make the following
files available:
ca-chain.cert.pem
www.ambou.edu.et.key.pem
www.ambou.edu.et.cert.pem

If youre signing a CSR from a third-party, you dont have access

to their private key so you only need to give them back the chain
file (ca-chain.cert.pem) and the certificate
(www.ambou.edu.et.cert.pem).

11