OpenSSL CA: make a certificate signing request work on Arch Linux

Edit /etc/ssl/openssl.cnf

Find the [ ca ] section and make sure it and [ CA_default ] match the following:

#################################################################### 
[ ca ] 
default_ca      = CA_default #default ca section 

#################################################################### 

[ CA_default ] 

dir             = /etc/ssl              # Where everything is kept 
certs           = $dir/certs            # Where the issued certs are kept 
crl_dir         = $dir/crl              # Where the issued crl are kept 
database        = $dir/index.txt        # database index file. 
#unique_subject = no                    # Set to 'no' to allow creation of 
                                       # several certs with same subject. 
new_certs_dir   = $dir/newcerts         # default place for new certs. 

certificate     = $dir/cacert.pem       # The CA certificate 
serial          = $dir/serial           # The current serial number 
crlnumber       = $dir/crlnumber        # the current crl number 
                                       # must be commented out to leave a V1 CRL 
crl             = $dir/crl.pem          # The current CRL 
private_key     = $dir/private/cakey.pem # The private key 
email_in_dn     = no 
rand_serial     = yes                   # use random serial numbers

I generated a CA with

openssl genrsa -aes256 -out root_ca_key 16384 
openssl req -x509 -new -nodes -key root_ca_key -sha3-512 -days 3650 -out root_ca.crt

Then I signed a certificate signing request with the following command (it needs write permission to several directories under /etc/ssl/):

openssl ca -extensions v3_ca -days 3650 -notext -md sha3-512 -cert root_ca.crt -keyfile root_ca_key -in intermediate_ca.csr -out intermediate_ca.cer -outdir /home/grassyloki/openssl/

Note: Country Name, State or Province Name, Locality Name, and Organization Name all need to match. Make sure to change the home folder to match your username.
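
The signing step fails when the files and directories named in [ CA_default ] are missing or not writable. The script below is an added example, not part of the original post: it reads the config and lists those paths before openssl ca is run. The function names are hypothetical, and skipping the serial file when rand_serial is set is an assumption.

```sh
#!/bin/sh
# Added example: preflight for `openssl ca`. Lists the paths named in
# [ CA_default ] that are missing or not writable by the current user.

# Print KEY's value from [ SECTION ] of CNF, comments and padding stripped.
cnf_get() {  # usage: cnf_get CNF SECTION KEY
    awk -v sec="$2" -v key="$3" '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*/, "", s)
            in_sec = (s == sec); next
        }
        in_sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v      # key given twice: keep the last one
        }
        END { print val }' "$1"
}

# Replace a leading $dir in VALUE with DIR, as the config above uses it.
expand_dir() {  # usage: expand_dir VALUE DIR
    case $1 in
        '$dir'*) printf '%s\n' "$2${1#'$dir'}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Print one line per problem; return non-zero if any problem was found.
ca_preflight() {  # usage: ca_preflight CNF [SECTION]
    cnf=$1; sec=${2:-CA_default}; rc=0
    dir=$(cnf_get "$cnf" "$sec" dir)
    db=$(expand_dir "$(cnf_get "$cnf" "$sec" database)" "$dir")
    new=$(expand_dir "$(cnf_get "$cnf" "$sec" new_certs_dir)" "$dir")
    ser=$(expand_dir "$(cnf_get "$cnf" "$sec" serial)" "$dir")
    dbdir=$(dirname "$db")
    [ -f "$db" ] && [ -w "$db" ] || { echo "database: $db"; rc=1; }
    # The database is rewritten beside itself, so its directory must be writable.
    [ -d "$dbdir" ] && [ -w "$dbdir" ] || { echo "database dir: $dbdir"; rc=1; }
    [ -d "$new" ] && [ -w "$new" ] || { echo "new_certs_dir: $new"; rc=1; }
    # Assumption: a rand_serial entry means the serial file is not consulted.
    if [ -z "$(cnf_get "$cnf" "$sec" rand_serial)" ]; then
        [ -f "$ser" ] && [ -w "$ser" ] || { echo "serial: $ser"; rc=1; }
    fi
    return $rc
}

if [ $# -gt 0 ]; then ca_preflight "$@"; fi
```

Pass the config path as the first argument, for example /etc/ssl/openssl.cnf. The command above passes -outdir, which takes the place of new_certs_dir for that run.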

 



About: Ryan Parker

I'm a former captain of the Cyber Defense team, current Infrastructure Security Specialist. I also have a side job helping small to medium businesses with anything technology, doing everything imaginable. One of my hobbies is building out infrastructures for myself, friends, and clients. I currently maintain a homelab with about 400GB of RAM, 100+ TB of storage, and tons of CPU cores.

