Initialisation of the Certification Authority

Here we describe the initialisation phase of the CA. This takes place once. Special care is needed for the protection of the CA's private key.

Note

The following examples require the OpenSSL software installed on your workstation. Also, it is recommended to have the directory that the openssl application resides, in your PATH environment variable. Possible locations for the openssl application are /usr/local/ssl/bin/ or /usr/bin/.

Generate the RSA key–pair for the CA

Use this command to generate the RSA key–pair:

CA_Admin% openssl genrsa –des3 –out ca.key 2048

Parameters

genrsa

the openssl component to generate an RSA key–pair,

-des3

the symmetric algorithm to encrypt the key–pair,

-out ca.key

the filename to store the key–pair,

2048

size of RSA modulus in bits.

Executing the above command, the user is presented with the following information
1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
......................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter the pass–phrase here
Verifying password - Enter PEM pass phrase: re–enter 
the pass–phrase here

This creates an RSA key pair which is stored in the file ca.key. This key pair is encrypted with 3DES using a password supplied by the user during key generation. The N in RSA (the product of the two prime numbers) is 2048 bits long. For brevity, we say that we use 2048-bit RSA.

A sample key–pair, encrypted with a pass–phrase, can be found at the section called Sample Encrypted Private Key in PEM format (2048 bits) in Appendix B. This same key–pair without the pass–phrase encryption is at the section called Sample Private Key in PEM format (2048 bits) in Appendix B. The decoded version of the same key can be found at the section called Sample Private Key in TXT format (2048 bits) in Appendix B.

Create a self–signed CA Certificate

In order to get a self–signed CA Certificate, we need to sign the CA's certificate request with the corresponding private key. The resulting Certificate has the X.509 structure.

CA_Admin% openssl req –new –x509 –days 365 –key ca.key –out ca.crt

Parameters

req

the openssl component to generate a certificate request,

-new

this is a new certificate,

-x509

generate an X.509 certificate,

-days 365

the time in days that the certificate will be valid, counting from now,

-key ca.key

the key–pair file to be used,

-out ca.crt

the filename that the new certificate will be written onto

Executing the above command presents this dialogue:

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:  enter the pass–phrase here
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Best CA Ltd
Organizational Unit Name (eg, section) []:Class 1 Public Primary Certification Authority
Common Name (eg, YOUR name) []:Best CA Ltd
Email Address []:.
CA_Admin% 

This creates a self–signed certificate, called ca.crt. It is valid for 365 days from the date of generation. In this step, the CA Administrator has to enter the X.509 details of the CA Root Certificate.

A sample CA Certificate, in PEM format, can be found at the section called Sample CA Certificate in PEM format in Appendix B. The TXT or human–readable of the same Certificate can be found at the section called Sample CA Certificate in TXT format in Appendix B.