Setup more CAB forum compliant CA structure

This commit is contained in:
Jan Dittberner 2020-12-16 07:20:42 +01:00
parent e67dc820cf
commit e485abeced
2 changed files with 73 additions and 12 deletions

59
ca.cnf
View file

@ -1,7 +1,7 @@
extensions = v3_ext extensions = v3_ext
[ca] [ca]
default_ca = EXAMPLECA default_ca = sub_ca
[rootca] [rootca]
dir = ./example_ca/root dir = ./example_ca/root
@ -25,7 +25,7 @@ default_md = sha256
default_days = 1825 default_days = 1825
default_crl_days = 30 default_crl_days = 30
[EXAMPLECA] [sub_ca]
dir = ./example_ca/sub dir = ./example_ca/sub
certs = $dir/certs certs = $dir/certs
crl_dir = $dir/crl crl_dir = $dir/crl
@ -44,6 +44,25 @@ default_md = sha256
default_days = 365 default_days = 365
default_crl_days = 30 default_crl_days = 30
[email_ca]
dir = ./example_ca/email
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
crl = $dir/crl.pem
certificate = $dir/ca.crt.pem
private_key = $dir/private/ca.key.pem
RANDFILE = $dir/private/.rand
unique_subject = no
email_in_dn = no
default_md = sha256
default_days = 365
default_crl_days = 30
[policy_any] [policy_any]
countryName = match countryName = match
stateOrProvinceName = optional stateOrProvinceName = optional
@ -55,12 +74,14 @@ emailAddress = optional
[policy_match] [policy_match]
commonName = supplied commonName = supplied
[client_ext] [email_ext]
basicConstraints = critical,CA:false basicConstraints = critical,CA:false
keyUsage = keyEncipherment,digitalSignature,nonRepudiation keyUsage = keyEncipherment,digitalSignature,nonRepudiation
extendedKeyUsage = clientAuth,emailProtection extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl
[req] [req]
default_bits = 3072 default_bits = 3072
@ -86,10 +107,34 @@ commonName_max = 64
[req_attributes] [req_attributes]
[root_ca] [root_ca]
basicConstraints = critical,CA:true,pathlen:1 basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
[sub_ca] [ext_sub_ca]
basicConstraints = critical,CA:true,pathlen:0 basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/sub.crl
certificatePolicies = @policy_sub_ca
[ext_email_ca]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = 1.3.6.1.5.5.7.48.2;URI:http://example.org/ca/root/ca.crt,OCSP;URI:http://ocsp.example.org/
crlDistributionPoints = URI:http://crl.example.org/email.crl
certificatePolicies = @policy_email_ca
[policy_sub_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/sub/cps.html
[policy_email_ca]
policyIdentifier = 1.3.6.1.5.5.7.2.1
CPS = http://example.org/ca/email/cps.html

View file

@ -6,10 +6,10 @@ COUNTRY_CODE=CH
ORGANIZATION="Acme Ltd." ORGANIZATION="Acme Ltd."
if [ ! -d "example_ca" ]; then if [ ! -d "example_ca" ]; then
mkdir -p example_ca/root/newcerts example_ca/sub/newcerts mkdir -p example_ca/root/newcerts example_ca/sub/newcerts example_ca/email/newcerts
touch example_ca/root/index.txt example_ca/sub/index.txt touch example_ca/root/index.txt example_ca/sub/index.txt example_ca/email/index.txt
umask 077 umask 077
mkdir example_ca/root/private example_ca/sub/private mkdir example_ca/root/private example_ca/sub/private example_ca/email/private
openssl req -new -x509 \ openssl req -new -x509 \
-config ca.cnf \ -config ca.cnf \
-keyout example_ca/root/private/ca.key.pem \ -keyout example_ca/root/private/ca.key.pem \
@ -32,8 +32,24 @@ if [ ! -d "example_ca" ]; then
-config ca.cnf \ -config ca.cnf \
-name rootca \ -name rootca \
-in example_ca/sub/ca.csr.pem \ -in example_ca/sub/ca.csr.pem \
-extensions sub_ca \ -extensions ext_sub_ca \
-out example_ca/sub/ca.crt.pem \ -out example_ca/sub/ca.crt.pem \
-create_serial \ -rand_serial \
-batch
openssl req -new \
-config ca.cnf \
-keyout example_ca/email/private/ca.key.pem \
-newkey rsa:3072 \
-nodes \
-subj "/CN=Example Email CA/C=${COUNTRY_CODE}/O=${ORGANIZATION}" \
-utf8 \
-out example_ca/email/ca.csr.pem
openssl ca \
-config ca.cnf \
-name rootca \
-in example_ca/email/ca.csr.pem \
-extensions ext_email_ca \
-out example_ca/email/ca.crt.pem \
-rand_serial \
-batch -batch
fi fi