Building Basic Public Key Infrastructure
This work was done by ISMAIL RACHDAOUI


The easiest way to build a very basic Public Key Infrastructure (PKI) using OpenSSL.


Generating a digital certificate for a user using OpenSSL:

The first step in every certificate system is to create the root certificate. It will be self-signed, and we will then use this certificate (the root) to sign the other certificates we generate.

1- Generate Root certificate:

As mentioned in the introduction, the root certificate will be self-signed; here is the OpenSSL command line that generates it:

openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 356

In this example the root certificate uses RSA as its public key algorithm with a key length of 2048 bits. The command generates two files:

ca.key: the private key of the root CA (encrypted with the pass phrase asked for below)

ca.crt: the self-signed root certificate, which carries the matching public key

The -x509 option makes the command output a self-signed certificate instead of a certificate request, and -days 356 means that it will be valid for 356 days.

When we run the command, OpenSSL first asks us for a pass phrase (shown in the slides' screenshots, not reproduced here). This pass phrase encrypts the private key ca.key, not the certificate, and will be asked for again every time the root key is used to sign. Then we continue.

The next step is to enter the Distinguished Name (DN) for the certificate; the information given becomes the certificate's subject. You can leave some fields empty, but not the Common Name (CN). In this example the CN is the hostname, Ubuntu. For a root certificate a descriptive CA name is the usual choice, because this CN appears as the issuer of every certificate the root signs; a hostname CN belongs on a server certificate.

That's all! Our root certificate is created; we can display ca.key and ca.crt using the Linux cat command. Both are PEM files, so cat only shows the Base64 blocks; the decoded certificate fields (subject, issuer, validity, extensions) are shown by openssl x509 with the -text option.

2- Generate a user certificate:

The creation of the user certificate is done in three steps.

Step 1: create the private key of the user certificate:

The command is

openssl genrsa -out user.key 4096

4096 is the key length in bits. Note that genrsa writes the key unencrypted unless a cipher option such as -aes256 is given, so protect the file accordingly.

Step 2: Creating a certificate signing request

To obtain a certificate, you start with a certificate signing request (CSR), which carries the user's public key and subject name. The request is then signed with the self-signed root certificate created before.

To generate the request we use the following command:

openssl req -new -key user.key -out user.csr

OpenSSL then asks for the user's subject information (the same DN fields as for the root; the slides show the prompts in a screenshot).

This command produces the file user.csr (CSR stands for Certificate Signing Request).

Step 3: Sign the CSR with the root certificate

The final step is to get user.csr signed by the root certificate, so that the user certificate is valid in the certificate chain. The command line is

openssl x509 -req -days 730 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt

In this command we provide the path of the CSR, the path of the root certificate and the path of the root's private key (OpenSSL will prompt for its pass phrase). The generated certificate is user.crt, valid for 730 days. Note that -set_serial 01 fixes the serial number: serial numbers must be unique per issuer, so every further certificate signed by this root needs a different value (or use -CAcreateserial, which keeps a counter in a ca.srl file next to ca.crt).

That's all! The screenshot in the slides shows the CSR being signed successfully and the user certificate user.crt being created.

To use user.key for Authenticode signatures with Microsoft's signtool, you have to package the key and the certificates in a PKCS#12 file using the command line:

openssl pkcs12 -export -out user.p12 -inkey user.key -in user.crt -chain -CAfile ca.crt

More about the PKCS#12 format: http://en.wikipedia.org/wiki/PKCS_12

The -chain option builds and verifies the chain from user.crt to ca.crt and includes the root in the bundle. The program asks for an export password; choose one and remember it, because you will need it to import the file on any Windows machine. Note also that the signing command above adds no extensions of its own; a certificate meant for code signing normally carries the Code Signing extended key usage (1.3.6.1.5.5.7.3.3), which openssl x509 -req can add from an -extfile.
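The whole procedure above, from root certificate to PKCS#12 bundle, as an added example that is not part of the original slides. It runs the same OpenSSL commands non-interactively (-subj instead of the DN prompts, -nodes instead of the root pass phrase, -passout instead of the export password prompt), adds the extensions a CA would normally set, uses -CAcreateserial instead of the fixed serial, and finishes with the checks a practitioner runs on the result: chain verification, key/certificate match and the contents of the .p12. The names Example Lab, alice, PKI_DIR, P12_PASS and the file pki.cnf are placeholders chosen for this example; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the original slides. Runs the slides' steps end to
# end without prompts, then checks the result. Assumes OpenSSL >= 1.1.1 on PATH;
# "Example Lab", "alice", PKI_DIR, P12_PASS and pki.cnf are placeholders.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # export password for the PKCS#12 file (demo only)

# One config file so the result does not depend on the distribution's openssl.cnf.
# v3_ca marks the root as a CA; v3_user marks an end-entity code-signing certificate.
write_config() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_user ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = codeSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# 1- Self-signed root. -subj replaces the DN prompt; -nodes skips the pass phrase so
# the script runs unattended. For a real root keep the pass phrase: ca.key is the
# one file whose compromise breaks every certificate issued here.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -config "$PKI_DIR/pki.cnf" -subj "/C=XX/O=Example Lab/CN=Example Lab Root CA" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# 2- User key and certificate signing request (steps 1 and 2 of the slides).
make_user_csr() {
  openssl genrsa -out "$PKI_DIR/user.key" 4096 2>/dev/null
  openssl req -new -key "$PKI_DIR/user.key" -config "$PKI_DIR/pki.cnf" \
    -subj "/C=XX/O=Example Lab/CN=alice" -out "$PKI_DIR/user.csr"
}

# Step 3: sign the CSR with the root. -CAcreateserial keeps a counter in ca.srl so
# each issued certificate gets a distinct serial, unlike the fixed "-set_serial 01".
sign_user_csr() {
  openssl x509 -req -days 730 -sha256 -in "$PKI_DIR/user.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/pki.cnf" -extensions v3_user -out "$PKI_DIR/user.crt" 2>/dev/null
}

# Page 7: bundle key, certificate and root in a PKCS#12 file. -certfile adds ca.crt
# unconditionally; the slides' "-chain -CAfile ca.crt" adds it after chain building.
export_pkcs12() {
  openssl pkcs12 -export -out "$PKI_DIR/user.p12" -inkey "$PKI_DIR/user.key" \
    -in "$PKI_DIR/user.crt" -certfile "$PKI_DIR/ca.crt" -passout "pass:$P12_PASS"
}

build_pki() {
  if [ ! -f "$PKI_DIR/user.p12" ]; then
    write_config; make_root_ca; make_user_csr; sign_user_csr; export_pkcs12
  fi
}

# --- checks on the result ---------------------------------------------------
# CN of the subject ($1 = subject) or issuer ($1 = issuer) of certificate $2.
cert_cn() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# True when the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# True when user.crt chains to ca.crt ("valid in the certificate chain").
verify_chain() { openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/user.crt" >/dev/null; }
# True when private key $1 belongs to certificate $2 (identical public keys).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}
# Number of certificates stored in the PKCS#12 file (expect 2: user + root).
p12_cert_count() {
  openssl pkcs12 -in "$PKI_DIR/user.p12" -passin "pass:$P12_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

build_pki
echo "PKI written to $PKI_DIR"
echo "root : $(cert_cn subject "$PKI_DIR/ca.crt")"
echo "user : $(cert_cn subject "$PKI_DIR/user.crt"), issued by $(cert_cn issuer "$PKI_DIR/user.crt")"
verify_chain && echo "chain: user.crt verifies against ca.crt"
```

Run it as is to get a throwaway PKI in a temporary directory, or set PKI_DIR to keep the files. Two points differ from the slides on purpose: the root key is left unencrypted only so the script can run unattended, and the extensions come from pki.cnf rather than from whatever openssl.cnf the system ships, which is what makes `openssl verify` and a Windows import treat ca.crt as a CA and user.crt as a code-signing certificate.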