Difference between revisions of "CA"

From Whitespace (Hackerspace Gent)
Revision as of 02:57, 6 November 2011

0x20 CA

  • CA with OpenSSL
    • all flat files in one directory
    • can easily be transported on an encrypted filesystem
  • Used for OpenVPN authentication

openssl.cnf

Check that the openssl.cnf file carries the 0x20-specific values:

  • root ca is valid for 15 years
  • certificates are valid for 5 years
  • DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
  • nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
  • extendedKeyUsage=serverAuth (server certs)
  • extendedKeyUsage=clientAuth (client certs)

Create a CA

$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf
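The command above only works against an openssl.cnf that already carries the values listed under "openssl.cnf". The script below is an added example, not the 0x20 wiki's own config: it writes a minimal openssl.cnf with those values into a throwaway directory (section names such as server_cert, client_cert and policy_match are this example's choice, not the page's), runs the page's `openssl req` command, then checks the root certificate for the facts a practitioner wants to confirm (CA:TRUE, the 0x20 DN, the nsCaRevocationUrl, a 5475-day validity). It also issues one client certificate with extendedKeyUsage=clientAuth and shows with `openssl verify -purpose` that such a certificate is rejected for the sslserver purpose, which is the point of keeping server and client extension sections apart. The `-nodes` flag is added so the script runs without a passphrase prompt; a real CA key should stay passphrase-protected. Requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not the wiki's config): build a 0x20-style CA in a temporary
# directory with the values the page lists, then inspect and exercise it.
set -e

make_0x20_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts"
    chmod 700 "$dir/private"
    touch "$dir/index.txt"
    echo 01 > "$dir/serial"
    # Minimal openssl.cnf constructed here from the page's 0x20-specific values.
    cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = .
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
private_key   = $dir/private/ca-0x20-key.pem
certificate   = $dir/ca-0x20-cert.pem
# issued certificates are valid for 5 years
default_days  = 1825
default_md    = sha256
policy        = policy_match

[ policy_match ]
countryName         = match
stateOrProvinceName = match
localityName        = optional
organizationName    = match
commonName          = supplied

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
C  = BE
ST = Ghent
L  = Whitespace
O  = 0x20
CN = 0x20 root ca

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nsCaRevocationUrl    = http://www.0x20.be/ca-0x20-crl.pem

# server certificates: serverAuth only
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# client certificates: clientAuth only
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # The page's command; -nodes added so no passphrase prompt blocks the script.
    ( cd "$dir" && openssl req -new -x509 -days 5475 -newkey rsa:4096 -nodes \
        -extensions v3_ca -keyout private/ca-0x20-key.pem \
        -out ca-0x20-cert.pem -config ./openssl.cnf 2>/dev/null )
}

# Returns 0 when the fresh root carries the properties the page specifies.
check_0x20_ca() {
    cert="$1/ca-0x20-cert.pem"
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' || return 1
    echo "$text" | grep -q '0x20 root ca' || return 1
    echo "$text" | grep -q 'ca-0x20-crl.pem' || return 1
    # 5475 days of validity: still valid in 5474 days, gone after 5476 days.
    openssl x509 -in "$cert" -noout -checkend $((5474 * 86400)) >/dev/null || return 1
    if openssl x509 -in "$cert" -noout -checkend $((5476 * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Issues a client certificate from the client_cert section and returns 0 only if
# it verifies for the sslclient purpose and is rejected for sslserver.
issue_client_and_check_eku() {
    dir="$1"
    ( cd "$dir" &&
      openssl req -new -newkey rsa:2048 -nodes -keyout private/client1-key.pem \
          -out client1.csr -config ./openssl.cnf \
          -subj "/C=BE/ST=Ghent/L=Whitespace/O=0x20/CN=client1" 2>/dev/null &&
      openssl ca -batch -config ./openssl.cnf -extensions client_cert \
          -in client1.csr -out client1-cert.pem 2>/dev/null )
    ca="$dir/ca-0x20-cert.pem"
    openssl verify -CAfile "$ca" -purpose sslclient "$dir/client1-cert.pem" >/dev/null 2>&1 || return 1
    if openssl verify -CAfile "$ca" -purpose sslserver "$dir/client1-cert.pem" >/dev/null 2>&1; then
        return 1   # a clientAuth-only certificate must not pass as a server
    fi
    return 0
}

# Stand-alone run: build the CA, check it, issue a client cert, clean up.
demo_dir=$(mktemp -d)
make_0x20_ca "$demo_dir"
check_0x20_ca "$demo_dir" && echo "root CA matches the 0x20 values"
issue_client_and_check_eku "$demo_dir" && echo "client cert accepted as client, rejected as server"
rm -rf "$demo_dir"
```

Note that nsCaRevocationUrl is a legacy Netscape extension: OpenVPN's `crl-verify` and modern TLS stacks do not fetch anything from it, so the CRL published at that URL still has to be copied to the VPN servers by hand.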