What are those?
Private keys, certificate, certificate agents and root certificate enable security between client server communication. At a typical handshake phase of ssl / tls session, the server provides certificate and corresponding certificate agent list to the client. Certificate of server includes it’s public key and domain with other useful information. With certificate and it’s certificate agent list, it is checked that the server is in fact the identity which he claims to be (authenticity). This process is done with starting checking server certificate with the very immediate low level certificate agent that handled the sign request of server. Then following the certificate agent list, each lower level certificate agent is checked with certificate of higher level, which should at the very end depend to a root certificate that reside in system. After controlling authenticity, client will generate a random symmetric key and encrypt it with servers public key. Server will be able to decrypt it with it’s private key and get the symmetric key that will be used from then on.
Therefore a certificate chain should finalize with a well known root. In order to depend on a well known root, you need to go to one of certificate agents that are already at the very end signed by the root, and make them sign your certificate, which will cost money and time. Other alternative for internal use or testing, generate your own chain and insert this specific root to the trusted root store of the system. Notice that changing trusted root store of a system is generally a bad idea with possible security consequences. Having said this, if you need these for testing purposes, here is how you can generate a root certificate, varying number of certificate agents, and an endpoint key certificate pair.
Create a root
It will be wise to protect already existing configuration and keys in our environment, therefore create a temporary working directory workbench/certificates in my case. We will need a configuration template. openssl.cnf will do the job, find and copy it with name root.cnf.
This will be used as configuration of root certificate agent.
In order to be tidy, give a corresponding directory name for root certificate agent, root, in this case.
And make signing available by setting basisConstraints=CA:TRUE which defaults to false
Then we may generate the private key of root as;
Before self signing the request, we should prepare environment for outputs and configurations. We should have a ./root and .root/newcerts directory. this will keep the certificates that are signed by root certificate agent.
Then we should have a datebase file called index.txt
And a counter that is incremented each time a new certificate is issued.
Then we are ready to self sign the certificate request
Certificate may be checked by
And output will be as;
Create certificate agent A certificates : CaA
Now we will create security keys of certificate agent A, CaA. Start with creating configuration file CaA.cnf,
and necessary environment.
Create private key and sign request.
Generate certificate of CaA with information of root
veryfying certificate of CaA
Notice that database of root contains two entries, one for self signing, and one for signing CaA,
We should have following directory snapshot,
Create certificate agent B certificates : CaB
Same steps may be repeated to form certificate agent B, CaB.
sifa@debian:~/workbench/certificates$ cp root.cnf CaB.cnf sifa@debian:~/workbench/certificates$ mkdir CaB sifa@debian:~/workbench/certificates$ mkdir CaB/newcerts sifa@debian:~/workbench/certificates$ touch CaB/index.txt sifa@debian:~/workbench/certificates$ echo 01 >> CaB/serial sifa@debian:~/workbench/certificates$ sifa@debian:~/workbench/certificates$ openssl req -new -newkey rsa:1024 -nodes -out CaB.csr -keyout CaB_private.pem -config CaB.cnf sifa@debian:~/workbench/certificates$ sifa@debian:~/workbench/certificates$ openssl ca -keyfile CaA_private.pem -cert CaA_certificate.pem -out CaB_certificate.pem -in CaB.csr -config CaA.cnf
We may verify that jack.dalton signed certificate of william.dalton;
Here, we will make a different modification in CaB.cnf (uncomenting copy_extensions=copy), which will make keep alternative names of endpoint,
Create endpoint certificates
Endpoint certificate creation will be very similar, except the certificate belong to avarel. As he is not careful, he will add many alternate names with wildcards by modifying endpoint.cnf as;
The remaining steps are same, except omitting generation of certificate folder, sequence and index database, since endpoint will not generate any certificates.
sifa@debian:~/workbench/certificates$ cp root.cnf endpoint.cnf sifa@debian:~/workbench/certificates$ openssl req -new -newkey rsa:1024 -nodes -out endpoint.csr -keyout endpoint_private.pem -config endpoint.cnf sifa@debian:~/workbench/certificates$ openssl ca -keyfile CaB_private.pem -cert CaB_certificate.pem -out endpoint_certificate.pem -in endpoint.csr -config CaB.cnf sifa@debian:~/workbench/certificates$ openssl x509 -in endpoint_certificate.pem -text -noout
After operation we should have whole chain of certificates from endpoint to root, to use in our tests.