- Renamed include directory to polarssl

diff --git a/programs/ssl/CA-HOWTO.txt b/programs/ssl/CA-HOWTO.txt
new file mode 100644
index 0000000..6f05211
--- /dev/null
+++ b/programs/ssl/CA-HOWTO.txt
@@ -0,0 +1,144 @@
+

+

+

+                How to setup your own Certificate Authority

+                ===========================================

+

+

+Note: this howto requires the openssl binary, as well as classic

+UNIX tools (cat, touch, echo). If you use Windows, please consider

+installing Cygwin -- see http://cygwin.com/

+

+

+    1. Configure OpenSSL

+    --------------------

+

+First of all, create sslconf.txt in the current directory

+(a basic example is provided at the end of this file).

+

+cat > sslconf.txt <<"EOF"

+[paste contents here]

+EOF

+

+Then you need to create the database and a starting serial number:

+

+touch index

+echo "01" > serial

+mkdir newcerts

+

+

+    2. Generate the CA certificate

+    ------------------------------

+

+openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \

+            -set_serial 0 -text -keyout test-ca.key -out test-ca.crt

+

+

+    3. Generate the private keys and certificate requests

+    -----------------------------------------------------

+

+openssl genrsa -out server1.key 2048

+openssl genrsa -out server2.key 2048

+openssl genrsa -out client1.key 2048

+openssl genrsa -out client2.key 2048

+

+openssl req -config sslconf.txt -new -key server1.key -out server1.req

+openssl req -config sslconf.txt -new -key server2.key -out server2.req

+openssl req -config sslconf.txt -new -key client1.key -out client1.req

+openssl req -config sslconf.txt -new -key client2.key -out client2.req

+

+

+    4. Issue and sign the certificates

+    ----------------------------------

+

+openssl ca -config sslconf.txt -in server1.req -out server1.crt

+openssl ca -config sslconf.txt -in server2.req -out server2.crt

+openssl ca -config sslconf.txt -in client1.req -out client1.crt

+openssl ca -config sslconf.txt -in client2.req -out client2.crt

+

+

+    5. To revoke a certificate and update the CRL

+    ---------------------------------------------

+

+openssl ca -config sslconf.txt -revoke server1.crt

+openssl ca -config sslconf.txt -revoke client1.crt

+openssl ca -config sslconf.txt -gencrl -out crl.pem

+

+

+    6. To display a certificate and verify its validity

+    ---------------------------------------------------

+

+openssl x509 -in server2.crt -text -noout

+cat test-ca.crt crl.pem > ca_crl.pem

+openssl verify -CAfile ca_crl.pem -crl_check server2.crt

+rm ca_crl.pem

+

+

+    7. To export a certificate into a .pfx file

+    -------------------------------------------

+

+openssl pkcs12 -export -in client2.crt -inkey client2.key \

+                      -out client2.pfx

+

+

+##================================================================

+##============== Example OpenSSL configuration file ==============

+##================================================================

+

+#  References:

+#

+#  /etc/ssl/openssl.conf

+#  http://www.openssl.org/docs/apps/config.html

+#  http://www.openssl.org/docs/apps/x509v3_config.html

+

+[ ca ]

+default_ca              = my_ca

+

+[ my_ca ]

+certificate             = test-ca.crt

+private_key             = test-ca.key

+database                = index

+serial                  = serial

+

+new_certs_dir           = newcerts

+default_crl_days        = 60

+default_days            = 730

+default_md              = sha1

+policy                  = my_policy

+x509_extensions         = v3_usr

+

+[ my_policy ]

+countryName             = optional

+stateOrProvinceName     = optional

+organizationName        = match

+organizationalUnitName  = optional

+commonName              = supplied

+emailAddress            = optional

+

+[ req ]

+distinguished_name      = my_req_dn

+x509_extensions         = v3_ca

+

+[ my_req_dn ]

+countryName             = Country Name..............

+countryName_min         = 2

+countryName_max         = 2

+stateOrProvinceName     = State or Province Name....

+localityName            = Locality Name.............

+0.organizationName      = Organization Name.........

+organizationalUnitName  = Org. Unit Name............

+commonName              = Common Name (required)....

+commonName_max          = 64

+emailAddress            = Email Address.............

+emailAddress_max        = 64

+

+[ v3_ca ]

+basicConstraints        = CA:TRUE

+subjectKeyIdentifier    = hash

+authorityKeyIdentifier  = keyid:always,issuer:always

+

+[ v3_usr ]

+basicConstraints        = CA:FALSE

+subjectKeyIdentifier    = hash

+authorityKeyIdentifier  = keyid,issuer

+
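Review bot: `default_md = sha1` in the `[ my_ca ]` section of the example configuration means every certificate and CRL issued by the step 4 and step 5 `openssl ca` commands is SHA-1-signed. SHA-1 is no longer collision-resistant and many current TLS stacks reject such certificates, so the example should read `default_md = sha256`. The `[ req ]` section sets no digest at all, so the CA certificate from step 2 gets whatever the local OpenSSL build defaults to; adding `default_md = sha256` there would pin it. Separately, the step 3 `openssl genrsa -out ... 2048` commands write the private keys unencrypted. A short line under that heading, such as `Note: these keys are unencrypted test keys; restrict their file permissions and do not reuse them outside testing.`, would make that explicit.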