154 lines
4.4 KiB
Markdown
154 lines
4.4 KiB
Markdown
|
# Set up CA
|
|||
|
|
|||
|
## Sources:
|
|||
|
|
|||
|
- https://www.jimby.name/techbits/recent/openssl_tsa/
|
|||
|
|
|||
|
## Create directory
|
|||
|
|
|||
|
```bash
|
|||
|
# mkdir certs db private ## should already be created
|
|||
|
# chmod 700 private ## should already be set
|
|||
|
touch db/index
|
|||
|
openssl rand -hex 16 > db/serial
|
|||
|
echo ‘1001’ > db/crlnumber
|
|||
|
echo 01 > tsa_serial
|
|||
|
```
|
|||
|
|
|||
|
## Create files for certificate authority
|
|||
|
|
|||
|
Create a new private key and root CA certificate request in one step:
|
|||
|
|
|||
|
```bash
|
|||
|
openssl req -new -newkey rsa:2048 -config ./rootca.conf -out ca/root-ca.csr -keyout ca/private/root-ca.key
|
|||
|
```
|
|||
|
|
|||
|
Don’t forget the password – you’ll need it again and again below.
|
|||
|
|
|||
|
Now self-sign the certificate request.
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ca -selfsign -config ./rootca.conf -in ca/root-ca.csr -out ca/root-ca.crt -extensions ca_ext
|
|||
|
```
|
|||
|
|
|||
|
Check the certificate:
|
|||
|
|
|||
|
```bash
|
|||
|
openssl x509 -text -in ca/root-ca.crt -noout
|
|||
|
```
|
|||
|
|
|||
|
## Create certificate for timestamp
|
|||
|
|
|||
|
To proceed, we first make a key and a certificate request for a non-CA certificate. We use the -subj option so we don’t
|
|||
|
have to use a configuration file for this step. The Country (C=US) and Organization (O=Example Inc.) elements must
|
|||
|
match the root certificate.
|
|||
|
|
|||
|
```bash
|
|||
|
openssl req -new \
|
|||
|
-newkey rsa:2048 \
|
|||
|
-subj "/C=US/O=Example Inc./OU=Engineering/CN=Example Inc. TSA Responder" \
|
|||
|
-keyout ca/private/tsa.key \
|
|||
|
-out ca/tsa.csr
|
|||
|
```
|
|||
|
|
|||
|
|
|||
|
You should use a different password for the tsa.key private key.
|
|||
|
|
|||
|
Then we generate a non-CA certificate using the -extension tsa_ext command line option which points to the required
|
|||
|
extendedKeyUsage in the configuration file.
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ca -config ./rootca.conf -in ca/tsa.csr -out ca/tsa.crt -extensions tsa_ext -days 365
|
|||
|
```
|
|||
|
|
|||
|
Sign with the root-ca.key private key password, and commit to the database.
|
|||
|
|
|||
|
Examine the new TSA certificate as follows:
|
|||
|
|
|||
|
```bash
|
|||
|
openssl x509 -in ca/tsa.crt -text -noout
|
|||
|
```
|
|||
|
|
|||
|
Ensure that it has CA: false , keyUsage nonRepudiation, and extendedKeyUsage timeStamping.
|
|||
|
|
|||
|
Requests to the time stamp service usually require that the reply include the certificate chain of the service. We now create the certificate chain as follows:
|
|||
|
|
|||
|
First, extract just the PEM form of the x509 certificates for root-ca.crt and tsa.crt :
|
|||
|
|
|||
|
```bash
|
|||
|
openssl x509 -in ca/root-ca.crt -outform PEM -out ca/root-ca.pem
|
|||
|
openssl x509 -in ca/tsa.crt -outform PEM -out ca/tsa.pem
|
|||
|
```
|
|||
|
|
|||
|
Next, concatenate the two bare certificates ensuring that the root certificate is last in the file:
|
|||
|
|
|||
|
```bash
|
|||
|
cat ca/tsa.pem ca/root-ca.pem > ca/tsa-chain.pem
|
|||
|
```
|
|||
|
|
|||
|
You can verify this chain by just viewing the file:
|
|||
|
|
|||
|
```bash
|
|||
|
cat ca/tsa-chain.pem
|
|||
|
```
|
|||
|
|
|||
|
## Generate a timestamp request
|
|||
|
|
|||
|
Ok! We are now ready to create a time stamp request. First, we prepare a query:
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -query -config ./rootca.conf -cert -data /etc/hosts -out /tmp/request.tsq
|
|||
|
```
|
|||
|
|
|||
|
View the request with
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -query -in /tmp/request.tsq -text
|
|||
|
```
|
|||
|
|
|||
|
Note that since we did not request certificate checking (using the -cert option in the request command above), the text
|
|||
|
output of this command shows “Certificate required: no”. Also, note that we did not specify our own configuration
|
|||
|
file in the above example.
|
|||
|
|
|||
|
If you want to use a stronger digest algorithm, specify it on the command line (sha512 requested here):
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -query -config ./rootca.conf -data /etc/hosts -out /tmp/request.tsr -sha512
|
|||
|
```
|
|||
|
|
|||
|
## Generating a reply
|
|||
|
|
|||
|
We can now process a reply to the the request. Note that the openssl ts -reply sub-command does require a configuration
|
|||
|
file, including the all the tsa sections. In particular, it uses the tsa_policy1(2,3) options we added at the top of the file.
|
|||
|
|
|||
|
Here (and everywhere you utilize the services of the tsa.crt certificate), you must enter the password for the tsa
|
|||
|
certificate private key.
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -reply -config ./rootca.conf -queryfile /tmp/request.tsq -chain ca/tsa-chain.pem -out /tmp/response.tsr
|
|||
|
```
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -reply -config ./rootca.conf -in /tmp/response.tsr -text
|
|||
|
```
|
|||
|
|
|||
|
|
|||
|
## Verification
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Openssl can also verify the received timestamp ensuring that the data file or data digest the query was based on still
|
|||
|
applies to the current version of the file.
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -verify -queryfile /tmp/request.tsq -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
|
|||
|
```
|
|||
|
|
|||
|
The OK response ensures that the original signed timestamp is correctly authorized by the root and tsa certificates
|
|||
|
(in PEM format).
|
|||
|
|
|||
|
```bash
|
|||
|
openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
|
|||
|
```
|
|||
|
|