Initialisation of the Certification Authority

We describe here the initialisation phase of the CA. This takes place only once and special care is needed for the protection of the CA's private key.

Note: The following examples require the OpenSSL software installed on your workstation. Also, it is recommended to have the openssl application in your PATH environment variable. Possible locations for the openssl application are /usr/local/ssl/bin/ or /usr/bin/.

Generate the RSA key-pair for the CA

Use this command to generate the RSA key-pair

CA_Admin% openssl genrsa -des3 -out ca.key 2048

where genrsa is the openssl component that generates an RSA key-pair, -des3 selects triple-DES as the cipher used to encrypt the key-pair under a pass-phrase, -out ca.key gives the filename in which the key-pair is stored and 2048 means that we use 2048-bit RSA.

Executing the above command, the user is presented with the following information

1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
............................................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter pass-phrase here
Verifying password - Enter PEM pass phrase: re-enter pass-phrase here

This creates an RSA key pair which is stored in the file ca.key. The key pair is encrypted with 3DES using a pass-phrase supplied by the user during key generation. The RSA modulus N (the product of the two prime numbers) is 2048 bits long. For brevity, we say that we use 2048-bit RSA.

A sample key-pair, encrypted with a pass-phrase, can be found at the section called Sample Encrypted Private Key in PEM format (2048 bits) in Appendix B. The same key-pair without the pass-phrase encryption is at the section called Sample Private Key in PEM format (2048 bits) in Appendix B. The decoded version of the same key can be found at the section called Sample Private Key in TXT format (2048 bits) in Appendix B.

Create a self-signed CA Certificate

The self-signed CA Certificate is signed with the RSA key of the CA. The certificate will have the X.509 structure.

CA_Admin% openssl req -new -x509 -days 365 \
          -key ca.key -out ca.crt

where req is the openssl component that generates a Certificate Signing Request, -new means we want to make a new request, -x509 means that we want to produce an X.509 certificate structure instead of a certificate request, -days 365 sets for how many days the certificate will be valid, -key ca.key is the key-pair to be used and finally -out ca.crt is the filename to which the certificate will be written.

By executing the above command, we are presented with the following messages

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase: type the pass-phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Best CA Ltd
Organizational Unit Name (eg, section) []:Class 1 Public Primary Certification Authority
Common Name (eg, YOUR name) []:Best CA Ltd
Email Address []:.
CA_Admin%

This creates a self-signed certificate, called ca.crt. It is valid for one year from the date of generation. In this step, the CA Administrator has to enter the X.509 details of the CA Root Certificate.

A sample CA Certificate, in PEM format, can be found at the section called Sample CA Certificate in PEM format in Appendix B. The TXT (human-readable) version of the same certificate can be found at the section called Sample CA Certificate in TXT format in Appendix B.