Managing a CA

Now that you have a CA, this page will cover how to do things with it.

Initial Preparation

You'll want to adjust the policy line (under your default CA section) in your openssl.cnf. If it is set to policy_match, then every certificate you sign must match the country, state, and organizationName of your CA, and must supply a locality and commonName. If you set it to policy_anything, then the only thing required is a commonName.

Of course, in reality, you probably want to define your own policy, one which requires various fields to be present but does not require that they match your CA. Either way, set the policy line to the appropriate policy.

Additionally, make sure that x509_extensions (under your default CA section) is set to whichever section of extensions you want to give people when you sign their certificates. See the extensions page for details on what these are and which ones you might want.

Lastly, you'll probably want to set up the following aliases for ease of use:

alias cert='openssl x509 -noout -text -in'
alias req='openssl req -noout -text -in'
alias crl='openssl crl -noout -text -in'

As you'll see below, there is plenty of room for other aliases, but these will allow you to look at a certificate by typing cert foo.crt, a request by typing req foo.csr, and a CRL by typing crl foo.crl.

Signing Certificates

To sign a certificate request, dump it in your certreqs directory, and then type:

openssl ca -config openssl.cnf -infiles certreqs/foo.csr

This will print information about the foo.csr request as well as the certificate that will result if you sign it. Verify this information carefully. If you decide to sign, you will need to confirm by typing "y" and then provide the passphrase for the CA's private key.

At this point you'll have the signed certificate under the certsdb directory, named by the serial number it was given and with a .pem extension. You may deliver this to the original requester. Plain-text means are fine, since this public certificate does not need to be kept confidential.

If you are signing a certificate that needs a different set of extensions (for example, a subordinate CA), you can do:

openssl ca -config openssl.cnf -extensions v3_ca -infiles certreqs/foo.csr

And by the same token, you may choose a different policy with:

openssl ca -config openssl.cnf -policy policy_match -infiles certreqs/foo.csr

And obviously, you may use both.

Revoking a Certificate

If a key is compromised or superseded, or a certificate is otherwise no longer needed, the CA should revoke the certificate. This is done via:

openssl ca -config openssl.cnf -revoke certsdb/5FE840894254A22.pem

This will ask you for the passphrase of the CA's private key and then revoke the certificate. You can also specify a -crl_reason option giving the reason for the revocation; the reason codes openssl ca accepts are listed in its manual page.

Technically another reason, "removeFromCRL", is valid in the CRL format, but it is unsupported in openssl. An example of using one of these would be:

openssl ca -config openssl.cnf -crl_reason superseded -revoke certsdb/5FE840894254A22.pem

The options -crl_compromise and -crl_CA_compromise let you specify the time of compromise and set the CRL reason to the respective value.

Once you've revoked a certificate, be sure to update the CRL. Instructions on how to do that are below.

Creating CRLs

CRLs should be created regularly and made available to the users of your CA (and their users!). CRLs can be created without ever having revoked a certificate. However, if you revoke a certificate, a new CRL should be generated immediately.

To generate a CRL, simply do:

openssl ca -config openssl.cnf -gencrl -out crl.pem

Then publish this CRL at the URL given in your crlDistributionPoints extension.
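As an added example (not code from the original page), the following POSIX shell script runs the whole procedure described on this page end to end against a throwaway CA in a temporary directory: it writes an openssl.cnf with its own policy section (as Initial Preparation recommends) and separate usr_cert and v3_ca extension sections, signs a request, revokes the resulting certificate with -crl_reason, generates a CRL, and then checks that the CRL records the revocation and that openssl verify -crl_check rejects the certificate. It assumes only that an openssl binary is on PATH. The directory layout, the section names policy_demo and usr_cert, the subjects, and the file names (foo.csr, foo.crt, crl.pem) are constructed for the demo, and the CA key is generated without a passphrase purely so the script runs unattended. The list of reason codes comes from the openssl ca manual page, minus removeFromCRL, which the page notes is unsupported.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the page's whole cycle on a
# throwaway CA in a temporary directory (own policy and extension sections, sign
# a request, revoke it with -crl_reason, generate a CRL, confirm the CRL records
# it). Assumes only an openssl binary on PATH; every directory, subject, section
# name and serial below is constructed for this demo.
set -eu
# Reason codes openssl ca accepts for -crl_reason (from the openssl ca manual).
# removeFromCRL is left out, as the page notes it is not supported by openssl.
CRL_REASONS="unspecified keyCompromise CACompromise affiliationChanged superseded cessationOfOperation certificateHold"

is_valid_reason() {          # 0 when $1 is an accepted reason code
  for r in $CRL_REASONS; do [ "$r" = "$1" ] && return 0; done; return 1
}

make_demo_ca() {             # $1 = directory: layout, openssl.cnf, self-signed CA cert
  mkdir -p "$1/certsdb" "$1/certreqs" "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/certsdb
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_demo
x509_extensions  = usr_cert
# own policy, as the page suggests: fields must be present but need not match the CA
[ policy_demo ]
countryName      = supplied
organizationName = supplied
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
EOF
  # CA key left unencrypted (-nodes) only so the demo runs without a passphrase prompt
  openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 365 -extensions v3_ca \
    -subj "/C=XX/O=Demo CA Org/CN=Demo Root CA" -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
}

make_request() {             # $1 = CA dir, $2 = subject: writes certreqs/foo.csr
  openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1/foo.key" -out "$1/certreqs/foo.csr" >/dev/null 2>&1
}

sign_request() {             # $1 = CA dir: -batch stands in for answering "y" at the prompt
  openssl ca -config "$1/openssl.cnf" -batch -notext -in "$1/certreqs/foo.csr" -out "$1/foo.crt" >/dev/null 2>&1
}

revoke_cert() {              # $1 = CA dir, $2 = cert path, $3 = reason code
  is_valid_reason "$3" || return 1
  openssl ca -config "$1/openssl.cnf" -crl_reason "$3" -revoke "$2" >/dev/null 2>&1
}

gen_crl() {                  # $1 = CA dir: writes crl.pem
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

crl_reason_for_serial() {    # prints the reason CRL $1 records for serial $2 (nothing if absent)
  openssl crl -noout -text -in "$1" | awk -v s="Serial Number: $2" '
    /Serial Number:/ { hit = (index($0, s) > 0) }
    hit && /CRL Reason Code/ { getline; gsub(/^ +/, ""); print; exit }'
}

cert_is_revoked() {          # $1 = CA dir: 0 when verify rejects foo.crt against the CRL
  if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$1/foo.crt" >/dev/null 2>&1
  then return 1; else return 0; fi
}

run_demo() {                 # $1 = working dir: whole cycle; prints the recorded reason
  make_demo_ca "$1"
  make_request "$1" "/C=XX/O=Some Requester/CN=foo.example"
  sign_request "$1"
  revoke_cert "$1" "$1/certsdb/01.pem" superseded    # first serial issued is 01
  gen_crl "$1"
  crl_reason_for_serial "$1/crl.pem" 01
}

DEMO_DIR=$(mktemp -d)
run_demo "$DEMO_DIR"         # prints: Superseded
cert_is_revoked "$DEMO_DIR" && echo "openssl verify -crl_check now rejects foo.crt"
rm -rf "$DEMO_DIR"
```

Run it as sh demo_ca.sh. The signing step uses -in/-out instead of -infiles so the signed certificate also lands at a known path, and -batch replaces the interactive "y" confirmation; the copy under certsdb/ is still named by its serial exactly as the page describes, which is why the revoke step points at certsdb/01.pem. The awk filter only reports the reason attached to the requested serial, so with several revoked certificates in the CRL it does not pick up a neighbouring entry's reason.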