OpenSSL Environment for Certificate Management

After building and installing OpenSSL, but before using it to manage certificates, it is necessary to:
  1. Create the directory structure needed to manage certificates
  2. Modify the OpenSSL configuration file appropriately

Creating the Directory Structure for Managing Certificates

Once OpenSSL has been installed in the $SSLDIR directory (e.g. /opt/openssl), it is necessary to create the directories used for certificate management and to initialize both the certificate serial number counter and the certificate "database" file (index.txt). The scripts and instructions in this cookbook assume that this environment has been established as follows:
mkdir ${SSLDIR}/certs
mkdir ${SSLDIR}/crl
mkdir ${SSLDIR}/newcerts
mkdir ${SSLDIR}/private
echo "01" > ${SSLDIR}/serial
touch ${SSLDIR}/index.txt
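The same layout as an added example that is not part of the cookbook: a POSIX shell script that creates the directories and files listed above, restricts private/ (where the CA_default section below keeps CAkey.pem) to mode 700, never overwrites an existing serial or index.txt, and checks the result. SSLDIR is assumed to be set by the caller; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the cookbook: build the CA directory layout it
# assumes, lock down private/ and verify the result. Function names are ours;
# SSLDIR (e.g. /opt/openssl) is expected to be set by the caller.

# setup_ca_dirs SSLDIR: create the layout; safe to re-run on a live CA because
# an existing serial or index.txt is never overwritten (doing so would make
# "openssl ca" reuse serial numbers it has already issued).
setup_ca_dirs() {
    ssldir="$1"
    [ -n "$ssldir" ] || { echo "usage: setup_ca_dirs SSLDIR" >&2; return 2; }
    for d in certs crl newcerts; do
        mkdir -p "$ssldir/$d" || return 1
    done
    # CAkey.pem lives here: only the CA operator's account may enter it.
    mkdir -p "$ssldir/private" && chmod 700 "$ssldir/private" || return 1
    [ -f "$ssldir/serial" ] || echo "01" > "$ssldir/serial"
    [ -f "$ssldir/index.txt" ] || : > "$ssldir/index.txt"
}

# check_ca_dirs SSLDIR: print one line per problem; the return value is the
# number of problems, so 0 means the layout is ready for "openssl ca".
check_ca_dirs() {
    ssldir="$1"; n=0
    for d in certs crl newcerts private; do
        [ -d "$ssldir/$d" ] || { echo "missing directory: $ssldir/$d"; n=$((n + 1)); }
    done
    for f in serial index.txt; do
        [ -f "$ssldir/$f" ] || { echo "missing file: $ssldir/$f"; n=$((n + 1)); }
    done
    if [ -d "$ssldir/private" ]; then
        # GNU stat first, BSD/macOS stat as the fallback.
        mode=$(stat -c %a "$ssldir/private" 2>/dev/null || stat -f %Lp "$ssldir/private")
        [ "$mode" = 700 ] || { echo "private/ is mode $mode, expected 700"; n=$((n + 1)); }
    fi
    # The serial file must hold a hex number; "01" is the cookbook's start value.
    if [ -f "$ssldir/serial" ] && ! grep -Eqx '[0-9A-Fa-f]+' "$ssldir/serial"; then
        echo "serial does not contain a hex number"; n=$((n + 1))
    fi
    return $n
}

# Usage: SSLDIR=/opt/openssl; setup_ca_dirs "$SSLDIR" && check_ca_dirs "$SSLDIR"
```

Run check_ca_dirs again after the CA key has been generated: it is the mode of private/ that keeps CAkey.pem away from other local accounts, and a later umask change or a careless chmod silently undoes that.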

Modifying the OpenSSL Configuration File

The OpenSSL configuration file (openssl.cnf) has multiple sections, each used for a different purpose. The sections include the following:
  ca, CA_default: define the certificate authority configuration
  policy_match, policy_anything: define different request signing policies
  req, req_distinguished_name, req_attributes: define request defaults
These configuration sections must be updated before the certificate authority can be used, in particular the "dir" entry in the certificate authority section, which defines where everything is kept and should be set to $SSLDIR.

Certificate Authority Configuration Section

OpenSSL Configuration File: Certificate Authority Configuration Section
RANDFILE		= /opt/openssl/.rand

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /opt/openssl		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl			# Where the issued crl are kept
database		= $dir/index.txt		# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/private/CAcert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl/crl.pem 		# The current CRL (inside crl_dir)
private_key	= $dir/private/CAkey.pem	# The private key
RANDFILE		= $dir/private/.rand	# private random number file

x509_extensions		= x509v3_extensions	# The extensions to add to the cert
default_days		= 365		# how long to certify for
default_crl_days	= 30			# how long before next CRL
default_md	= md5			# which md to use.
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

Certificate Request Policy Section

The policy sections of the configuration file define the certificate request signing policies. The examples here include the most lenient policy ("policy_anything") and a stricter policy ("policy_match") which restricts the values of certificate fields. The policy named in the CA section is consulted when deciding whether to sign a certificate request. "Match" means that the value of the field in the request must match the value in the CA certificate, or the request will not be signed. "Optional" means that the field need not be present, while "supplied" means that it must be present in the certificate request.
OpenSSL Configuration File: Certificate Policy Section
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
localityName	= match
organizationName	= match
organizationalUnitName	= match
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

Certificate Request Defaults Section

The "req" section of the configuration file is used when creating certificate requests, and supplies defaults and length limits for the various distinguished name fields. Some of these fields (e.g. commonName) will be different for each certificate request, while others will use the default (e.g. countryName). In our examples the "req" section has the following configuration:
OpenSSL Configuration File: Certificate Request Section
[ req ]
default_bits		= 512
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= DE
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= NRW

localityName			= Locality Name (eg, city)
localityName_default		= Dummsdorf

organizationName		= Organization Name (eg, company)
organizationName_default	= PSEUDONYM.ORG

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Doku-Projekt

commonName			= Common Name (eg, YOUR name)
commonName_default		= www.pseudonym.org
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40
emailAddress_default		= hirntod@www.pseudonym.org

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
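The three configuration sections above (CA_default, the policy sections and req) as an added example that is not part of the cookbook: a POSIX shell script that reads an openssl.cnf, resolves the "$dir/..." paths in CA_default the way OpenSSL does, and reports settings that would break the CA (a crl path outside crl_dir, a key outside private/, a policy section that does not exist or does not require commonName) or weaken it (default_md set to md5 or sha1, default_bits below 2048). The sections and keys are the ones the cookbook shows; the thresholds, the function names and the embedded sample file are this example's own, and the sample deliberately contains a mistyped crl path, md5 and a 512-bit default so that the checks have something to find.

```shell
#!/bin/sh
# Added example, not part of the cookbook: read an openssl.cnf, resolve the
# "$dir/..." paths of [ CA_default ] the way OpenSSL does, and report settings
# that would break or weaken the CA. Sections and keys are those the cookbook
# shows; the thresholds (sha256 or stronger, keys of at least 2048 bits) are
# this script's own choice.

# cnf_get SECTION KEY FILE: print the value of KEY inside [ SECTION ] with the
# trailing "# comment" removed; print nothing if the key is absent.
cnf_get() {
    awk -v sect="$1" -v key="$2" '
        /^[ \t]*\[/ {                                  # [ section ] header
            s = $0; sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*].*$/, "", s)
            cur = s; next
        }
        cur == sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)        # drop "key ="
            sub(/[ \t]*#.*$/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$3"
}

# expand_dir VALUE DIR: substitute a leading "$dir/" as OpenSSL would.
expand_dir() {
    case "$1" in
        '$dir'/*) printf '%s/%s\n' "$2" "${1#\$dir/}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# check_ca_cnf FILE: one line per finding; the return value is the count.
check_ca_cnf() {
    cnf="$1"; n=0
    dir=$(cnf_get CA_default dir "$cnf")
    [ -n "$dir" ] || { echo "CA_default: dir is not set"; n=$((n + 1)); }
    for k in certs crl_dir new_certs_dir database serial certificate private_key crl; do
        [ -n "$(cnf_get CA_default "$k" "$cnf")" ] ||
            { echo "CA_default: $k is not set"; n=$((n + 1)); }
    done
    # "openssl ca -gencrl" writes wherever crl points; a mistyped directory in
    # that path only surfaces when the first CRL is generated.
    crl_dir=$(expand_dir "$(cnf_get CA_default crl_dir "$cnf")" "$dir")
    crl=$(expand_dir "$(cnf_get CA_default crl "$cnf")" "$dir")
    if [ -n "$crl" ] && [ "${crl%/*}" != "$crl_dir" ]; then
        echo "CA_default: crl ($crl) is not inside crl_dir ($crl_dir)"; n=$((n + 1))
    fi
    # The cookbook keeps the CA key in private/, the one directory meant to be
    # readable by the CA operator alone; elsewhere it may be readable by anyone.
    key=$(expand_dir "$(cnf_get CA_default private_key "$cnf")" "$dir")
    if [ -n "$key" ] && [ "${key%/*}" != "$dir/private" ]; then
        echo "CA_default: private_key ($key) is outside $dir/private"; n=$((n + 1))
    fi
    case "$(cnf_get CA_default default_md "$cnf")" in
        md2|md4|md5|sha|sha1)
            echo "CA_default: default_md is a broken hash; use sha256 or stronger"
            n=$((n + 1)) ;;
    esac
    # The signing policy must name an existing section that requires commonName.
    pol=$(cnf_get CA_default policy "$cnf")
    if [ "$(cnf_get "$pol" commonName "$cnf")" != supplied ]; then
        echo "CA_default: policy section '$pol' is missing or does not require commonName"
        n=$((n + 1))
    fi
    bits=$(cnf_get req default_bits "$cnf")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "req: default_bits=$bits is too small; use 2048 or more"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample so the script runs stand-alone: it mirrors the cookbook's
# layout but deliberately has a mistyped crl path, md5 signatures and 512-bit
# keys. Real use: check_ca_cnf /opt/openssl/openssl.cnf
write_sample_cnf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = /opt/openssl          # Where everything is kept
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/private/CAcert.pem
serial          = $dir/serial
crl             = $dir/clr/crl.pem      # mistyped: clr instead of crl
private_key     = $dir/private/CAkey.pem
default_md      = md5
policy          = policy_match
[ policy_match ]
commonName      = supplied
[ req ]
default_bits    = 512
EOF
    printf '%s\n' "$f"
}
```

cnf_get only handles the "$dir/..." form the cookbook uses, not "${dir}" or values spanning lines, so treat it as a pre-flight check before the first "openssl ca" run rather than a full parser; a non-zero return from check_ca_cnf is the signal to stop and edit openssl.cnf.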

I found a better "openssl.conf" with different sections. You can select the section with the option "-name" or you change the x509_extensions variable.