OpenSSL as a CA without touching the certs/crl/index/etc environment

Question

I think I have the right OpenSSL command to sign a certificate but I\'ve gotten stuck and the tutorials I\'ve found use a different argument format (I\'m using OpenSSL 0.9.8o 01

Answer 1

I don't know of any "don't bother" options, but here is how you can setup a quick demo CA:

#!/bin/bash
CAROOT=/path/to/ca
mkdir -p ${CAROOT}/ca.db.certs   # Signed certificates storage
touch ${CAROOT}/ca.db.index      # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number

# Configuration
cat>${CAROOT}/ca.conf<<'EOF'
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = REPLACE_LATER
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf

cd ${CAROOT}

# Generate CA private key
openssl genrsa -out ca.key 1024

# Create Certificate Signing Request
openssl req -new -key ca.key  \
                 -out ca.csr       

# Create self-signed certificate
openssl x509 -req -days 10000 \
              -in ca.csr      \
              -out ca.crt     \
              -signkey ca.key

Now you can generate and sign keys:

# Create private/public key pair
openssl genrsa -out server.key 1024

# Create Certificate Signing Request
openssl req -new -key server.key \
                 -out server.csr

# Sign key
openssl ca -config ${CAROOT}/ca.conf   \
           -in server.csr              \
           -cert ${CAROOT}/ca.crt      \
           -keyfile ${CAROOT}/ca.key   \
           -out server.crt

Answer 2

Based on snow6oy's answer, here's what I did:

openssl x509 -req -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -in YourCSR.csr -out YourCert.pem

A couple optional flags that may be useful:

• -days 1095
  (The default is 30 days)

• -sha256
  (RHEL 7 defaults to SHA-1)

Answer 3

Rather than using the ca option try the x509 option with -req. You would add -CAfile to point to your authority. This will sign your certificate without adding entries to the index. There is more about using x509 as "mini CA" here.

http://www.openssl.org/docs/apps/x509.html#SIGNING_OPTIONS