Tutorial to create a 3-level Hierarchical Trust Model
Configuration:
//copy the openssl directory to any location; here we copy it to the Desktop
//add the directory containing the openssl binary to the PATH
Linux:
export PATH=$PATH:Path_of_openssl
Windows:
go to My Computer->right-click on the My Computer icon->go to Properties->go to the
Advanced tab->go to Environment Variables->in the User variables window click New->
enter PATH as the variable name and the path of openssl/bin as the variable value.
Windows Vista:
go to My Computer->right-click on the My Computer icon->go to Properties->go to
Advanced system settings->Continue->go to the Advanced tab->go to Environment
Variables->in the User variables window click New->enter PATH as the variable
name and the path of openssl/bin as the variable value.
//create the directory hierarchy /usr/local/ssl on the C drive (i.e. C:\usr\local\ssl) and
copy the openssl.cnf file from the openssl folder into that ssl directory.
Creation of ROOT CA:
//create a directory for the ROOT CA in any location with the command below; any name
can be given, but here we use the name RootCA and create it on the Desktop.
mkdir RootCA
//check whether directory got created or not with the below command
Linux:
ls -l
Windows
dir
//go inside the directory with the below given command
cd RootCA
//make directories inside the RootCA directory with the command below, to hold the
certificates we will be generating
mkdir certs crl newcerts private
//check whether directories got created or not with the below command
Linux:
ls -l
Windows
dir
//make an empty text file named as index.txt
Linux:
vim index.txt
Windows:
edit index.txt
or
Right click in the RootCA folder somewhere and create the new file named as index.txt
//make a text file named serial and write the serial number inside it with the following command
Linux:
echo 01 > serial
Windows:
echo 01 > serial
//copy openssl.cnf file from openssl folder to RootCA folder
//generate a private key
openssl genrsa -des3 -out private/RootCA.key 1024
//create a self-signed certificate using private key
openssl req -new -x509 -nodes -sha1 -days 1825 -key private/RootCA.key -out RootCA.pem
//make the following changes in the openssl.cnf file which is inside the RootCA folder
In the openssl.cnf file change
basicConstraints = CA:FALSE to
basicConstraints = CA:TRUE
[ CA_default ]
dir = ./
certificate = $dir/RootCA.pem # The CA certificate
private_key = $dir/private/RootCA.key # The private key
Creation of CA:
//stay inside the RootCA directory and create a directory/folder for the CA; any name
can be given, but here we use the name CA
mkdir CA
//go inside the CA directory with the following command
cd CA
// copy the openssl.cnf file from openssl folder to CA folder
// make the directories inside the CA directory to keep the certificates for CA
mkdir certs crl newcerts private
//check whether directories got created or not with the below command
Linux:
ls -l
Windows
dir
//make an empty text file named index.txt
Linux:
vim index.txt
Windows:
edit index.txt
or
Right click in the CA folder somewhere and create the new file named as index.txt
//make a text file named serial and write the serial number inside it with the following command
Linux:
echo 01 > serial
Windows:
echo 01 > serial
//generate the CA key:
openssl genrsa -des3 -out private/CAKey.pem 1024
//generate a certificate signing request (the CA certificate issued from it below is valid for 1 year)
openssl req -new -sha1 -key private/CAKey.pem -out CA.csr
//copy the signing request CA.csr from the CA directory to the RootCA directory
//come out of CA directory with the help of following command
cd ..
//now you are in the RootCA directory, so sign the request using the following command
openssl ca -extensions v3_ca -days 365 -out CA.crt -in CA.csr -config openssl.cnf
//Copy CA.crt from Root CA to CA folder
//go inside the CA folder with the following command
cd CA
//make the changes suggested below in the openssl.cnf file which is inside the CA folder
[ CA_default ]
dir = ./
certificate = $dir/CA.crt # The CA certificate
private_key = $dir/private/CAKey.pem # The private key
Creation of server certificate:
//make sure you are in the CA folder and not in the Root CA
//create the private key
openssl genrsa -des3 -out server.key 1024
//generate a certificate sign request
openssl req -new -key server.key -out server.csr
//sign the request with the CA
openssl ca -config openssl.cnf -policy policy_anything -out server.crt -infiles server.csr
//export the certificate together with its private key as a PKCS#12 (.p12) file
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
//import the server.p12 file in the Personal tab of the IE certificate store.
//import the CA.crt file in the Intermediate Certification Authorities tab of the IE certificate store.
//import the RootCA.pem file in the Trusted Root Certification Authorities tab of the IE certificate store.
After importing all the certificates you will be able to see the 3-level hierarchy, as shown
below, when you view the certificate of the end user usha.
//transform the PKCS#12 file into a JKS keystore (server.jks) with Jetty's PKCS12Import class (the Jetty jar must be on the classpath)
java org.mortbay.jetty.security.PKCS12Import server.p12 server.jks
//check the content of keystore, use the following command:
keytool -v -list -keystore server.jks
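The same three-level chain as a script that checks the result without a browser; this is an added example, not part of the tutorial. It builds RootCA -> CA -> server in a temporary directory with its own minimal openssl.cnf (CA certificates get CA:TRUE, the server certificate CA:FALSE), then verifies server.crt against RootCA.pem once with CA.crt supplied and once without, which is why CA.crt must also be installed as an intermediate above. Assumptions: openssl 1.1.1 or later on PATH; keys are left unencrypted and subjects fixed with -subj so nothing prompts; 2048-bit RSA and SHA-256 stand in for the tutorial's 1024-bit keys and SHA-1, which current clients reject.

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumes openssl 1.1.1+ on PATH; keys are
# unencrypted and subjects fixed with -subj so nothing prompts; RSA-2048/SHA-256.
set -e

# Minimal openssl.cnf standing in for the tutorial's edited copy: ca_ext carries
# the "basicConstraints CA:TRUE" change, leaf_ext is what an end-entity cert gets.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
}

# Builds RootCA -> CA -> server in a scratch directory. Returns 0 only when the
# full chain verifies AND verification without CA.crt is refused.
build_hierarchy() (
    work=$(mktemp -d) && cd "$work" && write_cnf openssl.cnf
    # Level 1: self-signed root (tutorial: openssl req -new -x509 ... -out RootCA.pem)
    openssl req -new -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=RootCA" -extensions ca_ext -keyout RootCA.key -out RootCA.pem 2>/dev/null
    # Level 2: intermediate CA; its CSR is signed by the root with the CA extensions
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=CA" -keyout CAKey.pem -out CA.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in CA.csr -CA RootCA.pem -CAkey RootCA.key \
        -CAcreateserial -extfile openssl.cnf -extensions ca_ext -out CA.crt 2>/dev/null
    # Level 3: server certificate signed by the intermediate, never by the root
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=usha" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in server.csr -CA CA.crt -CAkey CAKey.pem \
        -CAcreateserial -extfile openssl.cnf -extensions leaf_ext -out server.crt 2>/dev/null
    # The check: RootCA.pem is the only trust anchor, CA.crt is the untrusted link
    openssl verify -CAfile RootCA.pem -untrusted CA.crt server.crt
    # Same leaf with the intermediate missing must fail (unable to get local issuer)
    ! openssl verify -CAfile RootCA.pem server.crt 2>/dev/null
)

build_hierarchy && echo "three-level chain verified"
```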
Creation of client certificate:
//Create directory for client
mkdir client
//Create the private key for client
openssl genrsa -des3 -out client/client.key 1024
//generate a certificate sign request
openssl req -new -key client/client.key -out client/client.csr
//sign the request with the CA
openssl ca -config openssl.cnf -policy policy_anything -out client/client.crt -infiles client/client.csr
//export the certificate together with its private key as a PKCS#12 (.p12) file
openssl pkcs12 -export -in client/client.crt -inkey client/client.key -out client/client.p12
//Generate the client keystore as follows
java org.mortbay.jetty.security.PKCS12Import ./client/client.p12 ./client/client.jks
Creating and populating a trust-store for Tomcat:
//create a keystore with a dummy key entry as follows (keytool creates the keystore file on first use)
keytool -genkey -alias dummy -keyalg RSA -keystore truststore.jks
//delete the alias dummy, to have an empty trust-store:
keytool -delete -alias dummy -keystore truststore.jks
//import our Root CA certificate (RootCA.pem) as a trusted entry with the command given below
keytool -import -v -trustcacerts -alias my_ca -file RootCA.pem -keystore truststore.jks