Introduction
In this article, I describe how to install the PKI (for a Linux based system).
Once installed, the PKI is made of the following main folders:
– bin: it contains the openssl binary and all the PKI scripts.
– database: it will contain the certificates, private keys, the certificate requests, the certificate chain and the CRL.
– etc: it contains the openssl configuration files which define the certificates’ and CSRs’ characteristics (fields, algorithm …)
– include: it is the standard openssl include folder (used, for instance, when you compile code that uses OpenSSL).
– lib: it is the standard openssl lib folder.
– logs: this folder will contain the logs generated by the script that checks certificate expiration.
– openssl: it is the default openssl folder to hold certificates and keys. We don’t use it.
The scripts located in the bin folder provide the following features:
– Create the root Certificate Authority
– Create intermediate Certificate Authorities (Server or User)
– Issue SSL Server Certificates
– Issue SSL Client Certificates (User)
– Issue Code Signing Certificates
– Create certificate requests for other PKIs (a commercial PKI, for instance)
– Convert certificates between DER, PEM and PKCS#12
– Renew certificates and authorities
– Revoke certificates
– Create and update the Certificate Revocation List (CRL)
Install the PKI
First of all, you can download the package here.
Then follow these steps:
– Create a folder to hold the PKI (for instance: /app)
– Copy the downloaded package (blpPKI-v1.1.tgz) to the folder you created
– Extract the archive in this folder (tar zxvf blpPKI-v1.1.tgz). This will create the PKI folder with scripts and configuration files.
Configure and initialize your PKI
1. Edit the file PKI/bin/pki.conf to set the variable APPBASE to your installation folder (/app/PKI in our example) and the file names of the Certificate Authorities that will be created: the root certificate authority (“ca” by default), the intermediate certificate authority for servers (“Server_SubCA” by default) and the intermediate certificate authority for users (“User_SubCA” by default):
# Setting Base Directory for the PKI
APPBASE=/app/PKI
# Setting PKI subdirectories
PKIDIR=$APPBASE/database
CONFDIR=$APPBASE/etc
LOGDIR=$APPBASE/logs
BINDIR=$APPBASE/bin
# Setting Root Certificate Authority filename (without extension)
CertificateAuthority=ca
ServerCertificateAuthority=Server_SubCA
UserCertificateAuthority=User_SubCA
# Setting PATH
PATH=$APPBASE/bin:$PATH
export PATH
2. Set installation folder in OpenSSL configuration files
– Run the following script from PKI/bin
#./setPKIDIR.sh
3. Set your default values for certificate fields
– Edit the file PKI/bin/setDefaultCertValues.sh
#vi setDefaultCertValues.sh
– Set your own values in the following variables (use plain single and double quotes in the shell script, not typographic ones)
# Define below your own default values
MY_COUNTRY='YourCountry'
MY_STATE='YourState'
MY_CITY='YourCity'
MY_COMPANY='YourCompany'
MY_OU='YourDepartment'
MY_EMAIL='firstname.lastname@domain.com'
MY_DOMAIN='yourcompany.org'
MY_COMMENT="OpenSSL based PKI"
For instance:
MY_COUNTRY='FR'
MY_STATE='France'
MY_CITY='Paris'
MY_COMPANY='BLP'
MY_OU='Security Department'
MY_EMAIL='firstname.lastname@le-piolot.fr'
MY_DOMAIN='le-piolot.fr'
MY_COMMENT="BLP Internal PKI"
– Run the following script from PKI/bin
#./setDefaultCertValues.sh
4. Run the initialization script from PKI/bin
#./init-ssl.sh
Creating the directories for the PKI …
Done.
Creating the log directory for the PKI …
Done.
Initializing files …
Done.
Creating random file …
16+0 records in
16+0 records out
16384 bytes (16 kB) copied, 0.00281468 s, 5.8 MB/s
Done.
Initialization Done.
5. Compile and install OpenSSL to the PKI folder
– Download the latest release of OpenSSL from http://www.openssl.org/source to a temp folder
– Extract the archive (tar zxvf openssl-1.0.1l.tar.gz)
– Compile OpenSSL with options to install it to your PKI folder (/app/PKI in our example):
./config --prefix=/app/PKI --openssldir=/app/PKI/openssl
make
make test
make install
6. For ease of use, add the PKI/bin folder to the PATH
If you’re using Ubuntu, edit /etc/environment to add the PKI bin folder (for instance: /app/PKI/bin).
7. Assign the file permissions according to your needs
You don’t need to be root to run these scripts.
However, depending on the user who extracted the archive, you may encounter errors due to incorrect file permissions.
To run these scripts as a standard user, set the correct file permissions recursively on the folder that holds the PKI (keep in mind that the database folder will hold the CA private keys, so it should not be readable by everyone).
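The following POSIX shell script is an added example, not part of the blpPKI package: a post-install check that walks through the result of steps 1 to 7 above (pki.conf readable and APPBASE pointing at an existing folder, the bin/database/etc/logs layout, the openssl binary installed under the PKI prefix, the etc/*.cnf files re-pointed at the PKI, no leftover “Your…” placeholders in setDefaultCertValues.sh, and a database folder that is writable by the current user but not world-readable). The file and variable names come from this article; the placeholder pattern and the permission rule are my own assumptions. make_sample_pki builds a constructed, throwaway layout so the check can be run offline; on a real install, call check_pki_layout /app/PKI/bin/pki.conf.

```shell
#!/bin/sh
# Post-install sanity check for the OpenSSL based PKI layout described above.
# Added example; file names (pki.conf, setDefaultCertValues.sh, etc/*.cnf,
# database) are taken from the article, the rules applied are assumptions.

# check_pki_layout <path to pki.conf>
# Prints one FAIL line per finding; returns 0 if everything looks sane, 1 otherwise.
check_pki_layout() {
    conf="$1"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: pki.conf not found: $conf"
        return 1
    fi
    # Read APPBASE without sourcing the file (sourcing would also change PATH)
    appbase=$(sed -n 's/^APPBASE=//p' "$conf" | head -n 1)
    if [ -z "$appbase" ] || [ ! -d "$appbase" ]; then
        echo "FAIL: APPBASE '$appbase' in $conf is not an existing directory"
        return 1
    fi
    # Step 4: init-ssl.sh must have created the working directories
    for d in bin database etc logs; do
        if [ ! -d "$appbase/$d" ]; then
            echo "FAIL: missing directory $appbase/$d"
            rc=1
        fi
    done
    # Step 5: the openssl built with --prefix=$APPBASE must be installed and executable
    if [ ! -x "$appbase/bin/openssl" ]; then
        echo "FAIL: $appbase/bin/openssl missing or not executable"
        rc=1
    fi
    # Step 2: every OpenSSL configuration file must reference this PKI folder
    for cnf in "$appbase"/etc/*.cnf; do
        [ -f "$cnf" ] || continue
        if ! grep -q "$appbase" "$cnf"; then
            echo "FAIL: $cnf does not reference $appbase (run setPKIDIR.sh)"
            rc=1
        fi
    done
    # Step 3: the shipped 'YourCountry' style placeholders must have been replaced
    vals="$appbase/bin/setDefaultCertValues.sh"
    if [ -f "$vals" ] && grep -q "='Your" "$vals"; then
        echo "FAIL: $vals still contains placeholder values"
        rc=1
    fi
    # Step 7: database holds the CA private keys; it must be writable by the
    # user running the scripts and nothing in it may be readable by 'others'
    if [ -d "$appbase/database" ]; then
        if [ ! -w "$appbase/database" ]; then
            echo "FAIL: $appbase/database is not writable by $(id -un)"
            rc=1
        fi
        exposed=$(find "$appbase/database" -perm -o+r | head -n 1)
        if [ -n "$exposed" ]; then
            echo "FAIL: world-readable entry under database: $exposed"
            rc=1
        fi
    fi
    return $rc
}

# make_sample_pki <base directory>
# Constructed sample layout for offline testing, not a real installation:
# creates base/PKI/{bin,database,etc,logs}, a pki.conf, a stub openssl
# binary, one .cnf pointing at the PKI and a filled-in setDefaultCertValues.sh.
# Prints the path of the generated pki.conf.
make_sample_pki() {
    base="$1/PKI"
    mkdir -p "$base/bin" "$base/database" "$base/etc" "$base/logs"
    chmod 750 "$base/database"
    printf '%s\n' '#!/bin/sh' 'echo "OpenSSL (sample stub)"' > "$base/bin/openssl"
    chmod 755 "$base/bin/openssl"
    printf 'APPBASE=%s\nPKIDIR=$APPBASE/database\nCONFDIR=$APPBASE/etc\n' "$base" > "$base/bin/pki.conf"
    printf '[ ca ]\ndir = %s/database\n' "$base" > "$base/etc/openssl.cnf"
    printf "MY_COUNTRY='FR'\nMY_STATE='France'\n" > "$base/bin/setDefaultCertValues.sh"
    echo "$base/bin/pki.conf"
}

# Stand-alone demo: build the constructed sample in a temp folder and check it
demo_dir=$(mktemp -d)
demo_conf=$(make_sample_pki "$demo_dir")
if check_pki_layout "$demo_conf"; then
    echo "sample layout OK"
else
    echo "sample layout has findings"
fi
rm -rf "$demo_dir"
```

The check deliberately reads APPBASE with sed instead of sourcing pki.conf, because sourcing it would prepend the PKI bin folder to PATH of the checking shell; the permission test uses find -perm -o+r so that a single world-readable key file anywhere under database is reported, not just the folder mode.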
and the intermediate certificate authorities for servers
It is described in the article “openssl PKI – generate certificates with intermediate CA”