PKI Lab$1 Create Root CA

採用 easyrsa 來建立 PKI CA

Step by Step

• Setting vars for Root CA

  export KEY_SIZE=2048
  export CA_EXPIRE=3650
  export KEY_EXPIRE=3650
  export KEY_COUNTRY=”TW”
  export KEY_PROVINCE=”Taiwan”
  export KEY_CITY=”HsinChu”
  export KEY_ORG=”Night9 Studios”
  export KEY_EMAIL=”[email protected]“
  export KEY_OU=”www.night9.cc"
  export KEY_NAME=””
  export KEY_CN=”Night9 Local Authority Root CA”

  • Source
  • 上面的寫法參考許多現有的 Root CA 的寫法, 特別是 KEY_CN KEY_NAME
  • CA_EXPIRE KEY_EXPIRE 建議設長一點, 如果設太短, 只要 Root CA expire 底下的 key 就得全部重簽

• Create Root CA

  source ./vars
  ./build-ca
  <enter>…<enter>

• Check Root CA key and crt

  ls -la ./keys/ca.{key,crt}

• Check Root CA crt Info

  openssl x509 -in ca.crt -text -noout

• Show

  - 因為 Root CA 已經是最上層的, 沒人可以幫他驗證, 所以只能自己簽自己

Reference

• OpenSSL PKI Tutorial
• Create a Public Key Infrastructure Using the easy-rsa Scripts
• 作者：依瑪貓 http://www.imacat.idv.tw/tech/sslcerts.html.zh-tw
• How To Setup a CA
• OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation