0

I have set the directory in the /etc/ssl/openssl.cnf file but every time I issue the command 

openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 3650

it places the files in the root directory of the directory I'm working in.

[ CA_default ]

dir     = /home/will/myCA   # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject = no            # Set to 'no' to allow creation of
                    # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

If the directories were working I should expect this

Generating a 2048 bit RSA private key
.................................+++
.................................................................................................+++
writing new private key to '/home/will/myCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

writing new private key to '/home/will/myCA/private/cakey.pem'

I have upgraded my version of OpenSSL directly from the website using the binaries and is now installed under /etc/local/ssl. Unfortunately I still don't understand why the files I am generating with OpenSSL are not being sorted into folders/directories.

Does anybody know why the default directories are not working?

Many thanks

Will

UPDATE 11:00 30/05/2019

I have ran the command 

openssl req -x509 -newkey rsa:4096 -days 3650

but it just prints the key inside the terminal window and doesn't output to a file.

I added -noout to the command but the file has saved it saved itself at ~privkey.pem and not in the direcory I set in the openssl.cnf file /home/will/demoCA.

I have noticed the file is saved in the working directory that terminal is open in.

using the command openssl version -d is shows the default location of the configuration file I set the directories in OPENSSLDIR: "/usr/local/ssl"

Improve this question
4
  • Aren't you explicitly specify the output files with -keyout cakey.pem -out cacert.pem? Commented May 30, 2019 at 9:29
  • Yes My first command I issued was 'openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem -days 3650'. I was expecting the cakey.pem to stay in the root directory and the cakey.pem to go into the 'private' directory. Commented May 30, 2019 at 9:44
  • @muru so instead I would have to use something like this 'openssl req -x509 -newkey rsa:4096 -days 3650'?? Commented May 30, 2019 at 9:47
  • 1
    Oh, wait. Your config file has [ CA_defaults ]. That's for the openssl ca command. openssl req config goes in the [req] section. See phildev.net/ssl/opensslconf.html Commented May 30, 2019 at 10:19

1 Answer 1

Reset to default
1

The files pointed to by [ CA_defaults ] are used internally by the openssl ca command.

If you look inside the new_certs_dir you would see all certificates signed by the CA when using the openssl ca command, with filenames consisting of the certificate serial number with .pem appended.

As you're using openssl req those files aren't used.

The man page for the req command has this to say:

-out filename

This specifies the output filename to write to or standard output by default.

It will therefore write to the filename given, and located in the directory from which you're running the command; or it will write to standard output.

-keyout filename

This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.

This will write to the filename given, again located in the directory from which you're running the command; or it will write to the filename given in the default_keyfile option (under [ req ] of course).

In both cases, you could give the absolute path to the files in your commands if you don't want them placed in the current directory.

The structure you've configured in the .conf file will work when you use the openssl ca command to sign a request from a subordinate (CA or end-entity). However to get it to the stage where you can sign certificates, it needs the CA certificate and key in place. Your openssl req command generates those. To get sensible values in the CA certificate you need to add more to your .conf file.

Something similar to the following should get you started:

[ req ]

# Don't prompt for the DN, use configured values instead
# This saves having to type in your DN each time.

prompt             = no
string_mask        = default
distinguished_name = req_dn

# The size of the keys in bits:
default_bits       = 4096

[ req_dn ]

countryName            = GB
stateOrProvinceName    = Somewhere
organizationName       = Example
organizationalUnitName = PKI
commonName             = Example Test Root CA

[ ca_ext ]

# Extensions added to the request

basicConstraints =  critical, CA:TRUE
keyUsage =          critical, keyCertSign, cRLSign

Create the CA certificate with a slightly modified version of your previous command:

openssl req -x509 -newkey rsa:4096 -keyout /home/will/myCA/private/cakey.pem -out /home/will/myCA/cacert.pem -days 3650 -nodes -config <path-to>/openssl.cnf -extensions ca_ext

Note: you only need the -config option if you're not using/editing the default config file.

If everything works, you'll have the correct certificate and key in place for your CA config above. Before you can sign any certificates with the openssl ca command, you'll need to make sure index.txt exists and create serial with an initial serial number (such as 01).

OpenSSL is the Swiss-Army knife of crypto therefore has many options. Unfortunately, reading the man pages is the only way to get to understand it.

Improve this answer
1
  • Mind me asking so I can get this correct how do you I organise all the files and folders properly? I'm trying to create my own CA which will be used to sign other certificates and I don't want all of the files scattered across the root directory that I working from. In regards to your reply, is the CA_DEFAULTS section there to point newly signed certificates to the CA root certificate and private key? Commented May 30, 2019 at 16:34

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.