I’m currently studying for my CS finals so I’ll make this brief.
Alice likes to buy things from Bob’s website. However there are many impersonators out there pretending to be Bob who are more than happy to take Alice’s money. Alice and Bob both trust Charlie. Charlie doesn’t like the situation Alice and Bob are in so he decides to become a Certificate Authority (CA).
Charlie soon realizes that becoming a CA is actually quite easy and involves typing a few commands into a terminal. Because Charlie is very organized, he begins by creating 3 directories:
charlie$ mkdir keys csrs certs
First Charlie generates a 2048-bit RSA key:
charlie$ openssl genrsa -aes128 -out keys/charlie.key 2048
Next Charlie creates a certificate signing request:
charlie$ openssl req -new -key keys/charlie.key -out csrs/charlie.csr
Charlie then responds to his own certificate signing request by creating and signing his own certificate:
charlie$ openssl x509 -req -days 365 -in csrs/charlie.csr -signkey keys/charlie.key -out certs/charlie.crt
Charlie now has the following files: a key, a certificate signing request (CSR), and a cert which is valid for the next 365 days. Charlie can now delete the CSR if he wants, since he now has his shiny new cert, although he might want to keep it for when he’ll need to create a new certificate in a years time. Charlie is almost in business. There’s just one more step. Since he’ll be making lots of certificates and issuing them to lots of people and legal entities, he’ll need a way of keeping track of the serial number he gives each certificate, to ensure he doesn’t use the same serial number twice.
Since the self-signed certificate Charlie just created is his first, it makes sense that if his next one is his own plus one, they’ll be easy to track, and he’ll have an easy way of counting how many certificates he’s issued. Charlie creates a file called
certs/charlie.srl, which contains his own cert’s serial number:
charlie$ echo $(openssl x509 -in certs/charlie.crt -noout -text | egrep Serial -A1 | tail -n1 | sed -e 's/[^a-f0-9]//g') > certs/charlie.srl
This file will be looked after by OpenSSL and incremented every time Charlie creates a new certificate. Charlie is now a CA! Bob now wants to get certified by Charlie. Bob is also very organized and makes some directories to organise his work:
bob$ mkdir keys csrs certs
Bob generates a 2048-bit RSA key:
bob$ openssl genrsa -aes128 -out keys/bob.key 2048
Next Bob creates a CSR:
bob$ openssl req -new -key keys/bob.key -out csrs/bob.csr
Bob sends the CSR to Charlie. Charlie now creates the certificate:
charlie$ openssl x509 -req -in csrs/bob.csr -CA certs/charlie.crt -CAkey keys/charlie.key -out certs/bob.crt
Charlie sends the cert to Bob and Alice can now reliably identify Bob! Next time Alice visits Bob’s website, she downloads his certificate and checks that it is indeed Bob:
alice$ openssl x509 -in certs/bob.crt -noout -text