How to set up your own Certificate Authority
===========================================


Note: this howto requires the openssl binary, as well as classic
UNIX tools (cat, touch, echo). If you use Windows, please consider
installing Cygwin -- see http://cygwin.com/


    1. Configure OpenSSL
    --------------------

First of all, create sslconf.txt in the current directory
(a basic example is provided at the end of this file).

# Replace the placeholder line with the example configuration given at the
# end of this file; the quoted "EOF" keeps the shell from expanding anything in it.
cat > sslconf.txt <<"EOF"
[paste contents here]
EOF

Then you need to create the database and a starting serial number:

# Empty certificate database (the "index" file named in sslconf.txt).
touch index
# Starting serial number; openssl ca reads this file as hex and increments it per issued certificate.
echo "01" > serial
# Directory where openssl ca stores a copy of every certificate it issues.
mkdir newcerts


    2. Generate the CA certificate
    ------------------------------

# Self-signed CA certificate valid for 3653 days (~10 years) on a fresh 2048-bit RSA key.
# Without -nodes, openssl req prompts for a passphrase and writes test-ca.key encrypted,
# which is what you want for a CA key.
# NOTE(review): RFC 5280 4.1.2.2 requires a positive serial number; -set_serial 0 is
# tolerated by most validators but is better replaced by a non-zero value.
openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
            -set_serial 0 -text -keyout test-ca.key -out test-ca.crt


    3. Generate the private keys and certificate requests
    -----------------------------------------------------

# 2048-bit RSA private keys. genrsa without -aes256/-des3 writes them unencrypted,
# so keep the .key files readable only by their owner.
openssl genrsa -out server1.key 2048
openssl genrsa -out server2.key 2048
openssl genrsa -out client1.key 2048
openssl genrsa -out client2.key 2048

# Certificate signing requests; the subject prompts come from [ my_req_dn ] in sslconf.txt.
# Enter the same Organization Name as the CA certificate: my_policy sets
# organizationName = match, so openssl ca will otherwise refuse the request.
openssl req -config sslconf.txt -new -key server1.key -out server1.req
openssl req -config sslconf.txt -new -key server2.key -out server2.req
openssl req -config sslconf.txt -new -key client1.key -out client1.req
openssl req -config sslconf.txt -new -key client2.key -out client2.req


    4. Issue and sign the certificates
    ----------------------------------

# Sign each request with the CA. Validity, signature digest and extensions come from
# [ my_ca ] in sslconf.txt (default_days, default_md, x509_extensions = v3_usr).
# openssl ca asks for confirmation before signing and then updates index and serial.
openssl ca -config sslconf.txt -in server1.req -out server1.crt
openssl ca -config sslconf.txt -in server2.req -out server2.crt
openssl ca -config sslconf.txt -in client1.req -out client1.crt
openssl ca -config sslconf.txt -in client2.req -out client2.crt


    5. To revoke a certificate and update the CRL
    ---------------------------------------------

# Mark the certificates as revoked in the index database.
openssl ca -config sslconf.txt -revoke server1.crt
openssl ca -config sslconf.txt -revoke client1.crt
# Regenerate the CRL. It expires default_crl_days (60 in the example config)
# after issue, so it must be regenerated and redistributed before then even
# if nothing new was revoked.
openssl ca -config sslconf.txt -gencrl -out crl.pem


    6. To display a certificate and verify its validity
    ---------------------------------------------------

# Print the certificate in human-readable form.
openssl x509 -in server2.crt -text -noout
# -CAfile may contain CRLs next to the CA certificate, so bundle both for the check.
cat test-ca.crt crl.pem > ca_crl.pem
# -crl_check tests only the leaf certificate against the CRL; use -crl_check_all
# to check every certificate in the chain.
openssl verify -CAfile ca_crl.pem -crl_check server2.crt
rm ca_crl.pem


    7. To export a certificate into a .pfx file
    -------------------------------------------

# Bundle certificate and private key as PKCS#12. openssl prompts for an export
# password that encrypts the bundle; treat client2.pfx like the private key itself.
openssl pkcs12 -export -in client2.crt -inkey client2.key \
                      -out client2.pfx


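##================================================================
##============== Example OpenSSL configuration file ==============
##================================================================

#  References:
#
#  /etc/ssl/openssl.cnf
#  http://www.openssl.org/docs/apps/config.html
#  http://www.openssl.org/docs/apps/x509v3_config.html

# Entry section for "openssl ca": names the section holding the CA settings.
[ ca ]
default_ca              = my_ca

# CA settings used by "openssl ca" (steps 4 and 5 of the howto).
[ my_ca ]
certificate             = test-ca.crt
private_key             = test-ca.key
# Text database of issued certificates and the next serial number (hex);
# created in step 1 with "touch index" and "echo 01 > serial".
database                = index
serial                  = serial

# A copy of every issued certificate is stored here as <serial>.pem.
new_certs_dir           = newcerts
# CRL lifetime in days; regenerate with -gencrl before it expires.
default_crl_days        = 60
# Validity of issued certificates in days (2 years).
default_days            = 730
# Signature digest for issued certificates. SHA-1 signatures are rejected by
# current browsers and by OpenSSL 3.x at its default security level, so the
# certificates produced with sha1 would fail the verify in step 6 there.
default_md              = sha256
policy                  = my_policy
x509_extensions         = v3_usr

# Subject-name policy for requests: "match" fields must equal the CA's own
# value, "supplied" fields must be present, "optional" fields may be absent.
[ my_policy ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Settings for "openssl req" (the CSRs and the self-signed CA certificate).
[ req ]
distinguished_name      = my_req_dn
# Digest for the self-signed CA certificate; OpenSSL before 1.1.0 defaulted to SHA-1.
default_md              = sha256
# Extensions applied only with "req -x509", i.e. to the CA certificate.
x509_extensions         = v3_ca

# Prompts and length limits for the subject fields.
[ my_req_dn ]
countryName             = Country Name..............
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name....
localityName            = Locality Name.............
0.organizationName      = Organization Name.........
organizationalUnitName  = Org. Unit Name............
commonName              = Common Name (required)....
commonName_max          = 64
emailAddress            = Email Address.............
emailAddress_max        = 64

# Extensions for the CA certificate. RFC 5280 requires basicConstraints to be
# critical in CA certificates and keyUsage to be present with keyCertSign
# (and cRLSign, since this CA also issues CRLs).
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

# Extensions for issued (end-entity) certificates. keyUsage and
# extendedKeyUsage are not set here; add them (e.g. extendedKeyUsage =
# serverAuth or clientAuth) if the relying application checks them.
[ v3_usr ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer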