Setting up an in-house CA with GSKit
About this task
The CA needs a private key and corresponding self-signed certificate for signing and issuing user certificates. These two items are created and kept in a PKCS #12 keystore which is created and owned by the CA itself.
Procedure
-
Create an empty keystore for the CA:
$ gsk8capicmd -keydb -create -db rootCA1.p12 -pw r1passwd -type p12The command creates an empty keystore in file "rootCA1.p12" with password "r1passwd". The "gsk8capicmd" utility can handle keystores of different formats. The option "-type p12" specifies the PKCS #12 format for the new keystore.
-
Create a root CA certificate and private key in the keystore:
$ mydn="C=US,ST=Florida,L=Anytown,O=Acme Software Inc.,OU=Database CA," $ mydn=${mydn}"CN=Database CA Root1/emailAddress=dba_ca1@acme.info" $ gsk8capicmd -cert -create -db rootCA1.p12 -pw r1passwd -label rootCA1 \ > -dn "${mydn}" -size 2048 -ca true -sigalg SHA256WithRSAAs the certificate must be a root CA certificate, the command used creates a self-signed certificate and implicitly the corresponding private key in the keystore "rootCA1.p12". To access the keystore, the password "r1passwd" is provided. The label (aka "friendly name") of the new certificate is "rootCA1". This label name is later used to refer to this certificate for further operations.
The option "-dn ..." specifies the distinguished subject name of the certificate owner. As this is a self-signed certificate, the issuer name automatically is the same as the subject name. For convenience, the longish subject name is given as the variable "${mydn}", defined by the previous two shell commands. A distinguished name consists of several fields like country, state, location, organization, organizational unit, common name, etc. The fields are composed of the field specifier, '=', and the field value string. "C=US" therefore means field "country" has the value "US". The fields are separated by comma. Note that the individual fields have a maximum length. E.g. the country field can only have two characters for the 2-letter country code.
The size of the private key is given as 2048 bit. The option "-ca true" includes the X509 version 3 extension "basicConstraints" with the attribute values "critical" and "ca = true". The option "-sigalg SHA256WithRSA" specifies the signature algorithm "SHA256WithRSASignature" to be used for the certificate. These three options ensure that the certificate is compatible with different crypto libraries, especially for newer versions.
The following command can be used to list the content of the keystore:$ gsk8capicmd -cert -list -db rootCA1.p12 -pw r1passwd Certificates found * default, - personal, ! trusted, # secret key - rootCA1The certificate with label "rootCA1" is listed as a "personal" certificate, because it is associated with its corresponding private key in the keystore.
Details on the certificate with label "rootCA1" can be obtained with this command:$ gsk8capicmd -cert -details -db rootCA1.p12 -pw r1passwd -label rootCA1 Label : rootCA1 Key Size : 2048 Version : X509 V3 Serial : 7c15e9d031ea7f9d Issuer : "CN=Database CA Root1/emailAddress\=dba_ca1@acme.info,OU=Database CA,O=Acm Subject : "CN=Database CA Root1/emailAddress\=dba_ca1@acme.info,OU=Database CA,O=Ac Not Before : November 13, 2022 8:28:24 AM CST Not After : November 14, 2023 8:28:24 AM CST Public Key 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 ... Public Key Type : RSA (1.2.840.113549.1.1.1) Fingerprint : SHA1 : 89 A0 58 49 20 71 94 C0 9F 7C 4E 2B FE 7A E3 37 E8 30 50 24 Fingerprint : MD5 : 4F 06 3C E8 43 E6 5A 7F 80 34 C1 AA A8 89 62 DA Fingerprint : SHA256 : 32 66 16 B2 F0 9E DB C9 AC 45 7D 01 D6 78 C2 62 BE 22 AA 00 5C 01 5C 98 84 E4 B9 E9 B5 0C D6 0B Fingerprint : HPKP : 09J+0fhn2zKr3z4Oy7YEq+UO72Wr/2PPHJIkKyeI060= Extensions basicConstraints ca = true critical SubjectKeyIdentifier keyIdentifier: 28 D0 B2 DD E3 F9 26 06 C9 56 76 5E 17 5E 0A 21 C4 9A 85 46 AuthorityKeyIdentifier keyIdentifier: 28 D0 B2 DD E3 F9 26 06 C9 56 76 5E 17 5E 0A 21 C4 9A 85 46 authorityIdentifier: authorityCertSerialNumber: Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11) Value 55 3F 85 B3 06 AE E8 C8 37 B7 09 35 D1 C4 15 9FAs a root CA certificate, it is self-signed. Therefore, subject name and issuer name are the same. For the same reason, the X509 version 3 extensions SubjectKeyIdentifier and AuthorityKeyIdentifier also are the same. The "Extension" named "basicConstraints" has two attributes, "ca = true" and "critical". The attribute "ca = true" makes sure that this certificate can be use to sign new certificates, as well as to validate them later. By default, the new certificate is valid for one year, beginning with the time of the certificate creation. A different validity period can be specified with the option "-expire
". However, the start time of the validity is always the time of the certificate creation. (In fact, the start time is one day earlier to avoid otherwise possible issues with different time zones.) -
Extract the root CA certificate (without private key) into a PEM file:
$ gsk8capicmd -cert -extract -db rootCA1.p12 -pw r1passwd -label rootCA1 \ > -target rootCA1.cert.pem -format asciiThe command extracts the certificate with label name "rootCA1" from the keystore file "rootCA1.p12". To access this keystore, password "r1passwd" is provided. The certificate is written in PEM format, as specified with option "-format ascii" into the file "rootCA1.cert.pem". This PEM file is later used to add the root CA certificate to the keystores of the database server and database client. When signing user certificates with this "rootCA1" keystore, the "rootCA1" certificate extracted here then should be distributed to the users together with the newly issued user certificate.