Download OpenSSL.
Install it in C:\OpenSSL-Win64\bin.
For some reason, if it is installed in another location it still picks up the configuration from this location; I did not get a chance to see why, or where to modify that.
Update C:\OpenSSL-Win64\bin\openssl.cfg with the following:
HOME = C:\OpenSSL-Win64
dir = C:/OpenSSL-Win64/bin/PEM/demoCA # Where everything is kept
# For the CA policy
[ policy_match ]
countryName = match
#stateOrProvinceName = match
#organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Everything else was left at the default configuration.
Now create a few empty directories in C:\OpenSSL-Win64\bin\PEM\demoCA (the default [ CA_default ] section also names $dir/index.txt as the database and $dir/serial as the serial file; openssl ca refuses to run if either is missing, so check that both exist under demoCA as well):
certs
crl
newcerts
Follow the steps in the PKI section of:
http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html#htoc7
First we must create the CA's own key pair and certificate. The private key will be used to sign the user certificates.
> openssl req -new -x509 -keyout cakey.pem -out cacert.pem
The private key is written to cakey.pem and the certificate (which contains only the public key, never the private one) to cacert.pem. During the run you are asked for the subject information of your organization (name, country, and so on). The private key in cakey.pem is encrypted with a passphrase; the file should still be kept in a very secure place. -x509 tells req to output a self-signed certificate directly instead of a certificate request; X.509 is the standard that defines how the certificate's contents are encoded. It can be useful to export the CA certificate in DER format so that it can be loaded into your browser:
> openssl x509 -in cacert.pem -outform DER -out cacert.der
Creation of a user certificate
Now that the CA has its own key pair and certificate, suppose a user wants a certificate from it. To do so they must create a certificate request containing all the information needed for the certificate (name, country, ... and of course the user's public key). This certificate request is sent to the CA.
> openssl req -new -keyout userkey.pem -out usercert-req.pem
Note that this command creates both the key pair and the certificate request. The private key is saved in userkey.pem and the certificate request in usercert-req.pem. The CA is now ready for the next step: signing the certificate request to produce the user's certificate.
Now the CA, which is us in this case, has to sign this request:
> openssl ca -in usercert-req.pem -out usercert.pem
Using configuration from C:\OpenSSL-Win64\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 288 (0x120)
        Validity
            Not Before: May  4 00:08:25 2014 GMT
            Not After : May  4 00:08:25 2015 GMT
        Subject:
            countryName               = AU
            organizationalUnitName    = home
            commonName                = shahbaz
            emailAddress              = sknizami@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                61:92:96:99:61:C5:BC:DC:5D:48:67:84:22:FC:65:50:D8:20:12:03
            X509v3 Authority Key Identifier:
                DirName:/C=AU/ST=QLD/CN=SSLeay/rsa test CA
                serial:04
Certificate is to be certified until May  4 00:08:25 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Two things to check in that output before using the result. The Authority Key Identifier names the issuer as /C=AU/ST=QLD/CN=SSLeay/rsa test CA, serial 04: that is the demo CA certificate shipped in the demoCA directory, not the cacert.pem created above. With the default configuration openssl ca signs with $dir/cacert.pem and $dir/private/cakey.pem, while the req -x509 step wrote cakey.pem and cacert.pem to the current directory, so the freshly made CA was never used. The shipped demo key is public, so a certificate it signs proves nothing; either move the new key and certificate into those paths or pass -cert cacert.pem -keyfile cakey.pem to openssl ca, then confirm the issuer with openssl x509 -in usercert.pem -noout -issuer. The final line, unable to write 'random state', only means the .rnd seed file could not be saved and does not affect the certificate. Also note that the stateOrProvinceName from the request is gone from the subject: openssl ca drops every DN component that the policy section does not mention, which is why only the fields listed in [ policy_match ] survive.
usercert.pem is the public certificate signed by the CA. If you want to import this certificate into your browser you need to convert it to PKCS#12 format (the file then holds the private key as well, so protect it accordingly):
> openssl pkcs12 -export -in usercert.pem -inkey userkey.pem > usercert.p12
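The whole procedure above, from the demoCA layout through signing, verification and PKCS#12 export, as one script. This is an added example, not part of the page or of the tutorial it quotes: it runs on Linux/macOS with the openssl command-line tool, writes its own minimal configuration (so it does not depend on where openssl.cfg lives, the problem noted at the top of the page), and stores the CA key and certificate at the paths [ CA_default ] points to, so openssl ca really signs with the CA that was just created. All directory names, subject names and passphrases are constructed for the example; the policy_match section is the one from the page.

```shell
#!/bin/sh
# Added example (not from the page or the quoted tutorial): build a throw-away CA in the
# demoCA layout that openssl ca expects, sign one user request with it, verify the chain
# and export a PKCS#12 bundle. Paths, names and passphrases below are constructed.
set -eu

build_demo_ca() {
  work="$1"                                     # scratch directory, created if missing
  ca_dir="$work/demoCA"
  ca_pass="${CA_PASS:-example-ca-passphrase}"  # constructed; cakey.pem stays encrypted, as on the page
  mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
  # Empty directories alone are not enough: openssl ca also needs the database and serial files.
  : > "$ca_dir/index.txt"
  echo 01 > "$ca_dir/serial"

  # Self-contained config passed via -config; $ca_dir is expanded now, \$dir is left for OpenSSL.
  cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF

  # 1. CA key pair and self-signed certificate, written to the paths CA_default names, so the
  #    signing step below cannot silently fall back to some other cacert.pem.
  openssl req -new -x509 -config "$work/ca.cnf" -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/C=AU/ST=QLD/O=Example Home CA/CN=Example Root CA" \
    -passout "pass:$ca_pass" -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem"

  # 2. User key pair and certificate request (unencrypted user key, for the example only).
  #    ST is given here but will be dropped by the CA: policy_match does not list it.
  openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=AU/ST=QLD/OU=home/CN=example-user/emailAddress=user@example.invalid" \
    -keyout "$work/userkey.pem" -out "$work/usercert-req.pem"

  # 3. Sign the request. -batch answers the two y/n prompts, -passin unlocks the CA key.
  openssl ca -batch -config "$work/ca.cnf" -passin "pass:$ca_pass" -notext \
    -in "$work/usercert-req.pem" -out "$work/usercert.pem"

  # 4. Verify that the issued certificate really chains to this CA before handing it out.
  openssl verify -CAfile "$ca_dir/cacert.pem" "$work/usercert.pem" >/dev/null

  # 5. Browser-importable bundle holding certificate and private key, passphrase-protected.
  openssl pkcs12 -export -in "$work/usercert.pem" -inkey "$work/userkey.pem" \
    -passout "pass:${P12_PASS:-example-p12-passphrase}" -out "$work/usercert.p12"
}

# Issuer DN of a certificate: the check that would have caught the SSLeay test CA above.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

# Subject DN as actually issued (after the policy section has filtered the request's DN).
cert_subject() { openssl x509 -in "$1" -noout -subject; }
```

Run it as `build_demo_ca /tmp/pki && cert_issuer /tmp/pki/usercert.pem`; the issuer should print Example Root CA, and cert_subject shows the ST component from the request is absent, exactly as on the page.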