Creating the Intermediate CA

Setting up an intermediate CA on Debian with OpenSSL

An intermediate CA acts as a relay between the root CA and the end-entity certificates (servers, clients, and so on). Its main purpose is to protect the root CA's private key by keeping it offline and unused as much as possible.

The intermediate CA signs the certificates and improves security: if an intermediate CA is compromised, the root CA remains intact, which limits the impact.

I create the whole directory tree:

cd CA
mkdir Intermediaire-CA
cd Intermediaire-CA
mkdir certs crl newcerts private csr
touch index.txt
echo 1000 > crlnumber
echo 1000 > serial
chmod 700 private

This gives the following tree:

CA
└── Intermediaire-CA
    ├── certs
    ├── crl
    ├── crlnumber
    ├── csr
    ├── index.txt
    ├── newcerts
    ├── openssl_intermediaire.cnf
    ├── private
    └── serial

Creating the configuration file openssl_intermediaire.cnf

openssl_intermediaire.cnf


[ ca ]                           # The default CA section
default_ca = CA_default          # The default CA name

[ CA_default ]                                           # Default settings for the intermediate CA
dir               = /home/flo/CA/Intermediaire-CA          # Intermediate CA directory
certs             = $dir/certs                           # Certificates directory
crl_dir           = $dir/crl                             # CRL directory
new_certs_dir     = $dir/newcerts                        # New certificates directory
database          = $dir/index.txt                       # Certificate index file
serial            = $dir/serial                          # Serial number file
RANDFILE          = $dir/private/.rand                   # Random number file
private_key       = $dir/private/Intermediaire-CA.key.pem    # Intermediate CA private key
certificate       = $dir/certs/Intermediaire-CA.cert.pem     # Intermediate CA certificate
crl               = $dir/crl/intermediaire.crl.pem        # Intermediate CA CRL
crlnumber         = $dir/crlnumber                       # Intermediate CA CRL number
crl_extensions    = crl_ext                              # CRL extensions
default_crl_days  = 30                                   # Default CRL validity days
default_md        = sha256                               # Default message digest
preserve          = no                                   # Preserve existing extensions
email_in_dn       = no                                   # Exclude email from the DN
name_opt          = ca_default                           # Formatting options for names
cert_opt          = ca_default                           # Certificate output options
policy            = policy_loose                         # Certificate policy

[ policy_loose ]                                         # Policy for less strict validation
countryName             = optional                       # Country is optional
stateOrProvinceName     = optional                       # State or province is optional
localityName            = optional                       # Locality is optional
organizationName        = optional                       # Organization is optional
organizationalUnitName  = optional                       # Organizational unit is optional
commonName              = supplied                       # Must provide a common name
emailAddress            = optional                       # Email address is optional

[ req ]                                                  # Request settings
default_bits        = 2048                               # Default key size
distinguished_name  = req_distinguished_name             # Default DN template
string_mask         = utf8only                           # UTF-8 encoding
default_md          = sha256                             # Default message digest
x509_extensions     = v3_intermediaire_ca                 # Extensions for intermediaire CA certificate
prompt              = no                                 # Take the DN from req_distinguished_name, do not prompt

[ req_distinguished_name ]                               # Template for the DN in the CSR
countryName                     = FR
stateOrProvinceName             = France
localityName                    = France
0.organizationName              = Flodocs
organizationalUnitName          = Flodocs
commonName                      = Flodocs Intermediaire CA
emailAddress                    = test@test.fr

[ v3_intermediaire_ca ]                                      # Intermediate CA certificate extensions
subjectKeyIdentifier = hash                                 # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer                # Authority key identifier
basicConstraints = critical, CA:true, pathlen:0             # Basic constraints for a CA
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA

[ crl_ext ]                                                 # CRL extensions
authorityKeyIdentifier=keyid:always                         # Authority key identifier

[ server_cert ]                                             # Server certificate extensions
basicConstraints = CA:FALSE                                 # Not a CA certificate
nsCertType = server                                         # Server certificate type
keyUsage = critical, digitalSignature, keyEncipherment      # Key usage for a server cert
extendedKeyUsage = serverAuth                               # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
authorityKeyIdentifier = keyid,issuer                       # Authority key identifier linking the certificate to the issuer's public key.
subjectAltName = @alt_names                                 # Include SAN extension with alt names

[ alt_names ]                                               # Placeholders: replace with the server's real values
IP.1 = IP                                                   # the server's IP address
DNS.1 = FQDN                                                # the server's fully qualified domain name

Generating the RSA private key

openssl genrsa -aes256 -out ~/CA/Intermediaire-CA/private/Intermediaire-CA.key.pem 4096
Enter PEM pass phrase: mdp
Verifying - Enter PEM pass phrase: mdp


chmod 400 ~/CA/Intermediaire-CA/private/Intermediaire-CA.key.pem

Generating a certificate signing request (CSR)

openssl req -config ~/CA/Intermediaire-CA/openssl_intermediaire.cnf -key ~/CA/Intermediaire-CA/private/Intermediaire-CA.key.pem -new -sha256 -out ~/CA/Intermediaire-CA/csr/Intermediaire-CA.csr.pem

Signing the certificate with the root CA (creating the intermediate CA certificate)

The intermediate CA should have a shorter validity period than the root CA.

openssl ca -config ~/CA/Racine-CA/openssl_racine.cnf -extensions v3_intermediaire_ca -days 3650 -notext -md sha256 -in ~/CA/Intermediaire-CA/csr/Intermediaire-CA.csr.pem -out ~/CA/Intermediaire-CA/certs/Intermediaire-CA.cert.pem


Using configuration from /home/flo/CA/Racine-CA/openssl_racine.cnf
Enter pass phrase for /home/flo/CA/Racine-CA/private/Racine-CA.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Feb  5 19:21:25 2025 GMT
            Not After : Feb  3 19:21:25 2035 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            organizationName          = Flodocs
            organizationalUnitName    = Flodocs
            commonName                = Flodocs Intermediaire CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                15:D8:00:1B:A4:3A:8E:41:FE:98:AC:73:74:6C:A4:DA:39:B5:8D:74
            X509v3 Authority Key Identifier:
                48:05:B0:E6:D4:1D:69:C9:12:65:D1:5C:75:AF:0B:EE:01:22:A1:13
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Feb 3 19:21:25 2035 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated


chmod 444 ~/CA/Intermediaire-CA/certs/Intermediaire-CA.cert.pem

The signing CA's index.txt file (here Racine-CA/index.txt) is where OpenSSL keeps its certificate database. Do not delete or edit this file by hand. It should now contain one line referring to the intermediate certificate:

Racine-CA/index.txt

V       350514192125Z           1000    unknown /C=FR/ST=France/O=Flodocs/OU=Flodocs/CN=Flodocs Intermediaire CA
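As an added end-to-end example (not code from the original page), the shell script below replays the procedure above non-interactively in a temporary directory: it builds the same directory layout, writes a minimal config, creates a root CA, issues the intermediate with the v3_intermediaire_ca profile, and then runs the checks worth doing after signing. It goes one step further than the page by also creating a sub-CA under the intermediate and a server certificate under that sub-CA, to show that pathlen:0 is enforced by `openssl verify`, not by `openssl ca` at signing time. Names such as Demo Root CA, direct.example.test and the helper functions are assumptions. One caveat the script makes explicit: `openssl ca -config X -extensions S` reads section S from X, the signing CA's config (the root's openssl_racine.cnf on this page), not from the requester's file, so the section must be present there.

```sh
# Added example, not code from the original page: builds a throwaway root CA and an
# intermediate CA in a temporary directory with no prompts, then checks the result the
# way you would after the real signing step. Assumes `openssl` is in PATH. Keys are
# left unencrypted only to avoid passphrase prompts; keep -aes256 for a real CA key.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/Racine-CA"; INTER="$WORK/Intermediaire-CA"; SUB="$WORK/Sub-CA"

# Same layout as the page: certs/ crl/ newcerts/ private/ csr/, index.txt, serial, crlnumber
init_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" "$1/csr"
    chmod 700 "$1/private"
    touch "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
}
# Minimal config for the CA in directory $1 with common name $2. Every extension section goes
# into every file: `openssl ca -config X -extensions S` reads S from X, the signing CA's config.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/ca.key.pem
certificate = \$dir/certs/ca.cert.pem
default_md = sha256
policy = policy_loose
[ policy_loose ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = $2
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediaire_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# Key and CSR for the CA in $1, signed by the CA in $2 with the pathlen:0 CA profile
sign_sub_ca() {
    openssl genrsa -out "$1/private/ca.key.pem" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -key "$1/private/ca.key.pem" -new -sha256 -out "$1/csr/ca.csr.pem"
    openssl ca -batch -config "$2/openssl.cnf" -extensions v3_intermediaire_ca -days 3650 \
        -notext -md sha256 -in "$1/csr/ca.csr.pem" -out "$1/certs/ca.cert.pem"
}
# Server certificate for hostname $2 issued by the CA in $1, written to $3
issue_leaf() {
    openssl genrsa -out "$3.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -key "$3.key" -new -sha256 -subj "/CN=$2" -out "$3.csr"
    openssl ca -batch -config "$1/openssl.cnf" -extensions server_cert -days 365 \
        -notext -md sha256 -in "$3.csr" -out "$3"
}
build_pki() {
    [ -f "$WORK/leaf2.pem" ] && return 0   # already built
    for d in "$ROOT" "$INTER" "$SUB"; do init_ca_dir "$d"; done
    write_cnf "$ROOT" "Demo Root CA"; write_cnf "$INTER" "Demo Intermediaire CA"; write_cnf "$SUB" "Demo Sub CA"
    openssl genrsa -out "$ROOT/private/ca.key.pem" 2048 2>/dev/null
    openssl req -config "$ROOT/openssl.cnf" -key "$ROOT/private/ca.key.pem" -new -x509 -days 7300 \
        -sha256 -extensions v3_ca -out "$ROOT/certs/ca.cert.pem"
    sign_sub_ca "$INTER" "$ROOT"   # the step the page performs
    sign_sub_ca "$SUB" "$INTER"    # also succeeds: openssl ca does not enforce pathlen when signing
    issue_leaf "$INTER" "direct.example.test" "$WORK/leaf1.pem"
    issue_leaf "$SUB" "nested.example.test" "$WORK/leaf2.pem"
}
# Checks to run after signing: the chain, the constraint, and what pathlen:0 actually buys
verify_intermediate() {
    openssl verify -CAfile "$ROOT/certs/ca.cert.pem" "$INTER/certs/ca.cert.pem" >/dev/null
}
inter_has_pathlen0() {
    openssl x509 -in "$INTER/certs/ca.cert.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
leaf_under_inter_ok() {
    openssl verify -CAfile "$ROOT/certs/ca.cert.pem" -untrusted "$INTER/certs/ca.cert.pem" "$WORK/leaf1.pem" >/dev/null
}
leaf_under_subca_rejected() {   # relying parties refuse anything below an extra CA under pathlen:0
    cat "$INTER/certs/ca.cert.pem" "$SUB/certs/ca.cert.pem" > "$WORK/untrusted.pem"
    ! openssl verify -CAfile "$ROOT/certs/ca.cert.pem" -untrusted "$WORK/untrusted.pem" "$WORK/leaf2.pem" >/dev/null 2>&1
}
root_db_lists_intermediate() {   # the signing CA's index.txt now holds a V (valid) line for it
    grep -q '^V.*CN=Demo Intermediaire CA' "$ROOT/index.txt"
}

build_pki >/dev/null 2>&1
verify_intermediate && inter_has_pathlen0 && leaf_under_inter_ok && leaf_under_subca_rejected \
    && root_db_lists_intermediate && echo "intermediate CA checks passed (pathlen:0 enforced by verify)"
```

Run it with sh; everything lives under a mktemp directory that is removed on exit. The last check looks for the `V` line in the signing CA's index.txt, which is exactly what the Racine-CA/index.txt excerpt above records after the real signing.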