Implementing a Simple PKI with OpenSSL

This project demonstrates a basic PKI setup with a Root CA, an Intermediate CA and a
Server Certificate using OpenSSL.
Step 1: Create a directory structure:
mkdir pki
cd pki
mkdir -p root-ca/private root-ca/certs
mkdir -p intermediate-ca/private intermediate-ca/csr intermediate-ca/certs
mkdir -p server/private server/csr server/certs
mkdir certs

Explanation:
- The private, csr and certs subdirectories are the paths that the later steps write
keys, certificate signing requests and certificates to, so they must exist before
those commands run.

Step 2: Generate the Root CA private key:

openssl genrsa -aes256 -out root-ca/private/ca.key 4096

Explanation:
- openssl genrsa: This command generates a new RSA private key.
- -aes256: Encrypts the private key with AES-256; OpenSSL prompts for a passphrase,
which must be supplied again whenever the key is used for signing.
- -out root-ca/private/ca.key: Specifies the output file for the private key.
- 4096: Sets the key size to 4096 bits (recommended for strong security).

Step 3: Generate the Root CA certificate:

openssl req -x509 -new -key root-ca/private/ca.key -out root-ca/certs/ca.crt \
    -subj "/C=US/ST=Virginia/L=Ashburn/O=Your Organization Name/CN=Root CA" \
    -days 3650

Explanation:
- openssl req: This command creates and processes certificate requests.
- -x509: Outputs a self-signed certificate instead of a request; this is how the
Root CA certificate is created.
- -new: Indicates a new certificate is being generated.
- -key root-ca/private/ca.key: Specifies the Root CA private key.
- -out root-ca/certs/ca.crt: Specifies the output file for the Root CA certificate.
- -subj: Defines the subject information for the certificate.
- -days 3650: Sets the certificate validity period to 10 years.

Step 4: Generate the Intermediate CA private key:

openssl genrsa -aes256 -out intermediate-ca/private/intermediate.key 4096

Step 5: Generate the Intermediate CA certificate:

openssl req -new -key intermediate-ca/private/intermediate.key \
    -out intermediate-ca/csr/intermediate.csr \
    -subj "/C=US/ST=Virginia/L=Ashburn/O=Your Organization Name/CN=Intermediate CA"
openssl ca -config root-ca/openssl.cnf -in intermediate-ca/csr/intermediate.csr \
    -out intermediate-ca/certs/intermediate.crt -days 3650

Explanation:
- We first generate the private key for the Intermediate CA.
- Then, we create a CSR for the Intermediate CA.
- Finally, we use the Root CA private key and configuration file (root-ca/openssl.cnf)
to sign the CSR and issue the Intermediate CA certificate. openssl ca takes the CA key,
CA certificate, serial file, index database and signing policy from that configuration
file, so it must exist before this step, and the extension section it applies must set
basicConstraints to CA:TRUE; otherwise the issued certificate is an ordinary end-entity
certificate and cannot sign the Server certificate in Step 7.
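As an added example (not the document's own code), the following script supplies a minimal root-ca/openssl.cnf of the kind the openssl ca command in Step 5 requires and runs Steps 2 to 5 end to end, issuing the Intermediate CA certificate with CA:TRUE and pathlen:0 and verifying it against the root. Keys are generated without -aes256 so that it runs unattended; the $PKI working directory, the function names and the v3_intermediate section name are assumptions of this example. The same configuration pattern, with a section whose basicConstraints is CA:FALSE and which adds a subjectAltName, serves as intermediate-ca/openssl.cnf for Step 7.

```shell
#!/bin/sh
# Added example, not part of the document: the root-ca/openssl.cnf that Step 5's
# "openssl ca" needs, then Steps 2-5 run unattended with unencrypted keys (the
# document uses -aes256). PKI, ROOT, INT and the section/function names are assumed.
set -e
PKI=${PKI:-$(mktemp -d)}; ROOT=$PKI/root-ca; INT=$PKI/intermediate-ca
SUBJ="/C=US/ST=Virginia/O=Your Organization Name"
# Directory layout, serial/index database and CA configuration for the Root CA.
write_ca_cnf() {
  mkdir -p "$ROOT/private" "$ROOT/certs" "$ROOT/newcerts" "$INT/private" "$INT/csr" "$INT/certs"
  : > "$ROOT/index.txt"; echo 1000 > "$ROOT/serial"
  cat > "$ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $ROOT
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/ca.key
certificate = \$dir/certs/ca.crt
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ v3_intermediate ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# Steps 2-5. Without -extensions v3_intermediate the issued certificate would be an
# end-entity certificate and the intermediate could not sign the server certificate.
sign_intermediate() {
  write_ca_cnf
  openssl genrsa -out "$ROOT/private/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -key "$ROOT/private/ca.key" -out "$ROOT/certs/ca.crt" \
    -subj "$SUBJ/CN=Root CA" -days 3650
  openssl genrsa -out "$INT/private/intermediate.key" 4096 2>/dev/null
  openssl req -new -key "$INT/private/intermediate.key" -out "$INT/csr/intermediate.csr" \
    -subj "$SUBJ/CN=Intermediate CA"
  openssl ca -batch -notext -config "$ROOT/openssl.cnf" -extensions v3_intermediate \
    -in "$INT/csr/intermediate.csr" -out "$INT/certs/intermediate.crt" -days 3650
  # The new certificate must chain to the root and carry the CA flag with pathlen:0.
  openssl verify -CAfile "$ROOT/certs/ca.crt" "$INT/certs/intermediate.crt"
  openssl x509 -in "$INT/certs/intermediate.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
sign_intermediate
```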
Step 6: Generate the Server private key:
openssl genrsa -aes256 -out server/private/server.key 4096

Step 7: Generate the Server certificate:

openssl req -new -key server/private/server.key \
    -out server/csr/server.csr \
    -subj "/C=US/ST=Virginia/L=Ashburn/O=Your Organization Name/CN=server.example.com"
openssl ca -config intermediate-ca/openssl.cnf -in server/csr/server.csr \
    -out server/certs/server.crt -days 3650

Explanation:
- We follow the same process as the Intermediate CA to generate the Server private key
and CSR.
- We then use the Intermediate CA private key and configuration file
(intermediate-ca/openssl.cnf) to sign the Server CSR and issue the Server certificate.
- Modern browsers and TLS libraries match the host name against the subjectAltName
extension rather than the CN, so the extension section the Intermediate CA applies to
server certificates should include subjectAltName = DNS:server.example.com.
Step 8: Create a certificate chain:
cat server/certs/server.crt intermediate-ca/certs/intermediate.crt root-ca/certs/ca.crt \
    > certs/chain.pem

Explanation:
- This command combines the Server certificate, Intermediate CA certificate, and Root
CA certificate, in that order (leaf first), into a single file called chain.pem. The
server presents this file to clients so they can verify the server's certificate chain
up to a Root CA they trust.
Step 9: Configure the server (optional):
- Configure your server to use the server certificate and private key for secure
communication.
- Install the chain.pem file on the server for clients to verify the certificate chain.
Additional Notes:
- This is a basic PKI setup. You can further customize it by adding more Intermediate
CAs, defining specific certificate policies, and implementing Certificate Revocation
Lists (CRLs).
- Remember to keep your private keys highly secure and follow best practices for PKI
management.
- Consider using configuration files (openssl.cnf) to manage complex PKI setups.
This project provides a basic understanding of PKI implementation with OpenSSL. You
can further explore the OpenSSL documentation and tutorials for more advanced
configurations and features.
