Setting up a CA

To set up a CA, generate a private and public key pair and build a certificate from the public key. This procedure uses OpenSSL to create the CA certificate and sign CSRs. First, set up a file structure and configuration template for the CA.

Creating the Certificate Authority

Create the ca directory along with the private, certs, and conf subdirectories, then populate the required serial and index.txt files.

mkdir -p ca/private ca/certs ca/conf
cd ca
echo '01' > serial
touch index.txt

A configuration template file specifies several configurations settings that cannot be passed from the command line. The following sample configuration file highlights fields of particular interest.

Create the ca/conf/caconfig.cnf file with contents similar to the following:

[ ca ]
default_ca = CA_default
[ CA_default ]
copy_extensions = copy 
dir = /PATH/TO/YOUR/DIR/ca 
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 712 
default_md = sha256
preserve = no
email_in_dn = no
x509_extensions = v3_ca
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = Elasticsearch Test Org 
localityName_default = Amsterdam
stateOrProvinceName_default = Amsterdam
countryName_default = NL
emailAddress_default = cacerttest@YOUR.COMPANY.TLD
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

Copy extensions: Copies all X509 V3 extensions from a Certificate Signing Request into the signed certificate. With the value set to copy, you need to ensure the extensions and their values are valid for the certificate being requested prior to signing the certificate.

CA directory: Add the full path to this newly created CA

Certificate validity period: The default number of days that a certificate signed by this CA is valid for. Note the certificates signed by a CA must expire before the CA certificate expires.

Certificate Defaults: The OrganizationName, localityName, stateOrProvinceName, countryName, and emailAddress fields are informational. The settings in the above example are the defaults for these values.