SSLeay Environment for Certificate Management

After building and installing SSLeay, but before using it to manage certificates, it is necessary to:
  1. Create the directory structure needed to manage certificates
  2. Modify the SSLeay configuration file appropriately

Creating the Directory Structure for Managing Certificates

Once SSLeay has been installed in the $SSLDIR directory (e.g. /opt/dev/ssl), it is necessary to create the directories for certificate management and to initialize the certificate serial number counter and the certificate "database" file (index.txt). The scripts and instructions in this cookbook assume that this environment has been established as follows:
mkdir ${SSLDIR}/certs 
mkdir ${SSLDIR}/crl 
mkdir ${SSLDIR}/newcerts
mkdir ${SSLDIR}/private
echo "01" > ${SSLDIR}/serial
touch ${SSLDIR}/index.txt

Modifying the SSLeay Configuration File

The SSLeay configuration file (ssleay.cnf) has multiple sections. Each section is used for a different purpose, and the sections include the following:
  ca, CA_default
      define certificate authority configuration
  policy_match, policy_anything
      define different request policies
  req, req_distinguished_name, req_attributes
      define request defaults
These configuration sections must be updated before the certificate authority can be used, especially the "dir" setting in the certificate authority configuration, which defines where everything is kept and should be set to $SSLDIR.

Certificate Authority Configuration Section

SSLeay Configuration File: Certificate Authority Configuration Section
RANDFILE		= /opt/dev/ssl/.rand

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /opt/dev/ssl		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl			# Where the issued crl are kept
database		= $dir/index.txt		# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/private/CAcert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crl/crl.pem 		# The current CRL (lives in crl_dir)
private_key	= $dir/private/CAkey.pem	# The private key
RANDFILE		= $dir/private/.rand	# private random number file

x509_extensions		= x509v3_extensions	# The extensions to add to the cert
default_days		= 365		# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match
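
As an added example (not from the cookbook), the following POSIX shell functions create the tree described above and then check that the paths named in the [ CA_default ] section of an ssleay.cnf actually resolve into it, which catches a mistyped directory name before "ssleay ca" fails on it. The function names are mine; the only assumption is that $SSLDIR names the install directory as above.

```shell
# Added example, not from the cookbook: build the certificate-management tree
# described above and verify that the paths in the [ CA_default ] section of
# an ssleay.cnf resolve into it.  SSLDIR is whatever the CA was installed in.

# setup_ssldir DIR -> certs/ crl/ newcerts/ private/, serial counter, index.txt
setup_ssldir() {
    for d in certs crl newcerts private; do mkdir -p "$1/$d"; done
    chmod 700 "$1/private"                         # the CA key will live here
    [ -s "$1/serial" ] || echo "01" > "$1/serial"  # never reset a live counter
    touch "$1/index.txt"
}

# ca_value CNF KEY -> value of KEY in [ CA_default ], trailing comment
# stripped, "$dir" left unexpanded
ca_value() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 ~ /^\[ *CA_default *\]/); next }
        insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*/, ""); print; exit }
    ' "$1"
}

# check_ca_paths CNF -> 0 when every directory named in [ CA_default ] exists
# and every file either exists or sits in an existing directory, else 1.
# This catches the kind of slip where "crl" is spelled "clr" in one path.
check_ca_paths() {
    dir=$(ca_value "$1" dir)
    [ -d "$dir" ] || { echo "dir = $dir is not a directory"; return 1; }
    rc=0
    for key in certs crl_dir new_certs_dir database serial certificate private_key crl; do
        raw=$(ca_value "$1" "$key")
        case $raw in '$dir'/*) path="$dir/${raw#*/}" ;; *) path=$raw ;; esac
        case $key in
            certs|crl_dir|new_certs_dir) test -d "$path" ;;
            database|serial)             test -f "$path" ;;
            *)                           test -d "$(dirname "$path")" ;;
        esac || { echo "$key = $raw -> $path is missing"; rc=1; }
    done
    return $rc
}

# Typical use: SSLDIR=/opt/dev/ssl; setup_ssldir "$SSLDIR"; check_ca_paths "$SSLDIR/ssleay.cnf"
```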

Certificate Request Policy Section

The policy sections of the configuration file define different certificate request signing policies. The examples here include the most lenient policy ("policy_anything") and a stricter policy ("policy_match") which restricts the values of certificate fields. A policy is applied when the CA considers signing a certificate request. "Match" means that the value of the field in the request must match the value in the CA certificate, or the request will not be signed. "Optional" means that the field need not be present, while "supplied" means that it must be present in the certificate request.
SSLeay Configuration File: Certificate Policy Section
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
localityName	= match
organizationName	= match
organizationalUnitName	= match
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
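
As an added example (not from the cookbook), this POSIX shell script applies the match / supplied / optional rules of a policy section to a request subject, which is the decision "ssleay ca" makes before signing. The policy file fragment, the CA subject and the request subject are constructed for illustration, and the helper names (dn_get, section_rules, policy_check) are my own.

```shell
# Added example, not from the cookbook: apply a policy section's match /
# supplied / optional rules to a request subject.  All inputs are constructed.
POLICY_CNF=$(mktemp)
cat > "$POLICY_CNF" <<'EOF'
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
commonName		= supplied
emailAddress		= optional
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
commonName		= supplied
emailAddress		= optional
EOF
# Subjects are written one "field=value" per line (constructed sample data).
CA_DN='countryName=US
stateOrProvinceName=MA
commonName=Open Group Test CA'
REQ_DN='countryName=US
stateOrProvinceName=CA
commonName=example.opengroup.org'
# dn_get DN FIELD -> prints the value of FIELD in DN (empty if absent)
dn_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }
# section_rules CNF SECTION -> "field rule" pairs from that section
section_rules() {
    awk -v sec="$2" '
        /^\[/ { insec = ($0 ~ ("^\\[ *" sec " *\\]")); next }
        insec && NF && $1 !~ /^#/ { sub(/[ \t]*=[ \t]*/, " "); print }
    ' "$1"
}
# policy_check SECTION CA_DN REQ_DN -> 0 if the request satisfies the policy
policy_check() {
    section_rules "$POLICY_CNF" "$1" | while read -r field rule; do
        ca=$(dn_get "$2" "$field"); req=$(dn_get "$3" "$field")
        case $rule in
            match)    [ -n "$req" ] && [ "$req" = "$ca" ] || { echo "$field: must match the CA value '$ca'"; exit 1; } ;;
            supplied) [ -n "$req" ] || { echo "$field: must be supplied"; exit 1; } ;;
            optional) ;;
            *)        echo "$field: unknown rule '$rule'"; exit 1 ;;
        esac
    done
}
# stateOrProvinceName differs from the CA's, so policy_match rejects this
# request while policy_anything accepts it.
policy_check policy_match "$CA_DN" "$REQ_DN" || echo "policy_match: rejected"
policy_check policy_anything "$CA_DN" "$REQ_DN" && echo "policy_anything: would sign"
```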

Certificate Request Defaults Section

The "req" section of the configuration file is used when creating certificate requests, and supplies defaults and length limits for the various distinguished name fields. Some of these fields (e.g. commonName) will be different for each certificate request, while others will use the default (e.g. countryName). In our examples the "req" section has the following configuration:
SSLeay Configuration File: Certificate Request Section
[ req ]
default_bits		= 512
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= US
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= MA

localityName			= Locality Name (eg, city)
localityName_default		= Cambridge

organizationName		= Organization Name (eg, company)
organizationName_default	= The Open Group

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= Research Institute

commonName			= Common Name (eg, YOUR name)
commonName_default		= example.opengroup.org
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40
emailAddress_default		= ssl_admin@opengroup.org

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
