
Create a certificate for a Certification Authority (CA) so that this CA can later issue user certificates.


Users will be able to create their public/private key pair and request a certificate from that CA.

OpenSSL

Commands:

x509
genpkey
genrsa
req

CREATE CERTIFICATES:

Administrador@MacBook-de-Administrador /Users % sudo openssl genpkey -aes128 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out Kpr_CA.pem
[RSA key-generation progress output (dots and plus signs) omitted]
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Administrador@MacBook-de-Administrador /Users % ls
Administrador Kpr_CA.pem clase
Guest Shared clasee
Administrador@MacBook-de-Administrador /Users % openssl req -new -key Kpr_CA.pem -out CA_request.csr
Could not open file or uri for loading private key from Kpr_CA.pem
00E6C00B01000000:error:8000000D:system library:BIO_new_file:Permission denied:crypto/bio/bss_file.c:67:calling fopen(Kpr_CA.pem, rb)
00E6C00B01000000:error:10080002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:77:
Administrador@MacBook-de-Administrador /Users % sudo openssl req -new -key Kpr_CA.pem -out CA_request.csr
Password:
Enter pass phrase for Kpr_CA.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Salamanca
Locality Name (eg, city) []:Salamanca
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UPSA
Organizational Unit Name (eg, section) []:informatica.upsa
Common Name (e.g. server FQDN or YOUR name) []:informatica.upsa.es
Email Address []:upsa@empresa.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:upsa
An optional company name []:upsa
Administrador@MacBook-de-Administrador /Users % ls
Administrador Guest Shared clasee
CA_request.csr Kpr_CA.pem clase
Administrador@MacBook-de-Administrador /Users % openssl x509 -req -in CA_request.csr -singkey Kpr_CA.pem -out Certificado_CA.cer
x509: Use -help for summary.
Administrador@MacBook-de-Administrador /Users % sudo openssl x509 -req -in CA_request.csr -singkey Kpr_CA.pem -out Certificado_CA.cer
x509: Use -help for summary.
Administrador@MacBook-de-Administrador /Users % sudo openssl x509 -req -in CA_request.csr -signkey Kpr_CA.pem -out Certificado_CA.cer
Enter pass phrase for Kpr_CA.pem:
Certificate request self-signature ok
subject=C = ES, ST = Salamanca, L = Salamanca, O = UPSA, OU = informatica.upsa, CN = informatica.upsa.es, emailAddress = upsa@empresa.es
Administrador@MacBook-de-Administrador /Users % ls
Administrador Guest clase
CA_request.csr Kpr_CA.pem clasee
Certificado_CA.cer Shared
Administrador@MacBook-de-Administrador /Users % openssl genpkey -aes128 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out Kpr_Montse.pem
genpkey: Can't open "Kpr_Montse.pem" for writing, Permission denied
Administrador@MacBook-de-Administrador /Users % sudo openssl genpkey -aes128 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out Kpr_Montse.pem
[RSA key-generation progress output (dots and plus signs) omitted]
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Administrador@MacBook-de-Administrador /Users % sudo openssl req -new -key Kpr_Montse.pem -out Montse_request.csr
Password:
Enter pass phrase for Kpr_Montse.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Salamanca
Locality Name (eg, city) []:Santa Marta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UPSA
Organizational Unit Name (eg, section) []:informatica.upsa
Common Name (e.g. server FQDN or YOUR name) []:informatica.upsa.es
Email Address []:upsa@empresa.es

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:upsa
An optional company name []:upsa
Administrador@MacBook-de-Administrador /Users % sudo openssl x509 -CA Certificado_CA.cer -CAkey Kpr_CA.pem -req -in Montse_request.csr -days 100 -CAcreateserial out certificadoMontse.cer
x509: Use -help for summary.
Administrador@MacBook-de-Administrador /Users % sudo openssl x509 -CA Certificado_CA.cer -CAkey Kpr_CA.pem -req -in Montse_request.csr -days 100 -CAcreateserial -out certificadoMontse.cer
Certificate request self-signature ok
subject=C = ES, ST = Salamanca, L = Santa Marta, O = UPSA, OU = informatica.upsa, CN = informatica.upsa.es, emailAddress = upsa@empresa.es
Enter pass phrase for Kpr_CA.pem:
Administrador@MacBook-de-Administrador /Users % ls
Administrador Guest Shared
CA_request.csr Kpr_CA.pem certificadoMontse.cer
Certificado_CA.cer Kpr_Montse.pem clase
Certificado_CA.srl Montse_request.csr clasee
Administrador@MacBook-de-Administrador /Users %

///

Check that a certificate is valid (OCSP):

sudo openssl ocsp -issuer USERTrust.cer -issuer GEANT.cer -cert campusvirtual.upsa.es.cer -url http://GEANT.ocsp.sectigo.com -header "HOST" GEANT.ocsp.sectigo.com
Password:

//
sudo openssl ocsp -issuer USERTrust.cer -issuer GEANT.cer -cert campusvirtual.upsa.es.cer -url http://GEANT.ocsp.sectigo.com -header host=GEANT.ocsp.sectigo.com
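The whole procedure from the transcript (CA key, CA request, self-signed CA certificate, user key, user request, user certificate signed by the CA) as one non-interactive script, followed by the verification step the notes never run. This is an added example, not code from the original notes: the file names mirror the transcript, while the passphrases, the subject names and the OCSP URL are constructed. A few things it does differently from the transcript, on purpose. The "Permission denied" errors in the transcript come from creating root-owned files with sudo and then reading or writing next to them as an ordinary user; working as one user in a temporary directory avoids that, and OpenSSL itself never needs sudo. The two "x509: Use -help for summary." lines are the typo -singkey and the missing dash in "out certificadoMontse.cer". Most importantly, a bare "openssl x509 -req -signkey" produces a CA certificate without basicConstraints CA:TRUE, which OpenSSL 3 refuses to accept as an issuer when verifying ("invalid CA certificate"), so the script supplies CA and end-entity extensions from small extension files. For the OCSP step, note that OpenSSL 3 expects "-header name=value" (the transcript's first attempt uses the older two-argument form); the ocsp_check function below needs network access to a responder and is therefore defined but not exercised by the demo run.

```shell
#!/bin/sh
# Added example, not part of the original notes: the CA -> user-certificate flow
# from the transcript, run non-interactively, plus verification. Assumes OpenSSL
# 1.1.1 or 3.x on PATH; file names, passphrases and the OCSP URL are constructed.
set -eu

# Build a small PKI inside $1: a self-signed CA plus one user certificate.
# The body runs in a subshell so the cd does not leak into the caller.
make_pki() (
  mkdir -p "$1" && cd "$1"
  # Passphrases come from the environment (-pass/-passin env:NAME), replacing
  # the interactive "Enter PEM pass phrase" prompts of the transcript.
  CA_PASS="${CA_PASS:-constructed-ca-passphrase}";       export CA_PASS
  USER_PASS="${USER_PASS:-constructed-user-passphrase}"; export USER_PASS

  # Minimal req config so the script does not depend on the system openssl.cnf;
  # the DN itself is supplied with -subj instead of the prompts.
  cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

  # 1. CA key: 4096-bit RSA, AES-128 encrypted, as in the notes. Restrict the
  #    file mode explicitly rather than relying on the tool's defaults.
  openssl genpkey -aes128 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
    -pass env:CA_PASS -out Kpr_CA.pem 2>/dev/null
  chmod 600 Kpr_CA.pem

  # 2. CA request (same DN as the transcript).
  openssl req -new -config req.cnf -key Kpr_CA.pem -passin env:CA_PASS \
    -subj "/C=ES/ST=Salamanca/L=Salamanca/O=UPSA/OU=informatica.upsa/CN=informatica.upsa.es/emailAddress=upsa@empresa.es" \
    -out CA_request.csr

  # 3. Self-sign the CA certificate WITH CA extensions: without basicConstraints
  #    OpenSSL 3 rejects the result as an issuer ("invalid CA certificate").
  cat > ca_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -in CA_request.csr -signkey Kpr_CA.pem -passin env:CA_PASS \
    -days 365 -extfile ca_ext.cnf -out Certificado_CA.cer 2>/dev/null

  # 4. User key (2048-bit) and request.
  openssl genpkey -aes128 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -pass env:USER_PASS -out Kpr_Montse.pem 2>/dev/null
  chmod 600 Kpr_Montse.pem
  openssl req -new -config req.cnf -key Kpr_Montse.pem -passin env:USER_PASS \
    -subj "/C=ES/ST=Salamanca/L=Santa Marta/O=UPSA/OU=informatica.upsa/CN=montse.informatica.upsa.es" \
    -out Montse_request.csr

  # 5. Issue the user certificate with the CA key. -CAcreateserial creates
  #    Certificado_CA.srl (seen in the transcript's final ls). The end-entity
  #    profile says CA:FALSE so this key cannot issue certificates, and the AIA
  #    extension is where "openssl ocsp" finds the responder (constructed URL).
  cat > user_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid
EOF
  openssl x509 -req -in Montse_request.csr -CA Certificado_CA.cer -CAkey Kpr_CA.pem \
    -passin env:CA_PASS -CAcreateserial -days 100 -extfile user_ext.cnf \
    -out certificadoMontse.cer 2>/dev/null
)

# "ok" if certificate $2 chains to CA certificate $1, "fail" otherwise.
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# "true" if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  case "$text" in *CA:TRUE*) echo true ;; *) echo false ;; esac
}

# The OCSP responder URL embedded in a certificate (empty if it has none).
ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Online revocation check, counterpart of the ocsp command in the notes:
# issuer certificate $1, certificate to check $2. Needs network access.
ocsp_check() {
  openssl ocsp -issuer "$1" -CAfile "$1" -cert "$2" -url "$(ocsp_uri "$2")" -resp_text
}

# Stand-alone run: build the PKI in a temporary directory and report on it.
WORK="$(mktemp -d)"
make_pki "$WORK"
echo "CA cert has CA:TRUE:    $(is_ca_cert "$WORK/Certificado_CA.cer")"
echo "user cert has CA:TRUE:  $(is_ca_cert "$WORK/certificadoMontse.cer")"
echo "user cert verifies:     $(verify_cert "$WORK/Certificado_CA.cer" "$WORK/certificadoMontse.cer")"
echo "OCSP responder:         $(ocsp_uri "$WORK/certificadoMontse.cer")"
```

Running the script prints true, false, ok and the constructed responder URL; to check a real certificate the way the notes do, call ocsp_check with the issuer certificate and the leaf certificate, and read the "Cert Status" line of the response (good, revoked or unknown). An OCSP answer is only trustworthy if the response signature verifies against the issuer, which is why the function also passes the issuer as -CAfile.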
