Tutorial to create 3-level Hierarchical Trust Model

Configuration:

//copy the openssl directory to any location; here we copy it to the Desktop
//set the path for openssl
Linux:
export PATH=$PATH:Path_of_openssl
Windows:
go to My Computer -> right click on the My Computer icon -> go to Properties -> go to the Advanced tab -> go to Environment Variables -> in the User variables window click on New -> write PATH as the variable name and write the path of openssl/bin as the variable value.
Windows Vista:
go to My Computer -> right click on the My Computer icon -> go to Properties -> go to Advanced system settings -> Continue -> go to the Advanced tab -> go to Environment Variables -> in the User variables window click on New -> write PATH as the variable name and write the path of openssl/bin as the variable value.
//make a folder/directory in the C drive named ssl with the hierarchy /usr/local/ssl and copy the openssl.cnf file from the openssl folder to the ssl directory.

Creation of ROOT CA:

//create a folder/directory for the ROOT CA in any location with the command below; any name can be given, but here we use the name RootCA and create it on the Desktop.
mkdir RootCA
//check whether the directory got created with the command below
Linux:
ls -l
Windows:
dir
//go inside the directory with the command below
cd RootCA
//make directories inside the ROOT CA directory with the command below, to keep the certificates we will be generating
mkdir certs crl newcerts private
//check whether the directories got created with the command below
Linux:
ls -l
Windows:
dir
//make an empty text file named index.txt
Linux:
vim index.txt
Windows:
edit index.txt
or
right click somewhere in the RootCA folder and create a new file named index.txt
//make a text file named serial and write the serial number inside it with the following command
Linux:
echo 01 > serial
Windows:
echo 01 > serial
//copy the openssl.cnf file from the openssl folder to the RootCA folder
//generate a private key
openssl genrsa -des3 -out private/RootCA.key 1024
//create a self-signed certificate using the private key
openssl req -new -x509 -nodes -sha1 -days 1825 -key private/RootCA.key -out RootCA.pem
//make the following changes in the openssl.cnf file which is inside the RootCA folder
In openssl.cnf change the following:
basicConstraints = CA:FALSE  to  basicConstraints = CA:TRUE
[ CA_default ]
dir = ./
certificate = $dir/RootCA.pem          # The CA certificate
private_key = $dir/private/RootCA.key  # The private key

Creation of CA:

//stay inside the ROOT CA directory and create a directory/folder for the CA; any name can be given, but here we use the name CA
mkdir CA
//go inside the CA directory with the following command
cd CA
//copy the openssl.cnf file from the openssl folder to the CA folder
//make the directories inside the CA directory to keep the certificates for the CA
mkdir certs crl newcerts private
//check whether the directories got created with the command below
Linux:
ls -l
Windows:
dir
//make an empty text file named index.txt
Linux:
vim index.txt
Windows:
edit index.txt
or
right click somewhere in the CA folder and create a new file named index.txt
//make a text file named serial and write the serial number inside it with the following command
Linux:
echo 01 > serial
Windows:
echo 01 > serial
//generate the CA key:
openssl genrsa -des3 -out private/CAKey.pem 1024
//generate a signing request (valid for 1 year)
openssl req -new -sha1 -key private/CAKey.pem -out CA.csr
//copy the signing request CA.csr from the CA directory to the ROOT CA directory
//come out of the CA directory with the following command
cd ..
//now you are in the ROOT CA directory, so sign the request using the following command
openssl ca -extensions v3_ca -days 365 -out CA.crt -in CA.csr -config openssl.cnf
//copy CA.crt from the Root CA folder to the CA folder
//go inside the CA folder with the following command
cd CA
//make the changes in the openssl.cnf file which is inside the CA folder as suggested below
[ CA_default ]
dir = ./
certificate = $dir/CA.crt             # The CA certificate
private_key = $dir/private/CAKey.pem  # The private key

Creation of server certificate:

//make sure you are in the CA folder and not in the Root CA folder
//create the private key
openssl genrsa -des3 -out server.key 1024
//generate a certificate signing request
openssl req -new -key server.key -out server.csr
//sign the request with the CA
openssl ca -config openssl.cnf -policy policy_anything -out server.crt -infiles server.csr
//export the private key and certificate in PKCS#12 (.p12) format
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
//import the server.p12 file in the Personal tab of the IE browser.
//import the CA.crt file in the Intermediate Certification Authorities tab of the IE browser.
//import the RootCA.pem file in the Trusted Root Certification Authorities tab of the IE browser.
After importing all the certificates you will be able to see the 3-level hierarchy as shown below if you view the certificate of the end user usha.
//transform the pkcs12 file to a JKS keystore file (server.jks)
java org.mortbay.jetty.security.PKCS12Import server.p12 server.jks
//check the content of the keystore with the following command:
keytool -v -list -keystore server.jks

Creation of client certificate:

//create a directory for the client
mkdir client
//create the private key for the client
openssl genrsa -des3 -out client/client.key 1024
//generate a certificate signing request
openssl req -new -key client/client.key -out client/client.csr
//sign the request with the CA
openssl ca -config openssl.cnf -policy policy_anything -out client/client.crt -infiles client/client.csr
//export the private key and certificate in PKCS#12 (.p12) format
openssl pkcs12 -export -in client/client.crt -inkey client/client.key -out client/client.p12
//generate the client keystore as follows
java org.mortbay.jetty.security.PKCS12Import ./client/client.p12 ./client/client.jks

Creating and populating a trust-store for Tomcat:

//create a dummy keychain as follows
keytool -genkey -alias dummy -keyalg RSA -keystore truststore.jks
//delete the alias dummy, to have an empty trust-store:
keytool -delete -alias dummy -keystore truststore.jks
//import our CA public key with the command given below
keytool -import -v -trustcacerts -alias my_ca -file RootCA.pem -keystore truststore.jks
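The whole procedure above, root CA -> intermediate CA -> server certificate, as one non-interactive script. This is an added example and not part of the tutorial: it uses the same certs/crl/newcerts/private, index.txt and serial layout for each CA and drives the same openssl req, openssl ca and openssl pkcs12 steps, then checks the result the way a relying party would: the leaf must verify when the root is trusted and the intermediate is supplied, and must be rejected when only the root is available. Assumptions: openssl 1.1.1 or 3.x on PATH; keys are written unencrypted (-nodes) so nothing prompts; RSA-2048 and SHA-256 are used instead of the tutorial's 1024-bit keys and SHA-1; the names "Example", "server.example.test", the scratch directory and the export passphrase "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): build root -> intermediate -> server with
# openssl using the tutorial's index.txt / serial / newcerts layout, then verify the
# chain. Assumes openssl 1.1.1+ on PATH; keys are unencrypted (-nodes) so nothing
# prompts; RSA-2048/SHA-256 instead of the tutorial's 1024/SHA-1; all names,
# the scratch directory and the passphrase "changeit" are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (absolute path, no spaces)

# One CA directory laid out as in the tutorial, plus the openssl.cnf that `openssl ca`
# reads. $1 = absolute directory path (written into the config as "dir").
make_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"                 # empty certificate database
    echo 01 > "$1/serial"              # first serial number to issue
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/ca.pem              # certificate of this CA
private_key      = \$dir/private/ca.key      # private key of this CA
default_md       = sha256
policy           = policy_anything
unique_subject   = no
[ policy_anything ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
# root: a CA that may sign other CAs
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
# intermediate: a CA, but pathlen:0 stops it from issuing further CAs
[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
# end entity: CA:FALSE, the value the tutorial flips to TRUE for CA certificates only
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
}

# Key plus CSR: $1 = key path, $2 = CSR path, $3 = common name
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1" -out "$2" \
        -subj "/O=Example/CN=$3" -config "$WORK/root/openssl.cnf" 2>/dev/null
}

# Sign with a CA database: $1 = CA dir, $2 = extension section, $3 = days, $4 = CSR, $5 = output
ca_sign() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$2" -days "$3" \
        -in "$4" -out "$5" 2>/dev/null
}

build_chain() {
    make_ca_dir "$WORK/root"; make_ca_dir "$WORK/inter"; mkdir -p "$WORK/server"
    # level 1: self-signed root (the tutorial's RootCA.pem)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example/CN=Example Root CA" -config "$WORK/root/openssl.cnf" \
        -extensions v3_ca -keyout "$WORK/root/private/ca.key" -out "$WORK/root/ca.pem" 2>/dev/null
    # level 2: intermediate CSR signed by the root (the tutorial's CA.crt)
    new_request "$WORK/inter/private/ca.key" "$WORK/inter/ca.csr" "Example Intermediate CA"
    ca_sign "$WORK/root" v3_intermediate 1825 "$WORK/inter/ca.csr" "$WORK/inter/ca.pem"
    # level 3: server CSR signed by the intermediate, then bundled as PKCS#12 with its issuer
    new_request "$WORK/server/server.key" "$WORK/server/server.csr" "server.example.test"
    ca_sign "$WORK/inter" v3_server 365 "$WORK/server/server.csr" "$WORK/server/server.crt"
    openssl pkcs12 -export -in "$WORK/server/server.crt" -inkey "$WORK/server/server.key" \
        -certfile "$WORK/inter/ca.pem" -out "$WORK/server/server.p12" -passout pass:changeit
}

# Trust only the root; the intermediate is offered as an untrusted link in the chain.
verify_chain() {
    openssl verify -CAfile "$WORK/root/ca.pem" -untrusted "$WORK/inter/ca.pem" \
        "$WORK/server/server.crt" >/dev/null 2>&1
}

# The root alone cannot validate the leaf: a client that imported only RootCA.pem
# also needs CA.crt, which is why the tutorial imports both into the browser.
verify_without_intermediate_fails() {
    ! openssl verify -CAfile "$WORK/root/ca.pem" "$WORK/server/server.crt" >/dev/null 2>&1
}

# Number of certificates from leaf to root in the validated chain (3 for this hierarchy).
chain_depth() {
    openssl verify -show_chain -CAfile "$WORK/root/ca.pem" -untrusted "$WORK/inter/ca.pem" \
        "$WORK/server/server.crt" 2>/dev/null | grep -c '^depth='
}

build_chain
verify_chain && echo "root + intermediate: leaf verifies"
verify_without_intermediate_fails && echo "root alone: leaf rejected (intermediate required)"
echo "chain depth: $(chain_depth); artifacts left in $WORK"
```

The issued certificates land in each CA's newcerts directory as <serial>.pem and the serial file is advanced by openssl ca, exactly as in the tutorial's layout; the artifacts are left under $WORK so the index.txt entries and the PKCS#12 bundle can be inspected afterwards. The negative check is the practical point of the three levels: whoever only imports RootCA.pem (browser, Tomcat truststore) must also be given CA.crt, or the server certificate will not validate.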