By DarrenMoffat on Apr 30, 2008
With the recently added ability to sign PKCS#10 certificate request files, the pktool(1) command of OpenSolaris can be used as a very simple Certificate Authority, similar to what can be done with the openssl(1) command but, in my opinion, in a much clearer way and with stronger security. I'll outline the basic commands below, but some external "database" will be needed to keep the serial number count and the other state a useful CA has to track.
First, generate the root CA; this is by definition self-signed.
admin$ pktool gencert keystore=file outcert=myCA \
    subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1 outkey=myCA.key
Generate a user CSR in PKCS#10 format
user$ pktool gencsr keystore=file outcsr=sample.p10 \
    subject="CN=darren,OU=people,DC=EXAMPLE,DC=COM" outkey=sample.key

The user then sends the PKCS#10 certificate request to the administrator for signing.
Sign the PKCS#10 CSR with the root CA
admin$ pktool signcsr keystore=file signkey=myCA.key csr=sample.p10 \
    outcert=sample.cert format=pem serial=0x1001 issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Increasing the CA security

The above example stores the master CA key in a file, but we can do better than that and store it in a PKCS#11 accessible hardware keystore. It would look something like this:
admin$ pktool gencert keystore=pkcs11 label=myCA \
    subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1
Enter PIN for Sun Software PKCS#11 softtoken :
We now have the key in a PKCS#11 accessible keystore that is PIN protected; the sign operation is almost the same:
admin$ pktool signcsr keystore=pkcs11 signkey=myCA csr=sample.p10 \
    outcert=sample.cert format=pem serial=0x1001 \
    issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Enter PIN for Sun Software PKCS#11 softtoken :
Note that we didn't explicitly specify the PKCS#11 token to use, but pktool(1) allows us to do so.

Similarly, the user can use a PKCS#11 keystore when they run gencert.
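The post says an external "database" is needed to keep the serial number count and other CA state; what follows is an added example of one, not code from the post or from pktool. It wraps the signcsr step from both the file-keystore and the PKCS#11 sections (the keystore name and signkey are passed through unchanged) in a small POSIX sh library that allocates serials from a counter file, refuses to sign with a serial that already appears in the issued-certificate index, and records each issuance. The directory layout, the function names, and the tab-separated "V" index record are my own conventions, loosely modelled on openssl's index.txt; pktool defines none of them. One X.509 check worth keeping in mind when running it: the issuer DN passed to signcsr must equal the subject DN of the CA certificate, or the issued certificate will not chain to the CA during validation.

```shell
#!/bin/sh
# Added example: a minimal "CA state database" around pktool signcsr.
# Layout (my own convention, assumed, not something pktool defines):
#   $CADIR/serial     next serial to issue, as a 0x-prefixed hex string
#   $CADIR/index.txt  one tab-separated line per issued certificate:
#                     V <serial> <utc-time> <subject DN> <certificate file>

ca_init() {
    # ca_init CADIR [FIRST_SERIAL]  - create the state files if missing
    dir=$1
    first=${2:-0x1001}
    mkdir -p "$dir"
    [ -f "$dir/serial" ] || printf '%s\n' "$first" > "$dir/serial"
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
}

ca_next_serial() {
    # ca_next_serial CADIR  - print the serial to use now, then advance the counter.
    # POSIX shell arithmetic accepts 0x-prefixed constants, so the hex form round-trips.
    dir=$1
    cur=$(cat "$dir/serial")
    printf '0x%x\n' $(( cur + 1 )) > "$dir/serial"
    printf '%s\n' "$cur"
}

ca_serial_issued() {
    # ca_serial_issued CADIR SERIAL  - succeed if SERIAL is already in the index.
    # Reusing a serial under one issuer breaks revocation lists and confuses
    # validators, so this is checked before every signature rather than trusting
    # the counter file alone (it could be restored from an old backup).
    tab=$(printf '\t')
    grep -q "^V${tab}$2${tab}" "$1/index.txt"
}

ca_sign_cmd() {
    # ca_sign_cmd KEYSTORE SIGNKEY CSR OUTCERT SERIAL ISSUER_DN
    # Print the exact pktool command line, for review or logging before it runs.
    # KEYSTORE is "file" (SIGNKEY is a key file) or "pkcs11" (SIGNKEY is a label).
    printf 'pktool signcsr keystore=%s signkey=%s csr=%s outcert=%s format=pem serial=%s issuer="%s"\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

ca_record() {
    # ca_record CADIR SERIAL SUBJECT_DN OUTCERT  - append one index line
    printf 'V\t%s\t%s\t%s\t%s\n' "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$4" \
        >> "$1/index.txt"
}

ca_sign() {
    # ca_sign CADIR KEYSTORE SIGNKEY CSR OUTCERT SUBJECT_DN ISSUER_DN
    # Allocate a serial, refuse duplicates, sign with pktool, record the issuance.
    dir=$1 keystore=$2 signkey=$3 csr=$4 outcert=$5 subject=$6 issuer=$7
    serial=$(ca_next_serial "$dir") || return 1
    if ca_serial_issued "$dir" "$serial"; then
        echo "refusing to reuse serial $serial (index and counter disagree)" >&2
        return 1
    fi
    ca_sign_cmd "$keystore" "$signkey" "$csr" "$outcert" "$serial" "$issuer" >&2
    # With keystore=pkcs11 pktool prompts for the token PIN here, as in the post.
    pktool signcsr keystore="$keystore" signkey="$signkey" csr="$csr" \
        outcert="$outcert" format=pem serial="$serial" issuer="$issuer" || return 1
    ca_record "$dir" "$serial" "$subject" "$outcert"
}

# Usage, mirroring the post's file-keystore example (run as the CA administrator):
#   ca_init ./ca-state 0x1001
#   ca_sign ./ca-state file myCA.key sample.p10 sample.cert \
#       "CN=darren,OU=people,DC=EXAMPLE,DC=COM" "CN=test,DC=EXAMPLE,DC=COM"
# and the PKCS#11 variant, where the signing key is addressed by its label:
#   ca_sign ./ca-state pkcs11 myCA sample.p10 sample.cert \
#       "CN=darren,OU=people,DC=EXAMPLE,DC=COM" "CN=test,DC=EXAMPLE,DC=COM"
```

The counter and the index are deliberately separate: the counter is what makes the next serial cheap to pick, the index is what makes a reused serial detectable, and keeping both lets the script notice when they disagree (for example after the counter file is restored from a backup) instead of silently issuing a second certificate with a serial already in circulation.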