I had to deal with S/MIME-certificates a lot recently. Even though i conecptionally do know about public key cryptography and certificates I rarely had to deal with openssl. So i took some time and worked through this tutorial by jamielinux.com about creating a private public key infrastructure comprising of a root ca and a intermediary ca. I accompanied my reading with the writing of a shell script that basically is the extraction of the shell script included in the tutorial. To make it run you should also download this file. It consists of the two openssl configuration files mentioned in jamie linux‘ tutorial. Fire up the script and you get a root ca and three intermediary ca’s.

#!/bin/sh
 
#
# Author: Matthias
#
 
set -x
 
BASE=$(pwd)
ROOT_DIR=${BASE}/PKI_0/ROOT
ROOT_KEY=private/ca.key.pem
ROOT_CERT=certs/ca.cert.pem
KEYSIZE=2048
ENCRYPT=
#ENCRYPT=-aes256
 
mkdir -p ${ROOT_DIR}
cd ${ROOT_DIR}
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
cp -v ${BASE}/resources/openssl-root.cnf openssl.cnf
sed -i -e "s#%ROOT_DIR%#${ROOT_DIR}#" openssl.cnf
 
# create the root key
 
echo "#"
echo "# Creating encrypted key-pair"
echo "#"
 
openssl genrsa ${ENCRYPT} -out ${ROOT_KEY} ${KEYSIZE}
chmod 400 ${ROOT_KEY}
 
# create certificate from root key and personal data
 
echo "#"
echo "# Creating certificate"
echo "#"
 
openssl req -config openssl.cnf \
        -key ${ROOT_KEY} \
        -new -x509 -days 7300 -sha256 -extensions v3_ca \
        -out ${ROOT_CERT} \
        -subj "/C=DE/ST=NRW/L=Aachen/O=Private/OU=NA/CN=Ernie/emailAddress=ernie@sesamstreet.com"
 
#
# Verify the root certificate
#
 
echo "Do you want to verify the certificate (y/n)?"
read -n 1
 
if [[ ${REPLY} == "y" ]] ; then
    echo "#"
    echo "# Verifying certificate"
    echo "#"
    openssl x509 -noout -text -in ${ROOT_CERT}
fi
 
for INDEX in 0 1 2 ; do
 
    INTERMEDIATE_DIR=${BASE}/PKI_0/INTERMEDIARIES/${INDEX}
    INTERMEDIATE_KEY=${INTERMEDIATE_DIR}/private/intermediate.key.pem
    INTERMEDIATE_CSR=${INTERMEDIATE_DIR}/csr/intermediate.csr.pem
    INTERMEDIATE_CERT=${INTERMEDIATE_DIR}/certs/intermediate.cert.pem
 
    mkdir -p ${INTERMEDIATE_DIR}
    cd ${INTERMEDIATE_DIR}
    mkdir certs crl csr newcerts private
    chmod 700 private
    touch index.txt
    echo 1000 > serial
    cp -v ${BASE}/resources/openssl-intermediate.cnf openssl.cnf
    sed -i -e "s#%ROOT_DIR%#${INTERMEDIATE_DIR}#" openssl.cnf
    echo 1000 > ${INTERMEDIATE_DIR}/crlnumber
 
    # create the intermediate key
 
    echo "#"
    echo "# Creating encrypted key-pair"
    echo "#"
 
    cd ${ROOT_DIR}
    openssl genrsa ${ENCRYPT} -out ${INTERMEDIATE_KEY} ${KEYSIZE}
    chmod 400 ${INTERMEDIATE_KEY}
 
    # create certificate from root key and personal data
 
    echo "#"
    echo "# Creating intermediate certificate"
    echo "#"
 
    cd ${ROOT_DIR}
    openssl req -config ${INTERMEDIATE_DIR}/openssl.cnf \
            -new -sha256 \
            -key ${INTERMEDIATE_KEY} \
            -out ${INTERMEDIATE_CSR} \
            -subj "/C=DE/ST=NRW/L=Aachen/O=Private/OU=NA/CN=Dummy Intermediate ${INDEX}/emailAddress=intermediate_${INDEX}@dummy.local"
 
    cd ${ROOT_DIR}
    openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
            -days 3650 -notext -md sha256 \
            -in ${INTERMEDIATE_CSR} \
            -out ${INTERMEDIATE_CERT}
 
    chmod 444 ${INTERMEDIATE_CERT}
 
    # Verify the interemediate certificate
    #
 
    echo "Do you want to verify the intermediate certificate (y/n)?"
    read -n 1
 
    if [[ ${REPLY} == "y" ]] ; then
        echo "#"
        echo "# Verifying certificate"
        echo "#"
        openssl x509 -noout -text -in ${INTERMEDIATE_CERT}
        openssl verify -CAfile ${ROOT_CERT} ${INTERMEDIATE_CERT}
    fi
 
done
 
################
#              #
# End of file  #
#              #
################

If you are still reading your are propably very interested in certificates and s/mime. I have one more thing to share – I have collected a couple of information about related rfcs and some terminology. The information is partly copied from a stackoverflow answer. Basically a list of who is who in s/mime related rfc’s. Click here to go there.