I think I have the right OpenSSL command to sign a certificate but I've gotten stuck and the tutorials I've found use a different argument format (I'm using OpenSSL 0.9.8o 01 Jun 2010).
```
openssl ca -cert cert.pem -keyfile key.pem
```
(Private key is not encrypted and CSR is on stdin.)
It gives this error:
```
Using configuration from /usr/lib/ssl/openssl.cnf
./demoCA/index.txt: No such file or directory
unable to open './demoCA/index.txt'
```
Looking at that configuration file:
```
[ ca ]
default_ca = CA_default          # The default ca section

[ CA_default ]
dir = ./demoCA                   # Where everything is kept
certs = $dir/certs               # Where the issued certs are kept
crl_dir = $dir/crl               # Where the issued crl are kept
database = $dir/index.txt        # database index file.
```
I don't have any of this set up. I don't want to set any of this up.
Is it strictly necessary, or is there a "don't bother" option?
I tried creating empty directories and files but I've got in a tangle. What I really want is for a command like the above to work, with the output on stdout, without touching anything on the filesystem.
I don't know of any "don't bother" options, but here is how you can set up a quick demo CA:
```bash
#!/bin/bash
CAROOT=/path/to/ca

mkdir -p ${CAROOT}/ca.db.certs     # Signed certificates storage
touch ${CAROOT}/ca.db.index        # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial   # Next (sequential) serial number

# Configuration (quoted heredoc: $dir is left for OpenSSL to expand)
cat>${CAROOT}/ca.conf<<'EOF'
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = REPLACE_LATER
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5          # md5 is no longer a safe signature digest; sha256 is the current choice
preserve = no
policy = generic_policy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF

# Point "dir" at the real CA directory
sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf

cd ${CAROOT}

# Generate CA private key (1024-bit RSA is too short by today's standards; use 2048 or more)
openssl genrsa -out ca.key 1024

# Create Certificate Signing Request
openssl req -new -key ca.key \
            -out ca.csr

# Create self-signed certificate
openssl x509 -req -days 10000 \
             -in ca.csr \
             -out ca.crt \
             -signkey ca.key
```
Now you can generate and sign keys:
```bash
# Create private/public key pair
openssl genrsa -out server.key 1024

# Create Certificate Signing Request
openssl req -new -key server.key \
            -out server.csr

# Sign key
openssl ca -config ${CAROOT}/ca.conf \
           -in server.csr \
           -cert ${CAROOT}/ca.crt \
           -keyfile ${CAROOT}/ca.key \
           -out server.crt
```
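The same procedure collapsed into a single function, as an added example that is not part of the answer above: the demo CA (index, serial, config, self-signed CA cert) is built in a temporary directory, `openssl ca` signs the CSR read from stdin and writes only the PEM certificate to stdout, and the directory is deleted afterwards, so nothing is left on the filesystem. The function name, the section names, the 2048-bit/SHA-256 settings (in place of the answer's 1024-bit/md5) and the requirement that `openssl` and `mktemp -d` are available are assumptions of this example.

```shell
# Sign the CSR on stdin with a throwaway CA that lives only in a temp dir;
# the signed certificate goes to stdout and the temp dir is removed again.
sign_csr_with_throwaway_ca() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/newcerts"
    : > "$tmp/index.txt"          # empty "database", as openssl ca requires
    echo 01 > "$tmp/serial"        # first serial number to issue
    cat > "$tmp/req.csr"           # the CSR arrives on stdin
    cat > "$tmp/ca.conf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = $tmp
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_md = sha256
policy = generic_policy
x509_extensions = leaf_ext
[ generic_policy ]
commonName = supplied
organizationName = optional
countryName = optional
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Self-signed throwaway CA certificate and key (RSA 2048, SHA-256).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Throwaway demo CA" -config "$tmp/ca.conf" -extensions v3_ca \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    # -batch: no prompts; -notext: PEM block only, no text dump; no -out: stdout.
    openssl ca -batch -notext -config "$tmp/ca.conf" -in "$tmp/req.csr" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Usage: `openssl req -new -key server.key -subj /CN=example.test | sign_csr_with_throwaway_ca > server.crt`; DN fields other than CN, O and C are dropped by the policy section.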