
Thursday, 30 July 2015

Creating a Local Certificate Authority, Signing and Requesting Certificates


In this tutorial I will be using CentOS to demonstrate the configuration of OpenSSL as a local certificate authority. Once this is set up you can use this server to sign certificates for other servers on your network. In this example I will also generate the signing request on the CA server itself, but in production you can/will do this from the requesting server.

1) Find out where the openssl.cnf file is located

which openssl

locate openssl.cnf



2) Change to the folder containing the openssl.cnf file and make a backup of the file

cd /etc/pki/tls


Use the root user for the following commands


cp openssl.cnf openssl_bkup.cnf



3) Configure the cnf file as needed

vi openssl.cnf

Change the dir setting (in the [ CA_default ] section) to

dir = ./local-ca or /etc/pki/local-ca

Under the [ req_distinguished_name ] heading you can modify the defaults
as needed (helps in faster option selection but not required)



Modify the OpenSSL configuration to enable the certificate revocation list:

comment out "crlnumber"
it should read #crlnumber after the change





4) After the configuration edits, create the CA directory structure, the serial file and the empty index

mkdir local-ca
cd local-ca
mkdir newcerts
mkdir certs
mkdir req
mkdir private
mkdir crl

echo "01" > serial

touch index.txt



5) Create the CA
cd /etc/pki/local-ca

openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650




6) Create a request for a certificate from the Certificate Authority above (normally done on a different server)

openssl req -new -nodes -newkey rsa:1024 -keyout private/newsecuredserver.key -out req/newsecuredserver.req -days 1095



7) Create the signed certificate from the request above
openssl ca -policy policy_anything -out certs/newsecuredserver.pem -in req/newsecuredserver.req



The signed SSL certificate is the .pem file
The key files are .key

Backup
Back up the entire OpenSSL directory
/etc/pki

Remember to preserve the directory permissions; check them with
ls -Fla pki

Create the certificate revocation list

openssl ca -config openssl.cnf -gencrl -out crl/crl.pem

Revoking Certificates
openssl ca -revoke /System/Library/OpenSSL/groundsweel/certs/mainfinsrvprod.pem

Create a new request after revoking the certificate
openssl req -new -nodes -out /System/Library/OpenSSL/mainfinsrvprod/req/mainfinsrvprodnew.req

Create the new signed certificate

openssl ca -config /System/Library/OpenSSL/openssl.cnf -policy policy_anything -out /System/Library/OpenSSL/main-ca/certs/mainfinsrvprodnew.pem -infiles /System/Library/OpenSSL/main-ca/req/mainfinsrvprodnew.req
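The steps 3 to 7 above and the revocation section, as one added example that is not part of the original post: it builds a throwaway CA directory with a minimal openssl.cnf, creates the CA and a server certificate unattended, checks the result with openssl verify, then revokes the certificate and checks that a CRL-aware verify rejects it. It assumes openssl 1.1.1 or later on PATH; the CA name, server name, passphrase and paths are constructed for the demo.

```shell
# Added example, not from the original post: steps 3-7 plus revocation, run unattended
# in a throwaway CA dir and checked with openssl verify. Assumes openssl 1.1.1+ on PATH.
set -eu
run_local_ca_demo() {
  ca=$(mktemp -d); cfg="$ca/openssl.cnf"; pass="pass:constructed-ca-passphrase"
  mkdir -p "$ca/newcerts" "$ca/certs" "$ca/req" "$ca/private" "$ca/crl"   # step 4
  chmod 700 "$ca/private"; echo 01 > "$ca/serial"; : > "$ca/index.txt"
  # step 3: minimal openssl.cnf with dir set to the CA; crlnumber omitted as in the post (V1 CRL)
  cat > "$cfg" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $ca
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
default_md         = sha256
policy             = policy_anything
[ policy_anything ]
commonName         = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
CN                 = placeholder
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
  # step 5: self-signed CA cert; the CA key stays passphrase-protected as in the post
  openssl req -config "$cfg" -new -x509 -newkey rsa:2048 -days 3650 -passout "$pass" \
    -subj "/CN=Local Test CA" -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
  # step 6: the server's request (2048-bit here; modern clients reject the post's rsa:1024)
  openssl req -config "$cfg" -new -nodes -newkey rsa:2048 -subj "/CN=newsecuredserver" \
    -keyout "$ca/private/newsecuredserver.key" -out "$ca/req/newsecuredserver.req" 2>/dev/null
  # step 7: sign the request, then prove the result chains to cacert.pem
  openssl ca -config "$cfg" -batch -passin "$pass" -policy policy_anything -days 1095 \
    -in "$ca/req/newsecuredserver.req" -out "$ca/certs/newsecuredserver.pem" 2>/dev/null
  openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/newsecuredserver.pem" >/dev/null
  # revoke, build the CRL, and confirm that a CRL-checking verify now rejects the cert
  openssl ca -config "$cfg" -passin "$pass" -revoke "$ca/certs/newsecuredserver.pem" 2>/dev/null
  openssl ca -config "$cfg" -passin "$pass" -gencrl -crldays 30 -out "$ca/crl/crl.pem" 2>/dev/null
  if openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/crl.pem" \
       "$ca/certs/newsecuredserver.pem" >/dev/null 2>&1; then rm -rf "$ca"; return 1; fi
  rm -rf "$ca"; echo "ok: signed, verified, revoked, CRL enforced"
}
command -v openssl >/dev/null 2>&1 || exit 0   # nothing to demonstrate without openssl
run_local_ca_demo
```

The same -crl_check verify against the CRL generated before the revocation would succeed, which is the check to run on a CA host after every -revoke to confirm the new CRL was actually regenerated and distributed.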





