Thursday, 30 July 2015

Creating a Local Certificate Authority, Signing and Requesting Certificates

In this tutorial I will use CentOS to demonstrate configuring OpenSSL as a local certificate authority (CA). Once it is set up you can use this server to sign certificates for the other servers on your network. For the example I also generate the signing request on the CA server itself; in production the request (and the private key behind it) should be generated on the server that will use the certificate, so that the key never leaves that machine and only the request file travels to the CA.

1) Find out where the openssl binary and the openssl.cnf file are located (on CentOS the configuration lives in /etc/pki/tls/openssl.cnf; locate only works if the mlocate database is up to date)

which openssl

locate openssl.cnf

2) Change to the folder containing the openssl.cnf file and make a backup of it before editing

cd /etc/pki/tls

Run this and everything that follows as root: the CA directory, its database and above all its private key must not be readable or writable by ordinary users.

cp openssl.cnf openssl_bkup.cnf

3) Configure the cnf file as needed

vi openssl.cnf

In the [ CA_default ] section, point dir at the CA directory you are about to create in step 4:

dir = /etc/pki/local-ca

An absolute path is safer than ./local-ca, which only resolves correctly when you run openssl from /etc/pki.

Under the [ req_distinguished_name ] heading you can change the *_default values (country, state, organisation and so on). This only pre-fills the prompts when you generate requests and is not required.

Make sure revocation lists can be generated. The CentOS default already contains crlnumber = $dir/crlnumber in [ CA_default ]; keep that line and seed a crlnumber file with 01 alongside serial, so the CA issues version 2 CRLs carrying the CRL number extension that relying parties use to tell an old CRL from a newer one. Commenting the line out (#crlnumber) also lets openssl ca -gencrl run without the file, but then the CA issues version 1 CRLs without that extension.

4) After the configuration edits, create the CA directory layout (still in /etc/pki, as root)

mkdir local-ca
cd local-ca
mkdir newcerts
mkdir certs
mkdir req
mkdir private
mkdir crl

newcerts receives a copy of every issued certificate named by its serial number, certs holds the copies you hand out, req the incoming requests, private the CA key and crl the revocation lists. Make private readable and searchable by root only (mode 700) before the key is generated in step 5.

echo "01" > serial

serial holds the next serial number in hex and is incremented on every signature. If you kept crlnumber enabled in step 3, seed a crlnumber file with 01 in exactly the same way.

touch index.txt

index.txt is the CA database: one line per issued certificate with its status (V valid, R revoked, E expired). It must exist, even empty, before openssl ca will run.

5) Create the CA

cd /etc/pki/local-ca

openssl req -new -x509 -sha256 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650

This generates a 2048-bit RSA key and a self-signed CA certificate valid for ten years, signed with SHA-256 (older OpenSSL builds default to SHA-1 for req, which browsers no longer accept). You will be prompted for a passphrase for cakey.pem; do not leave it empty, this key is the root of trust for everything the CA signs. The subject you enter here becomes the issuer name on every certificate the CA issues.

6) Create a request for a certificate from the CA above (normally done on the server that needs the certificate)

openssl req -new -nodes -newkey rsa:2048 -keyout private/newsecuredserver.key -out req/newsecuredserver.req

-nodes leaves the server key unencrypted so the service can start without a passphrase; protect the file with filesystem permissions instead. Use at least a 2048-bit key: 1024-bit RSA is no longer considered safe and current clients reject such certificates. Note that -days has no effect on a request (it only applies together with -x509); the lifetime of the signed certificate is decided by the CA, through default_days in openssl.cnf or -days on the openssl ca command.

7) Create the signed certificate from the request above

openssl ca -policy policy_anything -out certs/newsecuredserver.pem -in req/newsecuredserver.req

openssl ca reads the CA location from the dir setting in openssl.cnf, so run it from /etc/pki/local-ca (or pass -config with the full path to the cnf file). -policy policy_anything accepts any subject; the default policy_match requires the country, state and organisation fields to match the CA's own. You will be prompted for the CA key passphrase and asked to confirm both the signature and the database update; a copy of the certificate also lands in newcerts as <serial>.pem.

Naming convention used here: signed certificates are .pem, private keys are .key (both are PEM-encoded either way).

Back up the entire OpenSSL directory

Keep the file and directory permissions when you copy it (private must stay readable by root only, and the backup itself deserves the same protection as the CA key). From /etc, check the permissions with

ls -Fla pki

Create the certificate revocation list (from /etc/pki/local-ca)

openssl ca -config /etc/pki/tls/openssl.cnf -gencrl -out crl/crl.pem

This needs the crlnumber file from step 4 unless you commented crlnumber out, and takes the CRL lifetime from default_crl_days in openssl.cnf (or -crldays on the command line). Regenerate and republish the CRL every time you revoke a certificate and again before it expires: OpenSSL's own verification rejects an expired CRL instead of treating the certificate as good.

Revoking certificates (paths below assume you are in /etc/pki/local-ca; mainfinsrvprod stands for whichever server certificate you are replacing)

openssl ca -revoke certs/mainfinsrvprod.pem

This only marks the entry as R in index.txt. The revocation reaches clients when you regenerate and publish the CRL as described above.

Create a new request after revoking the certificate. Generate a fresh key rather than reusing the old one, above all if the certificate was revoked because of a key compromise:

openssl req -new -nodes -newkey rsa:2048 -keyout private/mainfinsrvprodnew.key -out req/mainfinsrvprodnew.req

Create the new signed certificate

openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out certs/mainfinsrvprodnew.pem -infiles req/mainfinsrvprodnew.req

-infiles must be the last option, because everything after it is treated as a request file. A new certificate with the same subject is accepted here because the old entry is already revoked; while the old one is still marked valid, the default unique_subject setting makes openssl ca refuse to issue a second certificate for the same name.
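The whole procedure end to end, as an added example that is not part of the original post: a throwaway CA built in a temporary directory with its own minimal openssl.cnf (so nothing under /etc/pki is touched), a server request signed by it, a CRL generated with crlnumber left enabled, a revocation, and a re-issue of the same name. It goes beyond the steps above in checking each state with openssl verify -crl_check and reading the revoked serials back out of the CRL. The CA name "Local Test CA", the server name, the config values and the temporary directory layout are assumptions; the CA key is left unencrypted only because the directory is disposable.

```sh
#!/bin/sh
# Added example, not the tutorial's own commands: the CA/sign/CRL/revoke flow
# against a disposable CA in a temp dir with its own minimal openssl.cnf.
# Layout mirrors the tutorial; names and config values are assumptions.
set -eu

setup_ca() {
  CA_DIR=$(mktemp -d)                       # stands in for /etc/pki/local-ca
  mkdir "$CA_DIR/newcerts" "$CA_DIR/certs" "$CA_DIR/req" "$CA_DIR/private" "$CA_DIR/crl"
  chmod 700 "$CA_DIR/private"               # only the owner may read CA keys
  echo 01 > "$CA_DIR/serial"                # next certificate serial (hex)
  echo 01 > "$CA_DIR/crlnumber"             # keep crlnumber enabled: v2 CRLs
  : > "$CA_DIR/index.txt"                   # empty CA database
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 1095
default_crl_days = 30
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root, 10 years. -nodes only because this CA is disposable;
  # a real CA key gets a passphrase (omit -nodes, as the tutorial does).
  openssl req -config "$CA_DIR/openssl.cnf" -new -x509 -sha256 -nodes -newkey rsa:2048 \
    -subj "/CN=Local Test CA" -keyout "$CA_DIR/private/cakey.pem" \
    -out "$CA_DIR/cacert.pem" -days 3650 2>/dev/null
}

# Request for a server (in real life generated on that server), then sign it.
# The certificate lifetime comes from default_days in the CA config.
issue_cert() {
  openssl req -config "$CA_DIR/openssl.cnf" -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/req/$1.req" 2>/dev/null
  openssl ca -batch -config "$CA_DIR/openssl.cnf" \
    -out "$CA_DIR/certs/$1.pem" -in "$CA_DIR/req/$1.req" 2>/dev/null
}

gen_crl() {
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/crl.pem" 2>/dev/null
}

# Revoking only flags the index.txt entry; the CRL has to be regenerated.
revoke_cert() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/$1.pem" 2>/dev/null
  gen_crl
}

# Serial numbers listed in the current CRL (empty while nothing is revoked).
crl_revoked_serials() {
  openssl crl -in "$CA_DIR/crl/crl.pem" -noout -text | sed -n 's/^ *Serial Number: //p'
}

# "valid" if the cert chains to the CA and is not on the CRL, else "revoked_or_invalid".
# CA cert and CRL are concatenated because -CAfile accepts both in one PEM bundle.
verify_cert() {
  cat "$CA_DIR/cacert.pem" "$CA_DIR/crl/crl.pem" > "$CA_DIR/ca_and_crl.pem"
  if openssl verify -crl_check -CAfile "$CA_DIR/ca_and_crl.pem" "$CA_DIR/certs/$1.pem" 2>&1 \
       | grep -q ': OK$'; then echo valid; else echo revoked_or_invalid; fi
}

main() {
  setup_ca
  issue_cert newsecuredserver
  gen_crl
  echo "issued (serial file now $(cat "$CA_DIR/serial")): $(verify_cert newsecuredserver)"
  revoke_cert newsecuredserver
  echo "revoked serials in CRL: $(crl_revoked_serials); status: $(verify_cert newsecuredserver)"
  issue_cert newsecuredserver               # same name again: allowed once the old entry is R
  echo "re-issued (serial file now $(cat "$CA_DIR/serial")): $(verify_cert newsecuredserver)"
  rm -rf "$CA_DIR"
}
main
```

Run it as an ordinary user; it prints the verification status before revocation, after revocation and after the re-issue, then deletes the temporary directory. In the real setup the request half of issue_cert runs on the target server and only the .req file travels to the CA, and the serial and crlnumber files are what make re-issued certificates and republished CRLs distinguishable from their predecessors.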


