OpenSSL Creating a Private Certificate Authority: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
(8 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
# Move to the Certificate Authority directory. | # Move to the Certificate Authority directory. | ||
#:<tt>'''# cd /etc/pki/CA'''</tt> | #:<tt>'''# cd /etc/pki/CA'''</tt> | ||
#:<tt>'''# mkdir csrs'''</tt> | #:<tt>'''# mkdir /etc/pki/CA/{csrs,private,crl,newcerts,certs}'''</tt> | ||
# Create the index.txt and serial files needed for the Certificate Authority. | # Create the index.txt and serial files needed for the Certificate Authority. | ||
#:<tt>'''# touch /etc/pki/CA/index.txt'''</tt> | #:<tt>'''# touch /etc/pki/CA/index.txt'''</tt> | ||
Line 13: | Line 13: | ||
#: <tt>'''# cd /etc/pki/CA/'''</tt> | #: <tt>'''# cd /etc/pki/CA/'''</tt> | ||
#: <tt>'''# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525'''</tt> | #: <tt>'''# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525'''</tt> | ||
# To sign a CSR. | #Enable SubjectAltName. | ||
##Locate the <tt>'''[ proxy_cert_ext ]'''</tt> stanza. | |||
##Uncomment <tt>'''subjectAltName=email:copy'''</tt> and <tt>'''subjectAltName=email:move'''</tt> lines. | |||
#To sign a CSR. | |||
##Upload the <tt>'''<certificate signing request>.csr'''</tt> to <tt>'''/etc/pki/CA/csrs/.'''</tt> | ##Upload the <tt>'''<certificate signing request>.csr'''</tt> to <tt>'''/etc/pki/CA/csrs/.'''</tt> | ||
#:<tt>'''# cd /etc/pki/CA'''</tt> | #:<tt>'''# cd /etc/pki/CA'''</tt> | ||
#:<tt>'''# openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr'''</tt> | #:<tt>'''# openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr'''</tt> | ||
Latest revision as of 03:35, 15 November 2020
Red Hat Enterprise Linux/CentOS
- Move to the Certificate Authority directory.
- # cd /etc/pki/CA
- # mkdir /etc/pki/CA/{csrs,private,crl,newcerts,certs}
- Create the index.txt and serial files needed for the Certificate Authority.
- # touch /etc/pki/CA/index.txt
- # touch /etc/pki/CA/serial
- # echo 01 > serial
- Copy the existing openssl.cnf to the Certificate Authority directory.
- # cp /etc/pki/tls/openssl.cnf /etc/pki/CA/.
- Generate the CA Private Key and CA Certificate:
- # cd /etc/pki/CA/
- # openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525
- Enable SubjectAltName.
- Locate the [ proxy_cert_ext ] stanza.
- Uncomment subjectAltName=email:copy and subjectAltName=email:move lines.
- To sign a CSR.
- Upload the <certificate signing request>.csr to /etc/pki/CA/csrs/.
- # cd /etc/pki/CA
- # openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr