OpenSSL Creating a Private Certificate Authority: Difference between revisions

From UNIX Systems Administration
No edit summary
Line 1: Line 1:
__FORCETOC__
__FORCETOC__
== Red Hat Enterprise Linux/CentOS ==
== Red Hat Enterprise Linux/CentOS ==
#Move to the Certificate Authority directory.
# Move to the Certificate Authority directory.
##<tt>'''# cd /etc/pki/CA'''</tt>
#:<tt>'''# cd /etc/pki/CA'''</tt>
##<tt>'''# mkdir csrs'''</tt>
#:<tt>'''# mkdir csrs'''</tt>
#Create the index.txt and serial files needed for the Certificate Authority.
# Create the index.txt and serial files needed for the Certificate Authority.
##<tt>'''# touch /etc/pki/CA/index.txt'''</tt>
#:<tt>'''# touch /etc/pki/CA/index.txt'''</tt>
##<tt>'''# touch /etc/pki/CA/serial'''</tt>
#:<tt>'''# touch /etc/pki/CA/serial'''</tt>
##<tt>'''# echo 01 > serial'''</tt>
#:<tt>'''# echo 01 > serial'''</tt>
#Copy the existing openssl.cnf to the Certificate Authority directory.
# Copy the existing openssl.cnf to the Certificate Authority directory.
##<tt>'''# cp /etc/pki/tls/openssl.cnf /etc/pki/CA/.'''</tt>
#:<tt>'''# cp /etc/pki/tls/openssl.cnf /etc/pki/CA/.'''</tt>
#Generate the CA Private Key and CA Certificate:
# Generate the CA Private Key and CA Certificate:
## <tt>'''# cd /etc/pki/CA/'''</tt>
#: <tt>'''# cd /etc/pki/CA/'''</tt>
## <tt>'''# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525'''</tt>
#: <tt>'''# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525'''</tt>
#To sign a CSR.
# To sign a CSR.
##Upload the <tt>'''<certificate signing request>.csr'''</tt> to <tt>'''/etc/pki/CA/csrs/.'''</tt>
##Upload the <tt>'''<certificate signing request>.csr'''</tt> to <tt>'''/etc/pki/CA/csrs/.'''</tt>
##<tt>'''# cd /etc/pki/CA'''</tt>
#:<tt>'''# cd /etc/pki/CA'''</tt>
##<tt>'''# openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr'''</tt>
#:<tt>'''# openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr'''</tt>


== Debian/Ubuntu ==
== Debian/Ubuntu ==
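Review bot: In step 5 the `##Upload the <tt>'''<certificate signing request>.csr'''</tt>` line keeps its `##` prefix while the `cd` and `openssl ca` lines after it move to `#:`, so the upload instruction renders as a lone sub-item "1." with the commands no longer numbered beneath it; convert it to plain step text or a `#:` line so step 5 reads like steps 1 to 4. Separately, step 2 still mixes absolute paths (`touch /etc/pki/CA/serial`) with a relative `echo 01 > serial`, which only writes the intended file because of the `cd /etc/pki/CA` in step 1; writing to `/etc/pki/CA/serial` there would remove that dependency.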

Revision as of 21:15, 13 December 2017

Red Hat Enterprise Linux/CentOS

  1. Move to the Certificate Authority directory.
    # cd /etc/pki/CA
    # mkdir csrs
  2. Create the index.txt and serial files needed for the Certificate Authority.
    # touch /etc/pki/CA/index.txt
    # touch /etc/pki/CA/serial
    # echo 01 > serial
  3. Copy the existing openssl.cnf to the Certificate Authority directory.
    # cp /etc/pki/tls/openssl.cnf /etc/pki/CA/.
  4. Generate the CA Private Key and CA Certificate:
    # cd /etc/pki/CA/
    # openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 36525
  5. Sign a CSR:
    1. Upload the <certificate signing request>.csr to /etc/pki/CA/csrs/.
    # cd /etc/pki/CA
    # openssl ca -config openssl.cnf -policy policy_anything -out certs/<certificate>.crt -infiles csrs/<certificate signing request>.csr
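
The five steps above, run end to end in a throwaway directory instead of /etc/pki/CA, as an added example that is not part of the original wiki page: it shows the state of `index.txt` and `serial` after one signing and checks the issued certificate against the CA with `openssl verify`. The minimal `openssl.cnf`, the `-nodes`, `-newkey`, `-subj` and `-batch` options and all subject names are assumptions made so the run needs no prompts; the resulting test CA key is unencrypted and must not be reused.

```shell
# Added example: throwaway CA in a temp dir, not the wiki's /etc/pki/CA.
# -nodes, -subj, -batch, the names and the minimal config are assumptions.
ca_roundtrip() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    umask 077                       # private keys are created owner-only
    mkdir certs csrs newcerts private
    touch index.txt                 # issuance database kept by `openssl ca`
    echo 01 > serial                # next serial number to assign (hex)
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_md = sha256
default_days = 365
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    {
      openssl req -config openssl.cnf -new -x509 -extensions v3_ca -nodes \
        -newkey rsa:2048 -subj "/CN=Constructed Test CA" \
        -keyout private/cakey.pem -out cacert.pem -days 36525 &&
      openssl req -config openssl.cnf -new -nodes -newkey rsa:2048 \
        -subj "/CN=host.example.test" -keyout host.key -out csrs/host.csr &&
      openssl ca -config openssl.cnf -batch -policy policy_anything \
        -out certs/host.crt -infiles csrs/host.csr &&
      openssl verify -CAfile cacert.pem certs/host.crt   # chain check
    } >/dev/null 2>&1 || exit 1
    # One issuance later: serial advanced, index.txt holds one Valid (V) row.
    echo "serial=$(cat serial) status=$(cut -c1 index.txt) rows=$(grep -c . index.txt)"
  )
  rc=$?; rm -rf "$d"; return "$rc"
}
ca_roundtrip
```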

Debian/Ubuntu