
281 - Create Private CA (Certificate Authority)

For a web server to accept 'https://' requests, Apache2 (with mod_ssl) needs a private/public key pair and a certificate, generated
and stored in the proper location(s). The steps below create a private CA with a self-signed CA certificate, then use it to issue a 1024 bit RSA key pair and server certificate valid for 365 days...

1. Create a private CA

# cd /etc/pki
# mkdir myCA
# cp tls/misc/CA myCA/
# cp tls/openssl.cnf myCA/
# echo 01 > myCA/crlnumber

2. Edit /etc/pki/myCA/CA

# vi /etc/pki/myCA/CA

=================================================================

SSLEAY_CONFIG="-config /etc/pki/myCA/openssl.cnf"   <--- Modify (must point at the openssl.cnf copied in step 1)
DAYS="-days 365"        # 1 year
CADAYS="-days 1095"     # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"

CATOP=/etc/pki/myCA     <--- *** Modify

..............

-newca)
            $CA -out ${CATOP}/$CACERT $CADAYS -batch \
                           -extensions v3_ca \              <---- *** Add
                           -keyfile ${CATOP}/private/$CAKEY -selfsign \
                           -infiles ${CATOP}/$CAREQ

=================================================================

 

3. Modify openssl.cnf

# vi /etc/pki/myCA/openssl.cnf

=================================================================

[ CA_default ]
dir             = /etc/pki/myCA        # Where everything is kept

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California

localityName                    = Locality Name (eg, city)
localityName_default            = Irvine

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = My Company Ltd.

.............

[ usr_cert ]

basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

.............

#nsComment         = "OpenSSL Generated Certificate"  <--- *** Comment out.

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

.............

[ v3_ca ]

keyUsage = cRLSign, keyCertSign     <---- *** Remove the leading '#' so this line is no longer commented out.

=================================================================

4. Generate the CA private key, public key and self-signed CA certificate

# cd /etc/pki/myCA
# ./CA -newca

# mv careq.pem certs/00.pem
# openssl ca -config openssl.cnf -gencrl -out crl.pem

========================================================
CA Certificate         - cacert.pem, newcerts/00.pem
CA Private Key         - private/cakey.pem
CA Certificate Request - certs/00.pem

5. Create a signed certificate

# cd /etc/pki/myCA
# ./CA -newreq

Generating a 1024 bit RSA private key
.........++++++
........................................................................................++++++
writing new private key to newreq.pem
Enter PEM pass phrase: (Enter a pass phrase for the new server key)
Verifying - Enter PEM pass phrase: (Enter the same pass phrase again)
.......

# ./CA -sign

........
Using configuration from /etc/pki/myCA/openssl.cnf
Enter pass phrase for /etc/pki/myCA/private/cakey.pem: (Enter the CA key pass phrase chosen in step 4)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)

...............

Signed certificate is in newcert.pem

=========================================================

# ls newcerts
01.pem  02.pem  03.pem  (The highest number is the certificate just signed; use that number below)
# mv newreq.pem certs/03.pem
# mv newkey.pem private/03.pem
# rm newcert.pem

# openssl x509 -in newcerts/03.pem -out server.crt
# openssl rsa -in private/03.pem -out server.key
Enter pass phrase for private/03.pem:  (Enter the pass phrase; server.key is written without one so Apache can start unattended)

SSLCertificateFile    - server.crt
SSLCertificateKeyFile - server.key

6. Configure the private key and certificate in Apache

# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/myCA/server.crt
SSLCertificateKeyFile /etc/pki/myCA/server.key

7. Restart Apache Server

# service httpd restart
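The whole procedure above (create a CA, issue a server key and certificate under the usr_cert extensions, strip the pass phrase from the key) can also be done with plain openssl commands instead of the CA wrapper script. The script below is an added example, not part of the original page: it works in a scratch directory rather than /etc/pki/myCA, uses 2048-bit keys (the page uses 1024), supplies a constructed pass phrase non-interactively, and finishes with the checks a practitioner would want before handing the files to Apache, namely that the certificate chains to the CA, that it is an end-entity certificate (CA:FALSE, serverAuth) and that the resulting server.key is no longer encrypted.

```shell
#!/bin/sh
# Added example (not the page's own commands): private CA plus one server
# certificate with plain openssl, then verification. All paths, names and
# the pass phrase below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"                       # scratch dir, not /etc/pki
PASSPHRASE="${PASSPHRASE:-constructed-demo-pass}"  # constructed, demo only

# Config mirroring the page's edits: v3_ca may sign certs and CRLs,
# usr_cert is an end-entity TLS server certificate.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C  = US
ST = California
L  = Irvine
O  = My Company Ltd.
CN = example.test
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 4 equivalent: CA key and self-signed CA certificate (3 years).
make_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  chmod 600 "$WORK/cakey.pem"
  openssl req -new -x509 -days 1095 -config "$WORK/openssl.cnf" \
    -extensions v3_ca -key "$WORK/cakey.pem" \
    -subj "/C=US/O=My Company Ltd./CN=Example Private CA" \
    -out "$WORK/cacert.pem"
}

# Step 5 equivalent: encrypted server key, CSR, CA-signed cert (1 year),
# then a copy of the key without the pass phrase for Apache.
issue_server_cert() {
  openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
    -out "$WORK/newkey.pem" 2048 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/newkey.pem" \
    -passin "pass:$PASSPHRASE" \
    -subj "/C=US/ST=California/L=Irvine/O=My Company Ltd./CN=www.example.test" \
    -out "$WORK/newreq.pem"
  openssl x509 -req -days 365 -in "$WORK/newreq.pem" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions usr_cert \
    -out "$WORK/server.crt" 2>/dev/null
  openssl rsa -in "$WORK/newkey.pem" -passin "pass:$PASSPHRASE" \
    -out "$WORK/server.key" 2>/dev/null
  chmod 600 "$WORK/server.key"   # unencrypted key: root-readable only
}

# Returns 0 when server.crt validates against the CA certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null
}

# Returns 0 when the issued certificate is an end-entity TLS server cert
# and the Apache copy of the key is unencrypted and well-formed.
check_constraints() {
  text=$(openssl x509 -in "$WORK/server.crt" -noout -text)
  case "$text" in *"CA:FALSE"*) ;; *) return 1 ;; esac
  case "$text" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  if grep -q 'ENCRYPTED' "$WORK/server.key"; then return 1; fi
  openssl rsa -in "$WORK/server.key" -check -noout >/dev/null 2>&1
}

run_all() {
  write_config
  make_ca
  issue_server_cert
  verify_chain
  check_constraints
}

if command -v openssl >/dev/null 2>&1; then
  run_all
  echo "CA and server material written to $WORK"
else
  echo "openssl not found; nothing generated" >&2
fi
```

The two checks at the end are the ones worth keeping in any certificate-issuing script: a certificate that validates against the CA but still carries CA:TRUE, or a key that Apache cannot read because the pass phrase was never stripped, are the usual reasons the httpd restart in step 7 fails or the result is less safe than intended.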

 


