Skip to main content

How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux? (RedHat © )

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • openssl

Resolution

Configuring the Certificate Authority

1. Set up /etc/pki/CA as your certificate authority's working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled "[CA_default]", and edit the following lines in the section to read:
dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key
2. The "[req_distinguished_name]" section lists several default options you may want to change. For example, you may want to set new defaults for C, ST, L, and O to appropriate values for your organization, such as:
countryName_default =US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
organizationName_default = Example, Inc.
3. Create some supporting directories for certificates and CRLs: The /etc/pki/CA directory should be owned as root.root and have permissions 0700. It should contain a private subdirectory with the same permissions:
# mkdir /etc/pki/CA/{certs,crl,newcerts}
4. Create an empty certificate index:
# touch /etc/pki/CA/index.txt
5. In addition, create a file to indicate the next certificate serial number to be issued:
# echo 01 > /etc/pki/CA/serial
6. Next, while in /etc/pki/CA, you need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later:
# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
7. For your CA certificate, take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use"$hostname Certificate Authority". Set the other fields as you see fit:
# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
The /etc/pki/CA/private/my-ca.key file is the private key for your CA. This file must be very carefully protected. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.
At this point your CA is ready to sign certificates and can sign CSR (Certificate Signing Request) generated by different applications like LDAP, Dovecot, and Apache

Signing CA certificate using the Certificate Authority

  1. Create a private key for the service from the application server
    #  openssl genrsa 1024 > ldap_server.key
    Make sure to set correct permissions for the key (It should not be world readable)
  2. Create the certificate signing request
    # openssl req -new -key ldap_server.key  -out ldap_server.csr
    Fill CountryName, StateOrProvinceName, LocalityName, and Organization when prompted, make sure to use the FQDN of the host for CommonName
  3. Copy the CSR to openssl CA server.
  4. Use openssl ca command to sign the CSR.
    # openssl ca -config <path_toopenssl.cnf> -out ldap_server.crt -infiles ldap_server.csr
  5. Copy the signed certificate to the server, Configure the server to use the singed certificate.

Installing CA certificate on the Clients

The clients require the CA certificate to trust the server certificates signed by this CA, copy/import the CA certificate to the clients.
For example, ldap clients expects the CA certificate to be present under /etc/openldap/cacerts directory, If apache server is configured to use SSL using the CA signed cert, the CA certificate has to be imported to the web browser.

Make CA certificate available to Clients

The CA may make its public certificate easily downloadable by clients. You can use httpd to do that.
1. Install httpd
# yum install httpd
2. Start httpd:
# chkconfig httpd on; service httpd start
3. Copy my-ca.crt in /var/www/html/certs
# cp /etc/pki/CA/my-ca.crt /var/www/html/certs

Comments

Post a Comment

Popular posts from this blog

memory error detect XSCF uboot

If you see something like this when you poweron you server: memory error detect 80000008, address 000002d0 data 55555555 -> fbefaaaa capture_data hi fbefaaaa lo deadbeef ecc 1b1b capture_attributes 01113001 address 000002d0 memory error detect 80000008, address 000002d4 data aaaaaaaa -> deadbeef capture_data hi fbefaaaa lo deadbeef ecc 1b1b capture_attributes 01113001 address 000002d4 memXSCF uboot  01070000  (Feb  8 2008 - 11:12:19) XSCF uboot  01070000  (Feb  8 2008 - 11:12:19) SCF board boot factor = 7180     DDR Real size: 256 MB     DDR: 224 MB Than your XSCF card is broked. Replace it with new one. After that it will ask you for enter chassis number - located at front of the server XSCF promt to enter your chasses number ( is a S/N of your server ): Please input the chassis serial number : XXXXXXX 1:PANEL Please select the number : 1 Restoring data from PANEL to XSCF#0. Please wait for several minutes ... setdefaults : XSCF clear : start ......
1 comment
Read more

FOS Password recovery (Brocade Fabric OS Switch Password recovery procedure)

Password recovery using root account If you have access to the root account, you can reset the passwords on the switch to default. This feature is available for all currently supported versions of the Fabric OS. Follow the below steps to reset any account password from the root account. 1. Open a CLI session (serial or telnet for an unsecured system and sectelnet for a secure system) to the switch. 2. Log in as root. 3. At the prompt, enter the passwddefault command as shown below: switch:root> passwddefault 4. Follow the prompts to reset the password for the selected account. For example: switch:root> passwddefault All account passwords have been successfully set to factory default. Once the passwords have been reset, log into the switch as admin, and modify your default passwords. Make sure to keep a hardcopy of your switch passwords in a secure location. The default passwords for Fabric OS switches are: Root fibranne Adminpassword Userpassword Password r
4 comments
Read more

SPARC OBP cheatsheet

Boot PROM Basics Boot PROM(programmable read only memory): It is a firmware (also known as the monitor program) provides: 1. basic hardware testing & initialization before booting. 2. contains a user interface that provide access to many important functions. 3. enables the system to boot from wide range of devices. It controls the system operation before the kernel becomes available. It provides a user interface and firmware utility commands known as FORTH command set. These commands include the boot commands, the diagnostic commands & the commands for modifying the default configuration. Command to determine the version of the Open Boot PROM on the system: # /usr/platform/'uname -m'/sbin/prtdiag -v (output omitted) System PROM revisions: ---------------------- OBP 4.16.4 2004/12/18 05:21 Sun Blade 1500 (Silver) OBDIAG 4.16.4.2004/12/18 05:21 # prtconf -v OBP 4.16.4 2004/12/18 05:21 Open Boot Architectures Standards: It is based on IEEE standard #1275, accord
Post a Comment
Read more