How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux? (Red Hat)
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- openssl
Resolution
- Configuring the Certificate Authority
- Signing Certificates using the Certificate Authority
- Installing CA certificate on the Clients
- Make CA certificate available to Clients
Configuring the Certificate Authority
1. Set up /etc/pki/CA as your certificate authority's working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled "[ CA_default ]" and edit the following lines in that section to read:
dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key
2. The "[ req_distinguished_name ]" section lists several default options you may want to change. For example, you may want to set new defaults for C, ST, L, and O to appropriate values for your organization, such as:
countryName_default = US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
organizationName_default = Example, Inc.
3. Create the supporting directories for certificates and CRLs. The /etc/pki/CA directory should be owned by root.root and have permissions 0700. It should contain a private subdirectory with the same permissions; -p makes the commands harmless if some of the directories already exist:
# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
# chmod 0700 /etc/pki/CA /etc/pki/CA/private
4. Create an empty certificate index:
# touch /etc/pki/CA/index.txt
5. In addition, create a file to indicate the next certificate serial number to be issued:
# echo 01 > /etc/pki/CA/serial
6. Next, while in /etc/pki/CA, generate the private key for your CA. You will be prompted for a passphrase, which will be needed again in step 7 and every time the CA signs a certificate:
# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
7. Create the self-signed CA certificate. Take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use "$hostname Certificate Authority". Set the other fields as you see fit. With the stock openssl.cnf, "-x509" applies the "[ v3_ca ]" extensions, so the certificate is marked as a CA; "-days" sets how long the CA certificate, and therefore every certificate it signs, remains trusted:
# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
The /etc/pki/CA/private/my-ca.key file is the private key for your CA. This file must be very carefully protected: anyone who obtains it can issue certificates that all of your clients will trust. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.
At this point your CA is ready to sign certificates. It can sign a CSR (Certificate Signing Request) generated by any application, such as LDAP, Dovecot, or Apache.
Signing Certificates using the Certificate Authority
- Create a private key for the service on the application server. Generate it under a restrictive umask so the key is never world readable. The original command produced a 1024-bit key; 1024-bit RSA is no longer considered adequate, so use 2048 bits as for the CA key:
# (umask 077; openssl genrsa -out ldap_server.key 2048)
- Create the certificate signing request:
# openssl req -new -key ldap_server.key -out ldap_server.csr
Fill in CountryName, StateOrProvinceName, LocalityName, and Organization when prompted, and make sure to use the FQDN of the host, the name clients will connect to, for CommonName.
- Copy the CSR to the OpenSSL CA server.
- Use the openssl ca command to sign the CSR. The -config option is only needed if the CA settings are not in the default /etc/pki/tls/openssl.cnf edited in step 1. You will be prompted for the CA key passphrase and asked to confirm the signing; afterwards the CA records the certificate in index.txt, keeps a copy in newcerts/ named after its serial number, and increments the serial file:
# openssl ca -config <path_to_openssl.cnf> -out ldap_server.crt -infiles ldap_server.csr
- Copy the signed certificate back to the server and configure the server to use the signed certificate. The server needs only ldap_server.key and ldap_server.crt; the CA private key never leaves the CA host.
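The script below is an added worked example, not part of the Red Hat article: it runs the CA set-up and signing procedure above unattended in a scratch directory that mirrors the /etc/pki/CA layout, so nothing under /etc is touched. It writes its own minimal openssl.cnf (a [ CA_default ] pointing at the same files as step 1, a permissive DN policy, CA extensions for the self-signed root and server extensions for issued certificates), creates the CA key and certificate, issues a certificate for a CSR with openssl ca, and then performs the check a client would: openssl verify against my-ca.crt. The subject values, the hostname ldap.example.com and the 365-day lifetimes are placeholders, and the CA key is left unencrypted only so the script can run without prompts; a real CA should keep the article's -des3 passphrase-protected key.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): the CA set-up and signing
# procedure, run unattended in a scratch directory that mirrors /etc/pki/CA.
# Subject values, ldap.example.com and the 365-day lifetimes are placeholders.
set -eu

# Steps 1-5: lay out the CA directory and write a minimal openssl.cnf for it.
# "\$dir" is written literally so that openssl, not the shell, expands it.
setup_ca() {
    CADIR=$1
    (umask 077; mkdir -p "$CADIR/private")   # CADIR and private/ end up 0700
    mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts"
    touch "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CADIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/my-ca.crt
private_key     = \$dir/private/my-ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name (only used when prompting)
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Steps 6-7. Key left unencrypted so this runs unattended; a real CA
    # should use the article's passphrase-protected (-des3) key.
    (umask 077; openssl genrsa -out "$CADIR/private/my-ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/openssl.cnf" \
        -key "$CADIR/private/my-ca.key" -days 365 \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example Inc/CN=Example Certificate Authority" \
        -out "$CADIR/my-ca.crt"
}

# Server side: key and CSR with the host FQDN as CommonName. CA side: sign it
# (-batch skips the confirmation prompt, -notext keeps the .crt pure PEM).
issue_server_cert() {
    CADIR=$1; FQDN=$2
    (umask 077; openssl genrsa -out "$CADIR/$FQDN.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -key "$CADIR/$FQDN.key" \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example Inc/CN=$FQDN" \
        -out "$CADIR/$FQDN.csr"
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
        -out "$CADIR/$FQDN.crt" -infiles "$CADIR/$FQDN.csr"
}

# What a client holding my-ca.crt does: check that the server certificate
# chains to the CA. Exit status 0 means the chain verifies.
verify_server_cert() {
    openssl verify -CAfile "$1/my-ca.crt" "$1/$2.crt" >/dev/null
}

# Fingerprint to publish out of band so users can check a downloaded my-ca.crt.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/my-ca.crt"
}

# Stand-alone run in a throw-away directory.
WORK=$(mktemp -d)
setup_ca "$WORK/CA"
issue_server_cert "$WORK/CA" ldap.example.com
verify_server_cert "$WORK/CA" ldap.example.com
echo "ldap.example.com.crt chains to my-ca.crt; next serial: $(cat "$WORK/CA/serial")"
ca_fingerprint "$WORK/CA"
rm -rf "$WORK"
```

On a real CA host the same functions apply with CADIR=/etc/pki/CA and the system openssl.cnf in place of the generated one; the verify step is the quickest way to confirm that a freshly signed certificate really was issued by the key in private/my-ca.key before it is shipped to a server.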
Installing CA certificate on the Clients
The clients need the CA certificate in order to trust the server certificates signed by this CA, so copy or import the CA certificate (my-ca.crt, never the CA key) to the clients. Where it goes depends on the client. For example, LDAP clients configured with TLS_CACERTDIR expect the CA certificate under the /etc/openldap/cacerts directory, and if an Apache server is configured to use SSL with the CA-signed certificate, the CA certificate has to be imported into each web browser's trust store.
Make CA certificate available to Clients
The CA may make its public certificate easily downloadable by clients. You can use httpd to do that. Note that a plain HTTP download gives the client no assurance that the file is genuine, so publish the CA certificate's fingerprint through a separate channel and have users compare it before they import the certificate.
1. Install httpd:
# yum install httpd
2. Enable httpd at boot and start it:
# chkconfig httpd on; service httpd start
3. Copy my-ca.crt to /var/www/html/certs (the directory does not exist by default):
# mkdir -p /var/www/html/certs
# cp /etc/pki/CA/my-ca.crt /var/www/html/certs