How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux? (Red Hat)

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • openssl

Resolution

Configuring the Certificate Authority

1. Set up /etc/pki/CA as your certificate authority's working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled "[CA_default]", and edit the following lines in the section to read:
dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key
2. The "[req_distinguished_name]" section lists several default options you may want to change. For example, you may want to set new defaults for C, ST, L, and O to appropriate values for your organization, such as:
countryName_default =US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
organizationName_default = Example, Inc.
3. Create the supporting directories for certificates and CRLs. The /etc/pki/CA directory should be owned by root:root with permissions 0700, and it should contain a private subdirectory with the same ownership and permissions:
# mkdir /etc/pki/CA/{certs,crl,newcerts}
4. Create an empty certificate index:
# touch /etc/pki/CA/index.txt
5. In addition, create a file to indicate the next certificate serial number to be issued:
# echo 01 > /etc/pki/CA/serial
6. Next, while in /etc/pki/CA, you need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later:
# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
7. For your CA certificate, take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use "$hostname Certificate Authority". Set the other fields as you see fit:
# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
The /etc/pki/CA/private/my-ca.key file is the private key for your CA and must be very carefully protected. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.
At this point your CA is ready to sign certificates: it can sign CSRs (Certificate Signing Requests) generated by applications such as LDAP, Dovecot, and Apache.

Signing a server certificate using the Certificate Authority

  1. On the application server, create a private key for the service:
    # openssl genrsa 1024 > ldap_server.key

    Make sure to set correct permissions on the key (it must not be world-readable).
  2. Create the certificate signing request:
    # openssl req -new -key ldap_server.key -out ldap_server.csr

    Fill in CountryName, StateOrProvinceName, LocalityName, and Organization when prompted, and use the FQDN of the host for CommonName.
  3. Copy the CSR to the OpenSSL CA server.
  4. Use the openssl ca command to sign the CSR:
    # openssl ca -config <path_to_openssl.cnf> -out ldap_server.crt -infiles ldap_server.csr

  5. Copy the signed certificate back to the application server and configure the server to use it.
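The following script is an added example and is not part of the Red Hat article. It performs the "Configuring the Certificate Authority" steps and the "Signing a server certificate" steps above non-interactively, in a directory you choose instead of /etc/pki/CA, and finishes with the check a client performs once the CA certificate is installed (openssl verify against the CA certificate, plus a CommonName check). The CA file name (my-ca), the starting serial (01), the [req_distinguished_name] defaults and the 365-day validity are taken from the article; the minimal openssl.cnf written by ca_init is an assumed stand-in for /etc/pki/tls/openssl.cnf, the 2048-bit key size and the extension sections are this example's choices, and the function names are hypothetical. Unlike the article, the CA key is generated without -des3 so the functions run unattended; a real CA should keep the passphrase.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): build a private CA in DIR,
# issue a server certificate from a CSR, and verify it the way a client would.
# The openssl.cnf written here is a minimal stand-in for /etc/pki/tls/openssl.cnf.

# ca_init DIR: CA working directory with the layout, permissions, empty index
# and starting serial from the "Configuring the Certificate Authority" steps.
ca_init() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 0700 "$dir" "$dir/private"
    : > "$dir/index.txt"          # empty certificate database
    echo 01 > "$dir/serial"       # next serial number to issue
    # "$dir" below expands now; "\$dir" stays literal for openssl to expand.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
certs           = \$dir/certs
crl_dir         = \$dir/crl
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/my-ca.crt
crl             = \$dir/my-ca.crl
private_key     = \$dir/private/my-ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = v3_server

[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
localityName        = optional
commonName          = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
countryName_default         = US
stateOrProvinceName_default = North Carolina
localityName_default        = Raleigh
organizationName_default    = Example, Inc.

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# ca_selfsign DIR CN: CA private key plus self-signed CA certificate (steps 6-7).
# No -des3 here so the function runs unattended; a real CA keeps the passphrase.
ca_selfsign() {
    dir="$1"; cn="$2"
    (umask 077; openssl genrsa -out "$dir/private/my-ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/my-ca.key" \
        -days 365 -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=$cn" \
        -out "$dir/my-ca.crt"
}

# issue_server_cert DIR FQDN OUTDIR: server key, CSR with CN=FQDN, and the
# certificate signed by the CA (the "Signing a server certificate" steps 1-4).
issue_server_cert() {
    dir="$1"; fqdn="$2"; out="$3"
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/$fqdn.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$out/$fqdn.key" \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=$fqdn" \
        -out "$out/$fqdn.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -out "$out/$fqdn.crt" -infiles "$out/$fqdn.csr"
}

# verify_cert CAFILE CERT: the check a client makes with the installed CA
# certificate; succeeds only if CERT chains to CAFILE.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the CommonName, to confirm it is the server's FQDN.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

Run it as, for example, `ca_init /tmp/myca; ca_selfsign /tmp/myca "ca.example.com Certificate Authority"; issue_server_cert /tmp/myca ldap.example.com /tmp/ldap; verify_cert /tmp/myca/my-ca.crt /tmp/ldap/ldap.example.com.crt`. The policy_match section makes openssl ca refuse a CSR whose C, ST or O differ from the CA's, and the v3_server extensions mark issued certificates as non-CA, server-authentication certificates, which is what a client validating an LDAP or HTTPS server expects.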

Installing CA certificate on the Clients

Clients need the CA certificate in order to trust server certificates signed by this CA, so copy or import the CA certificate onto each client.
For example, LDAP clients expect the CA certificate to be present in the /etc/openldap/cacerts directory, and if an Apache server is configured for SSL with a certificate signed by this CA, the CA certificate has to be imported into the web browser.

Make CA certificate available to Clients

The CA can make its public certificate easily downloadable by clients; httpd is one way to do that.
1. Install httpd
# yum install httpd
2. Start httpd:
# chkconfig httpd on; service httpd start
3. Copy my-ca.crt into /var/www/html/certs (create the directory first if it does not exist):
# cp /etc/pki/CA/my-ca.crt /var/www/html/certs
