SSL Certs

From UGCS

Each CA lives in /opt/CA on the head server of the cluster it authenticates for.

To create a CA, run the following as root:


#Create directory structure
mkdir -p /opt/CA/{certs,crl,newcerts,private,reqs}

#Initialize CA infrastructure (serial and index.txt are what 'openssl ca' reads and updates)
echo "01" > /opt/CA/serial
touch /opt/CA/index.txt

#Fix the configuration file by resetting CA dir
#TODO: Make this work generally, i.e. reset options, rather than sed magic that may change in future revisions
#Edit in place: redirecting sed's output back into the same file would truncate it before sed reads it
sed -i 's/\.\/demoCA/\/opt\/CA/' /etc/ssl/openssl.cnf

#Make the signing certificate: CA key in private/, self-signed CA cert in /opt/CA (the paths openssl.cnf expects)
openssl req -new -x509 -keyout /opt/CA/private/cakey.pem -out /opt/CA/cacert.pem

Verifying the permissions on /opt/CA is strongly recommended: a regular user shouldn't even be able to traverse this directory, let alone reach the CA private key under /opt/CA/private.
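As a concrete form of that check, the following is an added example (not from the UGCS page): a POSIX shell function that audits a CA directory with the layout created above, reporting missing state files and any path that grants group or other permission bits. It assumes the paths from this page and checks mode bits only, not ownership.

```shell
#!/bin/sh
# Audit a CA directory laid out like /opt/CA on this page.
# Added example, not part of the UGCS page. Checks the state files the setup
# steps create and that no path under the directory grants any permission to
# group or other. Ownership (root) is not checked so it can run unprivileged.
# Exit status: 0 if everything is in order, 1 otherwise (problems are printed).
audit_ca_dir() {
    dir="${1:-/opt/CA}"
    rc=0

    # Directories created by the mkdir step.
    for d in certs crl newcerts private reqs; do
        if [ ! -d "$dir/$d" ]; then
            echo "MISSING DIR: $dir/$d"
            rc=1
        fi
    done

    # State files: serial and index.txt are needed by 'openssl ca'; the key
    # and certificate are produced by the 'openssl req -new -x509' step.
    for f in serial index.txt private/cakey.pem cacert.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done

    # A regular user must not even be able to traverse the directory, so any
    # group/other bit anywhere in the tree (top directory included) is a finding.
    offenders=$(find "$dir" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                            -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$offenders" ]; then
        printf 'LOOSE PERMISSIONS:\n%s\n' "$offenders"
        rc=1
    fi
    return "$rc"
}
```

Run it as `audit_ca_dir /opt/CA` after the setup steps; a non-zero exit with a listed path means that path needs `chmod` (or the file is missing).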

To issue a certificate once a CA exists, run the following as a user with permissions on the CA directory, replacing ldap with the name of the service you're certifying.


SERVICE="ldap"

#Generate the service key and a self-signed certificate in one file
#(openssl req appends the certificate when -keyout and -out name the same file;
# note ${SERVICE}, not $(SERVICE), which the shell would run as a command)
openssl req -nodes -new -x509 -keyout /opt/CA/reqs/${SERVICE}_req.pem -out /opt/CA/reqs/${SERVICE}_req.pem

#Turn the self-signed certificate back into a request, then sign it with the CA
openssl x509 -x509toreq -in /opt/CA/reqs/${SERVICE}_req.pem -signkey /opt/CA/reqs/${SERVICE}_req.pem -out /opt/CA/tmp.pem
openssl ca -policy policy_anything -out /opt/CA/certs/${SERVICE}_cert.pem -infiles /opt/CA/tmp.pem

#Clean up (the temporary request was written to /opt/CA, not /tmp)
rm -f /opt/CA/tmp.pem