Posts Tagged ‘necessary directory’

Create your own Certificate Authority using OpenSSL on CentOS

OpenSSL is an implementation of the SSL and TLS protocols. It is open-source and is the de-facto standard toolkit for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It is written in C and also contains a general purpose cryptography library. Being written in C allows for various wrappers for other programming languages to exist.

Installing OpenSSL on CentOS is actually quite easy. All you have to do is enter the following command:

yum install openssl

Note: Depending on your installation configurations OpenSSL may already be installed on your system.

Note: This tutorial uses OpenSSL 1.0.0.

After we install OpenSSL, we need to setup our own Certificate Authority. To do so we first navigate to /etc/pki/CA:

cd /etc/pki/CA

Now we will make a directory where our certificates will be stored:

mkdir certs

Another necessary directory is for the revocation list:

mkdir crl

Note: crl stands for Certificate Revocation List.

Now we must create a directory for storing the unencrypted certificates:

mkdir newcerts

Next, create an empty file index.txt (you may use touch). The index.txt file is the database for certificates. Additionally, create two files containing the next serial number for a certificate and the next serial number for the revocation list:

echo ’01’ > serial

echo ’01’ > crlnumber

Almost ready. Copy the standard openssl config file to you current directory:

cp /etc/pki/tls/openssl.cnf openssl.cnf

And edit the config file (the one stored at /etc/pki/CA/openssl.cnf):

Change this line:

dir             = /etc/pki/CA           # Where everything is kept


dir             = .           # Where everything is kept

Change this line:

certificate     = $dir/cacert.pem       # The CA certificate


certificate     = $dir/certs/ca.crt       # The CA certificate

And this line:

private_key     = $dir/private/cakey.pem# The private key


private_key     = $dir/private/ca.key # The private key

And last, but certainly not least, make /etc/pki/CA/openssl.cnf readable only for you:

chmod 0600 openssl.cnf

After that, the process of creating a certificate authority is actually quite easy. Navigate to /etc/pki/CA:

cd /etc/pki/CA

Enter the following command:

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

if you want to create a CA valid for 10 years. You will be prompted:

Generating a 2048 bit RSA private key
writing new private key to 'private/ca.key'
Enter PEM pass phrase:<password>
Verifying - Enter PEM pass phrase:<password>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:<country>
State or Province Name (full name) []:<state>
Locality Name (eg, city) [Default City]:<city>
Organization Name (eg, company) [Default Company Ltd]:<organization>
Organizational Unit Name (eg, section) []:<department>
Common Name (eg, your name or your server's hostname) []:<common_name>
Email Address []:<email>

Where common_name is usually formed like ca.<your_domain>, and <email> is usually ca@<your_domain>

Finally, don’t forget to restrict the access to your private key:

chmod 0400 private/ca.key

For more on OpenSSL checkout how to create and sign certificates.

VN:F [1.9.18_1163]
Rating: 10.0/10 (3 votes cast)