Labeled NFS/Demo/Manual/LDAP/CA
Openssl SSL Certificate
The openssl package provides the necessary scripts for creating certificates.
- This includes a certificate that can be used as a Certificate Authority (CA) to sign the other certificates created afterwards.
Preparation
Edit /etc/pki/tls/openssl.cnf.
Change the following lines to values appropriate for the certificate that is going to be created. Editing this file is not required, since the script that creates certificates prompts for the same data, but it is often easier to set the defaults in the file once and then run the script and accept them.

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland
localityName = Locality Name (eg, city)
localityName_default = Columbia
0.organizationName = Organization Name (eg, company)
0.organizationName_default = setest
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default =
organizationalUnitName = Organizational Unit Name (eg, section)
# organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
Creating the Certificate Authority (CA)
Options
By default, the CA expires in three years. The default lifetime can be changed by editing the CA script in /etc/pki/tls/misc/CA and setting CADAYS to the desired value.

DAYS="-days 365"
CADAYS="-days 3650"
The following step creates the Certificate Authority. Once the CA exists, any number of child certificates (i.e. certificates signed by the CA and used by servers and possibly clients) can be created. The CA is the critical piece in the chain of trust for every certificate it signs, and it is difficult to replace if its password is lost or compromised (all the machines that trust it must be reconfigured). The following should be observed:
- Create a secure password.
- Keep track of the password and who knows it.
[root@sefos /etc/pki/tls/misc]# bash ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...................................................++++++
..++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [Columbia]:
Organization Name (eg, company) [setest]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun 16 23:17:27 2008 GMT
            Not After : Jun 14 23:17:27 2018 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = setest
            commonName                = setest.com
            emailAddress              = admin@setest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 14 23:17:27 2018 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Create a Server Certificate
Now we move on to creating a certificate for a server. OpenSSL is called directly so that the server's private key is not protected by a password (the -nodes option). The CA script can also create a request with its -newreq option, but the resulting key would require a password.
- The fully qualified name of the server is required for the common name.
- This fully qualified name should resolve properly in DNS.
[root@sefos /etc/pki/tls/misc]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The certificate request (together with its unencrypted private key) is created and resides in /etc/pki/tls/newreq.pem.
Sign the Server Certificate
[root@sefos /etc/pki/tls/misc]# bash ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 16 23:29:08 2008 GMT
            Not After : Jun 16 23:29:08 2009 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            localityName              = Columbia
            organizationName          = setest
            commonName                = sefos.setest.com
            emailAddress              = admin@setest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 16 23:29:08 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=mikesoffice, CN=sefos.setest.com/emailAddress=admin@setest.com
        Validity
            Not Before: Jun 16 23:29:08 2008 GMT
            Not After : Jun 16 23:29:08 2009 GMT
        Subject: C=US, ST=Maryland, L=Columbia, O=setest, CN=sefos.setest.com/emailAddress=admin@setest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:0b:49:11:65:52:fe:df:a8:af:fd:a3:3e:5a:
                    67:78:39:ad:e8:38:ee:05:36:64:19:ed:47:79:0b:
                    61:2a:03:04:d9:97:9f:09:bd:df:1e:49:16:d1:6a:
                    d1:5e:ea:96:a5:c7:ad:d7:ba:c2:de:5d:78:a9:10:
                    12:24:6d:04:7e:ab:a8:20:1c:a0:56:a7:a3:48:fe:
                    4d:4d:9c:d4:22:05:29:36:7c:f5:2c:ce:fb:8c:86:
                    50:77:d3:3f:c7:19:25:81:db:e4:0f:08:f7:47:a0:
                    e5:a0:4c:8e:be:61:91:82:b6:d4:36:33:11:49:a9:
                    90:f0:0f:dc:07:8d:7b:e8:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

    Signature Algorithm: sha1WithRSAEncryption
        69:65:a5:26:8e:9a:e0:1c:4f:7b:b7:57:72:89:9e:16:3d:07:
        18:95:af:c0:5d:b5:e4:56:70:b5:4c:05:80:82:3a:59:f4:82:
        9c:87:16:4a:01:3c:a1:a2:88:39:4a:55:9b:92:9e:27:d9:ac:
        51:16:8f:72:7b:14:92:37:24:3f:70:fd:28:b0:b3:28:73:b8:
        7d:ee:86:42:dd:aa:6f:12:c9:2e:20:7c:10:be:5e:f8:c0:5d:
        1e:6a:d5:4f:79:b9:2f:b6:ff:ac:45:ed:c3:a3:3c:d5:b2:c5:
        b6:21:fa:3b:8b:de:74:f4:09:a4:57:d2:2d:1a:32:06:04:38:
        63:17
-----BEGIN CERTIFICATE-----
MIIDATCCAmqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLbWlrZXNvZmZpY2UxHjAcBgNV
BAMTFXNlZm9zLm1pa2Vzb2ZmaWNlLmNvbTEkMCIGCSqGSIb3DQEJARYVYWRtaW5A
bWlrZXNvZmZpY2UuY29tMB4XDTA4MDYxNjIzMjkwOFoXDTA5MDYxNjIzMjkwOFow
gZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhS
aWNobW9uZDEUMBIGA1UEChMLbWlrZXNvZmZpY2UxHjAcBgNVBAMTFXNlZm9zLm1p
a2Vzb2ZmaWNlLmNvbTEkMCIGCSqGSIb3DQEJARYVYWRtaW5AbWlrZXNvZmZpY2Uu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGC0kRZVL+36iv/aM+Wmd4
Oa3oOO4FNmQZ7Ud5C2EqAwTZl58Jvd8eSRbRatFe6palx63XusLeXXipEBIkbQR+
q6ggHKBWp6NI/k1NnNQiBSk2fPUszvuMhlB30z/HGSWB2+QPCPdHoOWgTI6+YZGC
ttQ2MxFJqZDwD9wHjXvomQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUTqhY
F5CNLKbCtB4KDv2+MuiJEtMwHwYDVR0jBBgwFoAUWCdbX/pT9u268Sj1N5rzm0yb
YfswDQYJKoZIhvcNAQEFBQADgYEAaWWlJo6a4BxPe7dXcomeFj0HGJWvwF215FZw
tUwFgII6WfSCnIcWSgE8oaKIOUpVm5KeJ9msURaPcnsUkjckP3D9KLCzKHO4fe6G
Qt2qbxLJLiB8EL5e+MBdHmrVT3m5L7b/rEXtw6M81bLFtiH6O4vedPQJpFfSLRoy
BgQ4Yxc=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Certificates
- The CA certificate now resides in /etc/pki/CA/cacert.pem.
- The signed server certificate resides in /etc/pki/tls/misc/newcert.pem.
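The following is an added example, not part of the original page or the CA script: it runs the CA and server-certificate steps described above non-interactively in a throwaway directory and then performs the checks worth running before a certificate is deployed. It assumes an openssl binary on the path, uses openssl req -x509 and openssl x509 -req in place of the CA script, and adds a 2048-bit key size and a subjectAltName that the page does not mention.

```shell
#!/bin/sh
# Added example (not from the page): non-interactive CA + server certificate,
# followed by verification. Everything lives under a mktemp directory, so
# /etc/pki is never touched. Subject values reuse the page's setest names.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
SRV_FQDN="sefos.setest.com"                     # common name used on the page
CA_SUBJ="/C=US/ST=Maryland/L=Columbia/O=setest/CN=setest CA"
SRV_SUBJ="/C=US/ST=Maryland/L=Columbia/O=setest/CN=$SRV_FQDN"

# Self-signed CA valid 3650 days (the page's CADAYS value). The CA key is
# left unencrypted only because this is a throwaway demo.
make_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -subj "$CA_SUBJ" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Server key + request (-nodes, as on the page), then sign it with the CA for
# 365 days. The extfile pins CA:FALSE and adds a SAN, which modern clients
# require in addition to the CN.
make_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "$SRV_SUBJ" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$SRV_FQDN" \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

# Check 1: the CA certificate really is a CA (basicConstraints CA:TRUE).
# The -newca output on the page shows CA:FALSE, which strict verifiers
# reject as an issuer, so this is worth confirming on a real CA too.
ca_is_ca() {
  openssl x509 -in "$WORK/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: the server certificate chains to the CA and matches the fully
# qualified name the page says must be used as the common name.
server_cert_ok() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$SRV_FQDN" \
    "$WORK/newcert.pem" >/dev/null 2>&1
}

make_ca && make_server_cert
ca_is_ca && server_cert_ok && echo "CA and server certificate verified in $WORK"
```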