A Certificate Authority (CA) issues and signs certificates; a client that trusts the CA's own certificate can then verify the authenticity of any certificate the CA has signed. The steps below create a private CA with the CA.sh helper script that ships with OpenSSL. Start by installing the openssl package:
apt-get install openssl
Create Private Certificate Authority
- OpenSSL (version 0.9.8) is installed under /usr/lib/ssl. The CA.sh helper script lives in /usr/lib/ssl/misc, which is not on the search path, so add it for the current session only:
export PATH=$PATH:/usr/lib/ssl/misc
- Customize the configuration file used for certificate creation (/usr/lib/ssl/openssl.cnf) a little, but make a backup copy first. Make the following changes: default_bits raises the key size from the old 1024-bit default to 2048, and the _default values only pre-fill the interactive prompts, so they can still be overridden when asked. If your openssl.cnf still has default_md = sha1 (or md5), change it to sha256 as well, since SHA-1 certificate signatures are no longer accepted by current clients.
...
[ req ]
default_bits = 2048
...
[ req_distinguished_name ]
countryName_default = UA
stateOrProvinceName_default = LV
0.organizationName_default = XYZ Co
...
- Create a directory for the CA (any directory works; here it goes in the home directory):
mkdir ~/ca && cd ~/ca
- Run CA.sh -newca and answer a few questions (press Enter when prompted for a CA certificate filename to create a new one; choose a strong passphrase, because it is what protects the CA private key):
ldap1:~/ca# CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
............+++
........+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: **************
Verifying - Enter PEM pass phrase: **************
...
Country Name (2 letter code) [UA]:
State or Province Name (full name) [LV]:
Locality Name (eg, city) []:Lviv
Organization Name (eg, company) [XYZ Co]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:XYZ Root CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: *****
Check that the request matches the signature
Signature ok
Certificate Details:
...
Write out database with 1 new entries
Data Base Updated
- Secure the Certificate Authority so that only its owner can read the directory tree (the private key in ~/ca/demoCA/private/cakey.pem must never be readable by anyone else):
chmod -R go-rwx ~/ca
Your Certificate Authority certificate is cacert.pem, located in ~/ca/demoCA. This is the file to distribute to clients so they trust certificates signed by this CA; the private key stays on this host.
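The same procedure as a non-interactive script, followed by the checks worth running on the result. This is an added example, not code from the original post or from the OpenSSL project: it replaces the CA.sh prompts with openssl req -x509 -subj, reads the key passphrase from an environment variable named CA_PASS (a name chosen for this example), defaults the output directory to ./demoCA to match CA.sh, and then verifies that the certificate is self-signed, carries CA:TRUE, and that the key file is encrypted and readable only by its owner.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSL itself):
# a scripted equivalent of "CA.sh -newca" followed by sanity checks.
# Assumptions: the CA tree lives in $CA_DIR (default ./demoCA, as CA.sh uses),
# and the key passphrase is supplied in the CA_PASS environment variable
# (a name chosen for this example).
set -eu

CA_DIR="${CA_DIR:-./demoCA}"

# Create the directory layout that CA.sh / "openssl ca" expect.
# umask 077 makes every file and directory owner-only from the start,
# so nothing is world-readable even briefly.
ca_init_dirs() {
    umask 077
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/certs" "$CA_DIR/crl"
    : > "$CA_DIR/index.txt"        # the CA's certificate database, empty to start
    echo 1000 > "$CA_DIR/serial"   # first serial number "openssl ca" will issue
}

# Generate the CA key and its self-signed root certificate in one step.
# -x509 emits a certificate instead of a CSR, -subj replaces the prompts,
# -sha256 avoids the SHA-1 signature default of old openssl.cnf files, and
# -passout env:CA_PASS encrypts the key without putting the passphrase on the
# command line, where "ps" would show it.
ca_create_root() {
    : "${CA_PASS:?set CA_PASS to the passphrase for the CA private key}"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -subj "${1:-/C=UA/ST=LV/L=Lviv/O=XYZ Co/CN=XYZ Root CA}" \
        -passout env:CA_PASS \
        -keyout "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem"
}

# Same as the post's "chmod -R go-rwx ~/ca": strip group and other access.
ca_lock_down() {
    chmod -R go-rwx "$CA_DIR"
}

# Check 1: a root certificate must verify against itself.
ca_check_selfsigned() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/cacert.pem" >/dev/null 2>&1
}

# Check 2: it must carry basicConstraints CA:TRUE, or clients will refuse to
# chain server certificates to it.
ca_check_is_ca() {
    openssl x509 -in "$CA_DIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

# Check 3: the private key must be encrypted and readable only by its owner.
ca_check_key_private() {
    key="$CA_DIR/private/cakey.pem"
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")   # GNU stat, then BSD stat
    case "$mode" in
        600|400) ;;
        *) echo "cakey.pem has mode $mode, expected 600" >&2; return 1 ;;
    esac
    grep -q ENCRYPTED "$key"   # matches both PKCS#8 and legacy PEM encryption headers
}

# Run the whole procedure when invoked as:  CA_PASS='...' sh make_ca.sh init
case "${1:-}" in
    init)
        ca_init_dirs
        ca_create_root
        ca_lock_down
        ca_check_selfsigned && ca_check_is_ca && ca_check_key_private
        echo "CA certificate: $CA_DIR/cacert.pem (distribute this to clients)"
        echo "CA private key: $CA_DIR/private/cakey.pem (never leaves this host)"
        ;;
esac
```

The three checks are the ones to run after CA.sh as well: a root that does not verify against itself, lacks CA:TRUE, or has an unencrypted or group-readable key is not usable as a trust anchor.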