Difference between revisions of "How to create SSL CA Cert Server"
(→Notes:) |
|||
| (12 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html CA Issue Source] | + | *[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html CA Issue Source] |
| − | [http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain/418429 Generate SSl Chain] | + | *[http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain/418429 Generate SSl Chain] |
| + | *[https://www.madboa.com/geek/openssl/ OpeenSSL Commandline Guide] | ||
| + | *[https://nrocco.github.io/2013/01/25/self-signed-ssl-certificate-chains.html Chain SSL Guide] | ||
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys: | OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys: | ||
| Line 15: | Line 17: | ||
Now to generate and sign a cert: | Now to generate and sign a cert: | ||
| + | |||
| + | openssl genrsa -out client.key 1024 | ||
| + | openssl req -new -key client.key -out client.csr | ||
| + | openssl ca -in client.csr -out client.cer | ||
| + | |||
| + | == Revoking SSL Cert: == | ||
| + | In the default configuration, openssl will keep copies of all signed certificates in /etc/pki/CA/newcerts, named by its index number. So grep /etc/pki/index.txt to obtain the serial number of the key to be revoked, e.g. 1000, then execute the following command: | ||
| + | |||
| + | cat /etc/pki/CA/index.txt | ||
| + | |||
| + | The following line will appear: | ||
| + | V 170303223153Z 1000 unknown /C=CA/ST=British Columbia/O=HyperSecurity Solutions/OU=Mail/CN=mail.hypersecuresolutions.com/emailAddress=info@hypersecuresolutions.com | ||
| + | |||
| + | Then run the following to revoke the cert: | ||
| + | openssl ca -revoke /etc/pki/CA/newcerts/1000.pem | ||
| + | |||
| + | == Testing == | ||
| + | openssl s_client -connect domainname:993 | ||
| + | |||
| + | Assuming your certificates are in PEM format, you can do: | ||
| + | openssl verify cert.pem | ||
| + | |||
| + | If your "ca-bundle" is a file containing additional intermediate certificates in PEM format: | ||
| + | openssl verify -untrusted ca-bundle cert.pem | ||
| + | |||
| + | If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA. | ||
| + | |||
| + | |||
| + | == Notes: == | ||
| + | |||
| + | Dovecot: | ||
| + | openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/dovecot.pem" -keyout "/etc/ssl/private/dovecot.pem" | ||
| + | |||
| + | Dovecot self generated keys: | ||
| + | /usr/libexec/dovecot/mkcert.sh | ||
Latest revision as of 09:13, 5 March 2016
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:
Run the following to create a CA directory:
cd /etc/pki/ mv CA CA.original CA.pl -newca mv demoCA CA
Fix CA issues:
touch /etc/pki/CA/index.txt echo '1000' > /etc/pki/CA/serial
Now to generate and sign a cert:
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer
Revoking SSL Cert:
In the default configuration, openssl will keep copies of all signed certificates in /etc/pki/CA/newcerts, named by its index number. So grep /etc/pki/index.txt to obtain the serial number of the key to be revoked, e.g. 1000, then execute the following command:
cat /etc/pki/CA/index.txt
The following line will appear:
V 170303223153Z 1000 unknown /C=CA/ST=British Columbia/O=HyperSecurity Solutions/OU=Mail/CN=mail.hypersecuresolutions.com/emailAddress=info@hypersecuresolutions.com
Then run the following to revoke the cert:
openssl ca -revoke /etc/pki/CA/newcerts/1000.pem
Testing
openssl s_client -connect domainname:993
Assuming your certificates are in PEM format, you can do:
openssl verify cert.pem
If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
openssl verify -untrusted ca-bundle cert.pem
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.
Notes:
Dovecot:
openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/dovecot.pem" -keyout "/etc/ssl/private/dovecot.pem"
Dovecot self generated keys:
/usr/libexec/dovecot/mkcert.sh
