Difference between revisions of "How to create SSL CA Cert Server"

From HyperSecurity Wiki
Jump to: navigation, search
(Testing)
(Notes:)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
*[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html CA Issue Source]
 +
*[http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain/418429 Generate SSl Chain]
 +
*[https://www.madboa.com/geek/openssl/ OpeenSSL Commandline Guide]
 +
*[https://nrocco.github.io/2013/01/25/self-signed-ssl-certificate-chains.html Chain SSL Guide]
 +
 
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:
 
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:
  
Line 16: Line 21:
 
  openssl req -new -key client.key -out client.csr
 
  openssl req -new -key client.key -out client.csr
 
  openssl ca -in client.csr -out client.cer
 
  openssl ca -in client.csr -out client.cer
 
*[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html CA Issue Source]
 
*[http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain/418429 Generate SSl Chain]
 
  
 
== Revoking SSL Cert: ==
 
== Revoking SSL Cert: ==
Line 33: Line 35:
 
== Testing ==
 
== Testing ==
 
  openssl s_client -connect domainname:993
 
  openssl s_client -connect domainname:993
 +
 +
Assuming your certificates are in PEM format, you can do:
 +
openssl verify cert.pem
 +
 +
If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:
 +
openssl verify -untrusted ca-bundle cert.pem
 +
 +
If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.
 +
 +
 +
== Notes: ==
 +
 +
Dovecot:
 +
openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/dovecot.pem" -keyout "/etc/ssl/private/dovecot.pem"
 +
 +
Dovecot self generated keys:
 +
/usr/libexec/dovecot/mkcert.sh

Latest revision as of 09:13, 5 March 2016

OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:

Run the following to create a CA directory:

cd /etc/pki/
mv CA CA.original
CA.pl -newca
mv demoCA CA

Fix CA issues:

touch /etc/pki/CA/index.txt
echo '1000' > /etc/pki/CA/serial

Now to generate and sign a cert:

openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer

Revoking SSL Cert:

In the default configuration, openssl will keep copies of all signed certificates in /etc/pki/CA/newcerts, named by its index number. So grep /etc/pki/index.txt to obtain the serial number of the key to be revoked, e.g. 1000, then execute the following command:

cat /etc/pki/CA/index.txt

The following line will appear:

V       170303223153Z           1000    unknown /C=CA/ST=British Columbia/O=HyperSecurity Solutions/OU=Mail/CN=mail.hypersecuresolutions.com/emailAddress=info@hypersecuresolutions.com

Then run the following to revoke the cert:

 openssl ca -revoke /etc/pki/CA/newcerts/1000.pem

Testing

openssl s_client -connect domainname:993

Assuming your certificates are in PEM format, you can do:

openssl verify cert.pem

If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:

openssl verify -untrusted ca-bundle cert.pem

If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA.


Notes:

Dovecot:

openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/dovecot.pem" -keyout "/etc/ssl/private/dovecot.pem"

Dovecot self generated keys:

/usr/libexec/dovecot/mkcert.sh