To create a private Certificate Authority we can proceed as below.
How the whole thing works
1. First create the Certificate Authority with the credentials that the certificates will need. To sign a certificate signing request, the authority must have a certificate whose credentials match those in the certificate signing request. So after configuring /etc/pki/tls/openssl.cnf with the needed credentials, we create a private key and a certificate for the certificate authority.
2. Create the private key and the certificate signing request on the client side with the same credentials.
3. scp the certificate signing request (csr) from the client to the server that is the certificate authority, sign the csr with the certificate authority to get the certificate, and send the certificate back to the client.
Signing of the certificate succeeds only if the credentials in the certificate authority's certificate and those in the certificate signing request match (the policy section of openssl.cnf defines which fields must match).
Packages needed: openssl*
1. On the server where we create the certificate authority, edit the OpenSSL configuration file:
vi /etc/pki/tls/openssl.cnf
In that file we need to change the following as per our need
#######
dir = /etc/pki/CA ----------------------> root directory of the Certificate Authority
certificate = $dir/my-ca.crt ------------------> certificate of the CA, which the csr is checked against
crl = $dir/crl.pem ------------------> certificate revocation list, used if a certificate is compromised
private_key = $dir/private/my-ca.key -----------> private key of the Certificate Authority, used to create the CA's certificate
#######Basic credentials that should be the same in both the csr and the CA's certificate
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
0.organizationName_default = Example, Inc.
#######There are more credentials used in certificate creation
#######Make the needed directories in CA
mkdir /etc/pki/CA/{cert,crl,newcerts}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
Now create the CA's private key and certificate in the corresponding places
cd /etc/pki/CA
openssl genrsa -out private/my-ca.key -des3 2048
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
2. Creating the private key and the Certificate Signing Request on the client side
Creating the private key
openssl genrsa -out private.key -des3 2048
Creating the certificate signing request with the private key
openssl req -new -key private.key -out certificate.csr
Here you will be asked for the needed credentials. Remember that if the credentials differ between the csr and the CA, signing will fail.
3. With certificate.csr on the Certificate Authority server we can sign the certificate
openssl ca -in certificate.csr -out certificate.crt
Here `ca` means that the configuration from /etc/pki/tls/openssl.cnf is used to sign the signing request.
Or, the other way is to self-sign: after creating the private key and the csr we can self-sign as follows
openssl x509 -req -days 365 -in certificate.csr -signkey private.key -out certificate.crt
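As an added example (not the post's own commands), the three CA steps above scripted against a throwaway CA in a temporary directory, non-interactively and without key passphrases, with a constructed openssl.cnf that carries the settings discussed above; it also shows the signing failure that occurs when the stateOrProvinceName in the csr differs from the CA's certificate. Function names, paths and subjects are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original post's code): throwaway CA in a temp dir,
# one CSR signed with "openssl ca", and a CSR rejected by policy_match because
# its stateOrProvinceName differs. Assumes the openssl CLI; paths are constructed.
set -eu
# CA side: the directory layout from the post plus a minimal openssl.cnf
# carrying the settings the post edits in /etc/pki/tls/openssl.cnf.
make_ca() {
  ca=$(mktemp -d); mkdir -p "$ca/private" "$ca/newcerts"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
EOF
  openssl genrsa -out "$ca/private/my-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/my-ca.key" \
    -days 365 -subj "/C=US/ST=North Carolina/O=Example, Inc./CN=Example CA" \
    -out "$ca/my-ca.crt"
  echo "$ca"
}
# Client side makes key + CSR; CA side signs it with "openssl ca". Exit
# status is non-zero when the subject does not satisfy policy_match.
issue_cert() {
  ca=$1; name=$2; subj=$3
  openssl genrsa -out "$ca/$name.key" 2048 2>/dev/null
  openssl req -new -config "$ca/openssl.cnf" -key "$ca/$name.key" -subj "$subj" -out "$ca/$name.csr"
  openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/$name.csr" -out "$ca/$name.crt" 2>/dev/null
}
```

Run `ca=$(make_ca)` and then `issue_cert "$ca" client1 "/C=US/ST=North Carolina/O=Example, Inc./CN=client1"`; the issued certificate can be checked against the CA with `openssl verify -CAfile "$ca/my-ca.crt" "$ca/client1.crt"`.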