Generate the CA Certificate -- a one-time operation
Server certificates are used for many purposes, including the https protocol, database connection encryption, etc…
I use one of our servers under Fedora to generate the SSL / TLS certificates used for e.g. the https protocol, but you should be able to use this tutorial for all flavors of Linux. These are self-signed certificates, so the very first step is to create the signing certificate CA (for Certificate Authority), then the individual server certificates (used by e.g. the https protocol) that will be signed by the CA.
The directory /etc/pki/tls is where the certificates are stored in Fedora, but some other distributions use /etc/ssl — which is easier to remember and used throughout all these series of articles — so I advise you to create an alias here (Fedora only):
ln -s /etc/pki/tls /etc/ssl
We’ll also use these conventions:
- the suffix .crt is for the public certificate: $CERT.crt
- the suffix .key for the private key: $CERT.key
- (optional) the suffix .pem for the combination of both the public and private parts: $CERT.pem
This is a one-time operation, as you will probably use this same CA certificate to sign all your future server certificates. We’ll name our CA certificate certsign.crt.
Generate certsign.key
We’re now generating the private key (do not make this file available to the public!):
openssl req -new -newkey rsa:1024 -nodes -out certsign.csr -keyout certsign.key
The option ‘-nodes’ prevents openssl from asking for a password or a passphrase.
I used these values; it’s up to you to use whatever you like, but it’s often a good idea to keep them very neutral.
O=Public Primary CA
CN=CertSign V3 Certificate CA
Protect the file:
chcon -u system_u certsign.key
Generate certsign.crt
We’re creating this certificate with a validity of 30 years (i.e. 10950 days) with this command:
openssl x509 -extensions v3_ca -trustout -signkey ../private/certsign.key -days 10950 -req -in certsign.csr -out certsign.crt
The option ‘-extensions v3_ca’ marks it as a certificate authority.
We need to make a change in the certificate for it to qualify as a certificate that doesn’t need to be trusted:
nano certsign.crt
certsign.crt is the public side of the certificate and should be made available to everyone to use as a trusted root certificate.
Make it available in your websites to download:
Generate certsign.pem
cat certsign.key ../certs/certsign.crt > certsign.pem
chmod 400 certsign.pem
chcon -u system_u certsign.pem
Generate certsign.p7b
This format is used by Windows rather than its ‘.crt’ counterpart. You should make it available to all users of your self-signed certificates.
openssl crl2pkcs7 -nocrl -certfile certsign.crt -out certsign.p7b -outform DER
Put the certificate certsign.p7b in the store Trusted Root Certification Authorities so that your self-signed certificates will be accepted.
Generate certsign.der
DER is a Microsoft format:
openssl x509 -in certsign.crt -outform DER -out certsign.der
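The whole CA-generation procedure above, as an added, non-interactive example (not from the article), followed by the checks a practitioner would run on the result: that the certificate really carries CA:TRUE, that it verifies as its own trust anchor, and that the .der and .p7b copies contain the very same certificate. It assumes openssl is on PATH; the subject values and file names are the article's, while the 2048-bit key size, the temporary working directory and the explicit v3_ca extension file (so the CA flag does not depend on the system openssl.cnf) are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # example's choice: work in a temp dir

make_ca() {
    # Non-interactive equivalent of the article's `openssl req` step:
    # -subj replaces the prompts; 2048 bits is this example's choice.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Public Primary CA/CN=CertSign V3 Certificate CA" \
        -out "$WORK/certsign.csr" -keyout "$WORK/certsign.key" 2>/dev/null
    chmod 400 "$WORK/certsign.key"          # private key: owner read-only
    # Explicit extension file, so CA:TRUE does not depend on openssl.cnf.
    cat > "$WORK/v3_ca.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -in "$WORK/certsign.csr" -signkey "$WORK/certsign.key" \
        -days 10950 -extfile "$WORK/v3_ca.cnf" -extensions v3_ca \
        -out "$WORK/certsign.crt" 2>/dev/null
    # The Windows-oriented encodings from the article.
    openssl x509 -in "$WORK/certsign.crt" -outform DER -out "$WORK/certsign.der"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/certsign.crt" -outform DER \
        -out "$WORK/certsign.p7b"
}

# Check 1: the CA flag is actually present (what -extensions v3_ca is for).
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Check 2: a root CA must validate against itself as the trust anchor.
is_self_trusted() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# Check 3: PEM, DER and PKCS#7 copies must share one SHA-256 fingerprint.
fingerprint_pem() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
fingerprint_der() { openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256; }
fingerprint_p7b() {
    openssl pkcs7 -in "$1" -inform DER -print_certs |
        openssl x509 -noout -fingerprint -sha256
}

make_ca
is_ca_cert "$WORK/certsign.crt" && echo "certsign.crt: CA:TRUE"
is_self_trusted "$WORK/certsign.crt" && echo "certsign.crt: verifies against itself"
PEM_FP="$(fingerprint_pem "$WORK/certsign.crt")"
[ "$PEM_FP" = "$(fingerprint_der "$WORK/certsign.der")" ] && echo "certsign.der: same certificate"
[ "$PEM_FP" = "$(fingerprint_p7b "$WORK/certsign.p7b")" ] && echo "certsign.p7b: same certificate"
```

If the first check fails, the certificate was emitted without extensions, which is what happens when `openssl x509 -req` is run with `-extensions` but no `-extfile` pointing at a file that defines that section.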