2. Creating a Certificate Authority

  1. Create directory structure:

      # mkdir /etc/certificateAuthority
      # cd /etc/certificateAuthority
    
      # mkdir certs
      # mkdir private
      # chmod 700 private
    
      # echo '01' > serial
      # touch index.txt

  2. Edit /etc/ssl/openssl.cnf:

    1. Change the following properties in the [CA_default] section:

         dir             = /etc/certificateAuthority
         new_certs_dir   = $dir/certs
         copy_extensions = copy                        # Copy the extensions requested in
                                                       #  the CSR that are not already
                                                       #  defined in [usr_cert]
         default_days    = 1825                        # certificates are valid for 5 years
         policy          = policy_anything
         # Set display options
         nameopt         = ca_default
         certopt         = ca_default

    2. Delete the following properties in the [CA_default] section:

         certs =
         crl_dir =
         crl =

    3. Change the following properties in the [req_distinguished_name] section as appropriate:

         countryName_default         = NL
         stateOrProvinceName_default = Noord Holland
         localityName_default        = Amsterdam
         0.organizationName_default  = joe.org
         commonName_default          = J. Bloggs
         emailAddress_default        = ca.admin@joe.org

    4. Change the following properties in the [v3_ca] section:

         keyUsage = cRLSign, keyCertSign
         nsCertType = sslCA, emailCA, objCA

  3. Create the certificate authority key:

      # openssl genrsa -des3 -out private/cakey.pem 2048

     Remember the pass phrase! Better yet, since you won't be needing it often (key signing is probably not an everyday activity for you), write it down somewhere safe.

  4. Create the certificate authority's (self-signed) certificate:

      # openssl req -new -x509 -key private/cakey.pem -days 1825 -out cacert.pem -outform PEM
      # cp cacert.pem /etc/ssl/certs

  5. Create a certificate request configuration template:

    1. Copy the stock OpenSSL configuration as the starting point:

        # cp /etc/ssl/openssl.cnf /etc/ssl/openssl_server_req.template

    2. Remove the following sections:

      • [ca]

      • [CA_default]

      • [policy_match]

      • [policy_anything]

      • [usr_cert]

      • [v3_ca]

      • [crl_ext]

    3. Change the following properties in the [v3_req] section:

        nsCertType     = server
        subjectAltName = @altdns

    4. Change the following properties in the [req] section:

        default_bits       = 2048
        default_keyfile    = /etc/ssl/private/SERVER_ID_key.pem
        encrypt_key        = no
        prompt             = no
        #  x509_extensions = v3_ca
        req_extensions     = v3_req

    5. Change the following properties in the [req_distinguished_name] section:

        countryName         = NL
        stateOrProvinceName = Noord Holland
        localityName        = Amsterdam
        organizationName    = joe.org
        commonName          = SERVER_NAME
        emailAddress        = SERVER_ID.admin@joe.org

    6. Comment out the following properties in the [req_attributes] section:

        # challengePassword = Not needed
        # unstructuredName  =

    7. Add a section [altdns] with the following properties:

        DNS.1 = ALT_SERVER_NAME_1
        DNS.2 = ALT_SERVER_NAME_2
        DNS.3 = ALT_SERVER_NAME_3
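Steps 1 and 5 above are repeated for every server you issue a certificate for, so they are worth scripting. The following shell script is an added example and is not part of the original page: it builds the step 1 directory layout under a scratch directory (not /etc/certificateAuthority), embeds a constructed stand-in for openssl_server_req.template containing only the sections the page edits, fills in the SERVER_ID / SERVER_NAME / ALT_SERVER_NAME_n placeholders for one server, and, when openssl is installed, generates the server key and CSR non-interactively (prompt = no, encrypt_key = no) and prints the requested subjectAltName. The hostnames www.example.org, example.org and mail.example.org and the CA_ROOT variable are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Scripts step 1 (CA layout) and
# step 5 (per-server request template) under a scratch directory.
set -eu

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"   # assumption: scratch dir, not /etc/certificateAuthority

# Step 1: directory layout. 'private' is mode 700 so only root can read the
# CA key; 'serial' seeds the serial number of the first issued certificate.
ca_init() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private"
    chmod 700 "$dir/private"
    [ -f "$dir/serial" ] || echo '01' > "$dir/serial"
    touch "$dir/index.txt"
}

# Constructed stand-in for openssl_server_req.template: only the sections the
# page edits in step 5 (a real template is copied from /etc/ssl/openssl.cnf).
# KEY_DIR is an extra placeholder so the key does not land in /etc/ssl/private.
write_template() {
    cat > "$1" <<'EOF'
[req]
default_bits       = 2048
default_keyfile    = KEY_DIR/SERVER_ID_key.pem
encrypt_key        = no
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName         = NL
stateOrProvinceName = Noord Holland
localityName        = Amsterdam
organizationName    = joe.org
commonName          = SERVER_NAME
emailAddress        = SERVER_ID.admin@joe.org

[v3_req]
nsCertType     = server
subjectAltName = @altdns

[altdns]
DNS.1 = ALT_SERVER_NAME_1
DNS.2 = ALT_SERVER_NAME_2
DNS.3 = ALT_SERVER_NAME_3
EOF
}

# Fill the placeholders for one server. ALT_SERVER_NAME_n is replaced before
# SERVER_NAME because the shorter pattern is a substring of the longer one.
render_req_config() {
    template="$1"; out="$2"; keydir="$3"; server_id="$4"; server_name="$5"
    alt1="$6"; alt2="$7"; alt3="$8"
    sed -e "s|KEY_DIR|$keydir|g" \
        -e "s|ALT_SERVER_NAME_1|$alt1|g" \
        -e "s|ALT_SERVER_NAME_2|$alt2|g" \
        -e "s|ALT_SERVER_NAME_3|$alt3|g" \
        -e "s|SERVER_NAME|$server_name|g" \
        -e "s|SERVER_ID|$server_id|g" "$template" > "$out"
}

# Number of DNS names in the [altdns] section of a rendered config; these are
# what the CA will copy into the certificate because copy_extensions = copy.
san_count() {
    grep -c '^DNS\.[0-9][0-9]* *= *[^ ]' "$1"
}

# Generate the unencrypted server key and CSR from the rendered config, then
# show the SAN the request carries so it can be checked before the CA signs it.
make_server_req() {
    cfg="$1"; key="$2"; csr="$3"
    openssl req -new -config "$cfg" -keyout "$key" -out "$csr" 2>/dev/null
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

main() {
    ca_init "$CA_ROOT"
    write_template "$CA_ROOT/openssl_server_req.template"
    render_req_config "$CA_ROOT/openssl_server_req.template" "$CA_ROOT/www.cnf" \
        "$CA_ROOT/private" www www.example.org www.example.org example.org mail.example.org
    echo "rendered $CA_ROOT/www.cnf with $(san_count "$CA_ROOT/www.cnf") DNS names"
    if command -v openssl >/dev/null 2>&1; then
        make_server_req "$CA_ROOT/www.cnf" "$CA_ROOT/private/www_key.pem" "$CA_ROOT/www.csr"
    fi
}
main
```

The CSR is printed with its extensions before signing on purpose: with copy_extensions = copy, the CA copies whatever extensions the request asks for unless [usr_cert] already defines them, so a request should be inspected (names, key usage, basicConstraints) before it is passed to openssl ca.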