hannibal:ca

OpenSSL offers everything needed to create certificate requests and self-signed certificates ourselves. Note that the Fedora Directory Server does NOT support OpenSSL: it uses the Network Security Services (NSS) library from the Mozilla project (http://www.mozilla.org/projects/security/). So we use NSS for the Fedora Directory Server and OpenSSL for all other applications.

First install the software, although it might already be present on your system.

 apt-get install openssl

Configure /etc/ssl/openssl.cnf

 HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd
 oid_section             = new_oids
 [ new_oids ]
 [ ca ]
 default_ca      = CA_default            # The default ca section
 [ CA_default ]
 dir             = ./hannibalCA          # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 certificate     = $dir/cacert.pem       # The CA certificate
 serial          = $dir/serial           # The current serial number
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/private/cakey.pem # The private key
 RANDFILE        = $dir/private/.rand    # private random number file
 x509_extensions = usr_cert              # The extensions to add to the cert
 name_opt        = ca_default            # Subject Name options
 cert_opt        = ca_default            # Certificate field options
 default_days    = 730                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
 default_md      = sha256                # which md to use (md5 is broken for signatures; do not use it)
 preserve        = no                    # keep passed DN ordering
 policy          = policy_match          # which DN fields must match the CA's
 [ policy_match ]
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 [ req ]
 default_bits            = 2048          # 1024-bit RSA is too weak for new keys
 default_keyfile         = privkey.pem
 distinguished_name      = req_distinguished_name
 attributes              = req_attributes
 x509_extensions = v3_ca # The extensions to add to the self signed cert
 string_mask = nombstr
 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 countryName_default             = NL
 countryName_min                 = 2
 countryName_max                 = 2
 stateOrProvinceName             = State or Province Name (full name)
 stateOrProvinceName_default     = NH
 localityName                    = Locality Name (eg, city)
 localityName_default            = Amsterdam
 0.organizationName              = Organization Name (eg, company)
 organizationalUnitName          = Organizational Unit Name (eg, section)
 organizationalUnitName_default  = NOC
 commonName                      = Common Name (eg, YOUR name)
 commonName_default              = CA
 commonName_max                  = 64
 emailAddress                    = Email Address
 emailAddress_default            = postmaster@intra.example.com
 emailAddress_max                = 64
 [ req_attributes ]
 challengePassword               = A challenge password
 challengePassword_min           = 4
 challengePassword_max           = 20
 unstructuredName                = An optional company name
 [ usr_cert ]
 basicConstraints=CA:FALSE
 nsComment                       = "OpenSSL Generated Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 [ v3_req ]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true
 [ crl_ext ]
 authorityKeyIdentifier=keyid:always,issuer:always

Create a Certificate Authority for your site with the CA.sh helper script that ships with OpenSSL:

 cd /usr/lib/ssl/misc
 ./CA.sh -newca

Note that CA.sh keeps its files under ./demoCA (the CATOP variable in the script) regardless of the dir setting in openssl.cnf; edit one or the other so they agree.

Or create the Certificate Authority by hand; something like

 mkdir /opt/exampleca
 cd /opt/exampleca
 mkdir certs crl newcerts private
 chmod 700 private
 echo '01' > serial
 touch index.txt

The newcerts directory is not optional: openssl ca refuses to sign anything if new_certs_dir does not exist.

Remember to adjust the dir setting in openssl.cnf accordingly (the example above uses ./hannibalCA).

Then create your CA's private key and your CA's self-signed certificate:

 openssl req -x509 -newkey rsa -keyout private/cakey.pem -out cacert.pem -outform PEM -days 3650

Two options matter here. Without -keyout the key is written to the [ req ] default_keyfile (privkey.pem in the current directory) rather than to the private_key path that openssl ca expects. And without -days the self-signed certificate is valid for only 30 days: the default_days in [ CA_default ] applies to openssl ca, not to openssl req -x509. You will be asked for a passphrase; keep it, the CA key should not be stored unencrypted.

Do a certificate request for each certificate you need. You can modify the CA.sh script so that you do not have to enter a passphrase per certificate (add the option -nodes to the req command in the script); the resulting private key is then stored unencrypted and must be protected by file permissions alone.

 ./CA.sh -newreq

Or issue the openssl command by hand:

 openssl req -newkey rsa:2048 -nodes -keyout newkey.pem -out newreq.pem -outform PEM

Sign the newly created requests with the CA:

 ./CA.sh -sign

Or issue the openssl command by hand (without -out the signed certificate is only printed to standard output; a copy is also written to newcerts/<serial>.pem and recorded in index.txt):

 openssl ca -in newreq.pem -out newcert.pem

Remember to protect the newly generated private keys. Depending on the CA.sh version the key is written to newkey.pem or into newreq.pem together with the request, so cover both; the request itself contains no secret.

 chmod 600 newkey.pem newreq.pem
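The whole procedure above (CA directory, self-signed CA certificate, a request, signing it, and the checks a practitioner runs afterwards) as one unattended script. This is an added example, not the wiki's CA.sh or its openssl.cnf; the hostname www.intra.example.com, the DN values, the scratch directory layout and the use of -nodes for the CA key are assumptions made for the demo. It goes a little beyond the text by putting a subjectAltName in the request (copy_extensions = copy) and by verifying the issued certificate against the CA.

```shell
#!/bin/sh
# Added example, not the wiki's CA.sh: build a throwaway OpenSSL CA in a
# scratch directory, issue a server key and CSR, sign it and check the result.
# Hostname, DN values and directory layout are assumptions for the demo.
set -eu

# Minimal openssl.cnf mirroring the page's [CA_default] layout, written to
# $1/openssl.cnf, with sha256 and 2048-bit keys instead of md5 and 1024.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
certs           = \$dir/certs
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_days    = 730
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
# copy: the CSR's subjectAltName is kept; usr_cert entries still win over the CSR
copy_extensions = copy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
[ req_distinguished_name ]
commonName              = Common Name
[ usr_cert ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ v3_ca ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
EOF
}

# Layout and state files for "openssl ca"; it refuses to sign without newcerts/.
init_ca_dir() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    echo 01 > "$1/serial"
    : > "$1/index.txt"
}

# Self-signed CA. -days is needed: "req -x509" defaults to 30 days, default_days
# only applies to "openssl ca". -nodes is for the unattended demo only; a real
# CA key should be passphrase-protected.
make_ca() {
    openssl req -x509 -new -config "$1/openssl.cnf" -nodes -days 3650 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=NL/ST=NH/O=Example/OU=NOC/CN=Example CA" 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
}

# Key and CSR for host $2. C, ST and O must equal the CA's (policy_match).
make_req() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$1/private/$2.key" -out "$1/certs/$2.csr" \
        -subj "/C=NL/ST=NH/O=Example/OU=NOC/CN=$2" \
        -addext "subjectAltName=DNS:$2" 2>/dev/null
    chmod 600 "$1/private/$2.key"
}

# Sign the CSR for host $2; -batch answers the y/n prompts. A copy also lands
# in newcerts/<serial>.pem and index.txt gets a "V" (valid) row.
sign_req() {
    openssl ca -batch -config "$1/openssl.cnf" -notext \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.crt" 2>/dev/null
}

# Post-issuance checks; each returns 0 on success.
chain_ok()    { openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null 2>&1; }
is_leaf()     { ! openssl x509 -in "$1/certs/$2.crt" -noout -text | grep -q 'CA:TRUE'; }
key_private() { [ -n "$(find "$1" -prune -perm 0600)" ]; }   # $1 = key file

# Whole procedure in scratch dir $1 for the assumed host.
demo_ca() {
    host=www.intra.example.com
    write_ca_config "$1"; init_ca_dir "$1"; make_ca "$1"
    make_req "$1" "$host"; sign_req "$1" "$host"
    chain_ok "$1" "$host" && is_leaf "$1" "$host" && key_private "$1/private/$host.key"
}

# usage: sh ca-demo.sh /tmp/exampleca
if [ -n "${1:-}" ]; then mkdir -p "$1" && demo_ca "$1" && echo "CA and cert OK in $1"; fi
```

The -addext option needs OpenSSL 1.1.1 or later. The only thing the requester controls in the issued certificate is the subject (filtered by policy_match) and the copied subjectAltName; leave copy_extensions unset if requests come from parties you do not trust to name themselves.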
hannibal/ca.txt · Last modified: 2008/06/25 11:44 by Olivier Brugman