Certificate Authorities - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Certificate Authority

A certificate authority (CA) is a trusted entity whose private key signs certificates. Anyone who trusts the CA's own certificate therefore trusts the server certificates it issues, for the validity period written into each one. Issuance can be automated (and should be).

Configuring a Certificate Authority

Requirements

  • Make sure SSHD is running (we will use scp to move the CSR and the signed certificate between hosts)

  • Update the firewall (local and interface based) to allow port 22 (SSH/SCP)

  • An internet connection is needed for the package install below; once that is done the CA host itself does not need one, and a CA is safer with as little network exposure as possible

  • Ensure there is a named user with administrative privileges on each host (the account we will scp to and from)

  • A helpful page for understanding rich rules on a local firewall here

Configuration

  1. Install OpenSSL

sudo yum install openssl (probably already installed on most Linux systems)

  2. File system prep

cd /etc/pki/CA
touch index.txt (the database openssl ca uses to keep track of issued certs)
echo 1000 > serial (the next serial number, in hex, that openssl ca will assign)

/etc/pki/CA is the directory the default openssl.cnf on RHEL-family systems points at. The newcerts and private subdirectories it references must exist before you sign anything, and private should be readable by root only.

  3. Create your CA's private key - use the filenames as indicated, because they are the ones the default openssl.cnf expects (you may need to create certain directories first)

openssl genrsa -des3 -out private/cakey.pem 2048

-des3 encrypts the key under a passphrase; you will be asked for it every time the CA signs a request. This key never leaves the CA host.

  4. Create your CA certificate

openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem

Make sure you remember what you put in for the prompts after this command. The default signing policy (policy_match) requires the country, state and organization of every request to match the CA certificate exactly, so you will need the same values later.

  5. ON THE WEB SERVER: generate a private key for the web server and a certificate request file

openssl req -newkey rsa:2048 -keyout websrv.key -out websrv.csr

Make sure the country, state and organization entries match what you entered for the CA certificate; the Common Name must be the server's hostname exactly as clients will connect to it. Without -nodes the key is passphrase-protected, and the web server will prompt for that passphrase every time it starts.

  6. SCP the csr file to the Certificate Authority

SCP commands here

  7. On the Certificate Authority Server, sign the certificate

openssl ca -out websrv.crt -infiles websrv.csr

openssl ca prompts for the CA key passphrase, shows the certificate it is about to issue and asks you to confirm. It records the issued certificate in index.txt, increments serial, and keeps a copy under newcerts/. Only the CSR and the signed certificate ever travel between hosts; the CA key and the server key stay where they were generated.

  8. SCP the websrv.crt file back to the web server

Configure the web server with websrv.key and websrv.crt. Clients will only trust it once cacert.pem has been added to their trust store, so that file (and only that file) is what you distribute.
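The whole procedure above, as a script you can run and check. This is an added example and is not part of the original wiki page: it keeps the page's file layout (index.txt, serial, private/cakey.pem, cacert.pem) but in a throw-away directory instead of /etc/pki/CA, ships its own minimal openssl.cnf so it does not depend on the system one, and runs non-interactively with a fixed demo passphrase and a made-up hostname and organization (www.example.lab, "Example Lab"). All of those are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original wiki): the page's CA workflow run end to end,
# non-interactively, so it can be scripted and checked. Throw-away directory instead
# of /etc/pki/CA, fixed demo passphrase, made-up hostname and organisation: all are
# assumptions for the example.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"               # stand-in for /etc/pki/CA
CA_PASS="${CA_PASS:-demo-only-passphrase}"     # never hard-code outside a demo
CNF="$CA_DIR/openssl.cnf"
CA_SUBJ="/C=US/ST=Texas/O=Example Lab/CN=Example Lab Root CA"
SRV_HOST="www.example.lab"

# Minimal config so the example does not depend on the system openssl.cnf.
# policy_match (the default policy in the RHEL-style config) requires the CSR's
# C, ST and O to equal the CA certificate's; CN is whatever the request supplies.
write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_ext
copy_extensions = copy
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
# Config extensions override anything copied from the CSR, so a request that
# asks for CA:TRUE cannot turn itself into a CA through copy_extensions.
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Step 2 of the page: the files and directories openssl ca expects.
prep_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"        # issued-certificate database, starts empty
  echo 1000 > "$CA_DIR/serial"   # next serial number, in hex
  write_config
}

# Steps 3-4: passphrase-protected CA key and self-signed CA certificate.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" \
    -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$CA_DIR/private/cakey.pem"
  openssl req -config "$CNF" -new -x509 -days 365 -sha256 -extensions ca_ext \
    -key "$CA_DIR/private/cakey.pem" -passin "pass:$CA_PASS" \
    -subj "$CA_SUBJ" -out "$CA_DIR/cacert.pem"
}

# Step 5 (web server side): key without a passphrase so the service can start
# unattended, and a CSR whose CN and SAN are the hostname clients will use.
make_server_csr() {   # $1 = subject DN, $2 = output basename
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -sha256 -subj "$1" \
    -addext "subjectAltName=DNS:$SRV_HOST" \
    -keyout "$CA_DIR/$2.key" -out "$CA_DIR/$2.csr" 2>/dev/null
  chmod 600 "$CA_DIR/$2.key"
}

# Step 7 (CA side): sign the CSR. Exit status is openssl ca's, so a request
# that fails policy_match makes this function fail.
sign_csr() {          # $1 = csr basename
  openssl ca -config "$CNF" -batch -notext -passin "pass:$CA_PASS" \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt"
}

# The check the web server (and every client) relies on: exit 0 means the
# issued certificate chains to cacert.pem.
verify_chain() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null; }
next_serial() { cat "$CA_DIR/serial"; }

prep_ca
make_ca
make_server_csr "/C=US/ST=Texas/O=Example Lab/CN=$SRV_HOST" websrv
sign_csr websrv
verify_chain websrv
echo "websrv.crt verifies against cacert.pem; next serial is $(next_serial)"
```

Two things worth noticing when you run it: after one issuance the serial file reads 1001, because openssl ca consumed 1000 and wrote back the next value; and a CSR whose organization is not "Example Lab" is refused by policy_match before any certificate is produced, which is the reason the page tells you to keep the CA prompts and the server prompts in agreement.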