Certificate Authorities - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Certificate Authority
A certificate authority (CA) is a trusted server that signs certificates, passing its trust on to web servers for a limited validity period. CA operations can be automated (and should be).
Configuring a Certificate Authority
Requirements
- Make sure SSHD is running (we will need it to scp files)
- Update the firewall (local and interface based) to always allow port 22 (SSH/SCP)
- An internet connection is a must
- Ensure there is a named user with administrative privileges (so we can SCP to and from it)
- A helpful page for understanding rich rules on a local firewall is linked here
Configuration
- Install OpenSSL (possibly already installed on Linux systems)
  `sudo yum install openssl`
- File system prep
  `cd /etc/pki/CA`
  `touch index.txt` (the CA uses this file to keep track of issued certs)
  `echo 1000 > serial` (used to assign serial numbers to certs)
- Create your CA's private key - use the filenames as indicated (you may need to create certain directories first, such as `private/`)
  `openssl genrsa -des3 -out private/cakey.pem 2048`
- Create your CA certificate
  `openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem`
  Make sure you remember what you enter at the prompts after this command; you will need it later.
- ON THE WEB SERVER: generate a private key for the web server and a certificate request file
  `openssl req -newkey rsa:2048 -keyout websrv.key -out websrv.csr`
  Make sure the entries match the previous prompts (the default signing policy in openssl.cnf requires the Country, State and Organization fields to match the CA's), and use the web server's hostname as the Common Name.
- SCP the csr file to the Certificate Authority
- On the Certificate Authority server, sign the certificate
  `openssl ca -out websrv.crt -infiles websrv.csr`
- SCP the websrv.crt file back to the web server
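The whole procedure above, run unattended end to end and finished with the verification step a practitioner should always do before shipping the certificate (an added example, not from this wiki; it assumes openssl is in PATH, leaves the CA key unencrypted instead of using -des3 so nothing prompts, and uses made-up subject values and the placeholder hostname www.example.test):

```shell
# Added example, not from the wiki: the procedure above run unattended in a temp
# directory, ending with the check that the issued cert verifies against the CA.
# Assumes openssl in PATH; CA key unencrypted (the wiki's -des3 would prompt);
# subject values and the hostname www.example.test are made-up placeholders.
set -eu

build_ca_and_sign() (
  cd "$(mktemp -d)"
  mkdir -p private newcerts   # layout "openssl ca" expects
  touch index.txt             # the CA's database of issued certs
  echo 1000 > serial          # next serial number, in hex
  # Minimal config so the run does not depend on /etc/pki/tls/openssl.cnf
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  # CA private key and self-signed CA certificate
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem \
    -config ca.cnf -subj "/C=US/ST=Vermont/O=TechJournal/CN=TechJournal CA"
  # Web server key + CSR: C/ST/O must match the CA (policy_match), CN is the hostname
  openssl req -newkey rsa:2048 -nodes -keyout websrv.key -out websrv.csr \
    -config ca.cnf -subj "/C=US/ST=Vermont/O=TechJournal/CN=www.example.test" 2>/dev/null
  # Sign the request with the CA (-batch answers the y/n prompts for us)
  openssl ca -batch -config ca.cnf -out websrv.crt -infiles websrv.csr >/dev/null 2>&1
  # The check: the server certificate must chain back to cacert.pem
  openssl verify -CAfile cacert.pem websrv.crt
)
```

Change any of the C, ST or O values in the server CSR and the `openssl ca` step refuses to sign, which is the policy_match behaviour the note about matching prompts refers to.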