06Certificates - amagerard/TemplateVM GitHub Wiki
6. Create a self-signed certificate.
6.1 About SSL Files.
| Acronym | French | English |
|---|---|---|
| CA | Autorité de certification | Certificate Authority |
| KEY | Clé privée | Private key |
| CSR | Demande de signature | Certificate Signing Request |
| CRT | Certificat | Certificate |
Create a link for the private key folder.
ln -s /etc/pki/tls/private /etc/ssl/private
6.2 Configure a Certification Authority.
6.2.1 RSA type.
6.2.1.1 Create the CA.
Generate the private key (RSA type key).
openssl genrsa -out /etc/ssl/private/CA.key 4096
Generate Certificate Signing Request (RSA type key).
openssl req -new -days 1460 -key /etc/ssl/private/CA.key -out /etc/ssl/certs/CA.csr
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:dns.ol26modk.com
Email Address []:[email protected]
Generate the self-signed CA certificate (RSA type key).
openssl x509 -req -days 1460 -in /etc/ssl/certs/CA.csr -out /etc/ssl/certs/CA.crt -signkey /etc/ssl/private/CA.key
You now have three files:
/etc/ssl/private/CA.key
/etc/ssl/certs/CA.csr
/etc/ssl/certs/CA.crt
6.2.1.2 Configure the CA to sign future server CSRs.
This configuration is required so that the CA created above can sign the certificate requests of your machines.
cp /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf_backup
cp /etc/ssl/openssl.cnf /etc/pki/tls/openssl.cnf_rsa
mkdir /etc/pki/tls/newcerts
mkdir /etc/pki/tls/ca
mkdir /etc/pki/tls/crl
ln -s /etc/pki/tls/newcerts /etc/ssl
ln -s /etc/pki/tls/ca /etc/ssl
ln -s /etc/pki/tls/crl /etc/ssl
touch /etc/ssl/ca/index.txt
touch /etc/ssl/ca/serial
echo '01' > /etc/ssl/ca/serial
Edit the openssl.cnf_rsa file you just created; only the following lines need to be added or modified.
vi /etc/pki/tls/openssl.cnf_rsa
# Add or modify.
[ CA_default ]
dir = /etc/ssl
database = $dir/ca/index.txt
certificate = $dir/certs/CA.crt
serial = $dir/ca/serial
crlnumber = $dir/ca/crlnumber
crl = $dir/ca/crl.pem
private_key = $dir/private/CA.key
default_md = sha256
[ req ]
default_md = sha256
6.2.2 ECC type.
6.2.2.1 Create the CA.
ECC stands for Elliptic Curve Cryptography.
Generate private key (ECC type key).
openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/CA-ecc.key
Generate Certificate Signing Request (ECC type key).
openssl req -new -sha256 -key /etc/ssl/private/CA-ecc.key -nodes -out /etc/ssl/certs/CA-ecc.csr
Generate the self-signed CA certificate (ECC type key).
openssl x509 -req -days 1460 -in /etc/ssl/certs/CA-ecc.csr -out /etc/ssl/certs/CA-ecc.crt -signkey /etc/ssl/private/CA-ecc.key
You now have three files:
/etc/ssl/private/CA-ecc.key
/etc/ssl/certs/CA-ecc.csr
/etc/ssl/certs/CA-ecc.crt
6.2.2.2 Configure the CA to sign future server CSRs.
This is the same procedure as 6.2.1.2, applied to a separate ECC configuration file.
If you have not modified openssl.cnf:
cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf_ecc
Otherwise, if you created openssl.cnf_backup:
cp /etc/pki/tls/openssl.cnf_backup /etc/pki/tls/openssl.cnf_ecc
vi /etc/pki/tls/openssl.cnf_ecc
# Add or modify.
[ CA_default ]
dir = /etc/ssl
database = $dir/ca/index.txt
certificate = $dir/certs/CA-ecc.crt
serial = $dir/ca/serial
crlnumber = $dir/ca/crlnumber
crl = $dir/ca/crl.pem
private_key = $dir/private/CA-ecc.key
default_md = sha256
[ req ]
default_md = sha256
6.3 Server Self-signed certificate.
This section uses “srv1” as the example name of your machine.
Before generating, put the configuration matching the CA type in place.
To generate an RSA server certificate:
cp /etc/pki/tls/openssl.cnf_rsa /etc/pki/tls/openssl.cnf
To generate an ECC server certificate:
cp /etc/pki/tls/openssl.cnf_ecc /etc/pki/tls/openssl.cnf
6.3.1 RSA type.
Prerequisite: 6.2.1 done.
Reminder (6.2.2.2): select the RSA configuration.
cp /etc/pki/tls/openssl.cnf_rsa /etc/pki/tls/openssl.cnf
Generate private key.
openssl genrsa -out /etc/ssl/private/srv1.key 4096
Generate Certificate Signing Request.
openssl req -new -days 365 -key /etc/ssl/private/srv1.key -out /etc/ssl/certs/srv1.csr
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:srv1.ol26modk.com
Email Address []:[email protected]
Generate the server certificate, signed by your self-signed CA.
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/srv1.crt -in /etc/ssl/certs/srv1.csr
You now have three files:
/etc/ssl/private/srv1.key
/etc/ssl/certs/srv1.csr
/etc/ssl/certs/srv1.crt
6.3.2 ECC type.
Prerequisite: an ECC type CA (6.2.2 done).
Reminder (6.2.2.2): select the ECC configuration.
cp /etc/pki/tls/openssl.cnf_ecc /etc/pki/tls/openssl.cnf
Generate private key.
openssl ecparam -genkey -name prime256v1 -out /etc/ssl/private/srv1-ecc.key
Generate Certificate Signing Request.
openssl req -new -sha256 -key /etc/ssl/private/srv1-ecc.key -nodes -out /etc/ssl/certs/srv1-ecc.csr
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:France
Locality Name (eg, city) [Default City]:Versailles
Organization Name (eg, company) [Default Company Ltd]:ol26modk
Organizational Unit Name (eg, section) []:office
Common Name (eg, your name or your server's hostname) []:srv2.ol26modk.com
Email Address []:[email protected]
Note: the same Common Name as srv1 cannot be used because a certificate for that subject has already been issued; openssl ca refuses a second certificate for a subject already recorded in index.txt (unique_subject defaults to yes). The example therefore uses srv2.ol26modk.com instead.
Generate the server certificate, signed by your self-signed CA.
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/srv1-ecc.crt -in /etc/ssl/certs/srv1-ecc.csr
You now have three files:
/etc/ssl/private/srv1-ecc.key
/etc/ssl/certs/srv1-ecc.csr
/etc/ssl/certs/srv1-ecc.crt
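The following is an added example (not the wiki's own commands) that replays the 6.2.1.2 CA layout and the 6.3.1 signing step in a temporary directory, so the CA database, the chain verification and the duplicate-subject refusal noted in 6.3.2 can be checked without root. It assumes openssl is on PATH; the scratch paths, the 2048-bit keys and the extension sections are the example's own choices, not the wiki's.

```shell
# Added example, not part of the wiki: rebuild the 6.2.1.2 CA layout in a scratch
# directory (no root, /etc/ssl untouched), then sign and verify server CSRs as in 6.3.
set -eu
DIR="$(mktemp -d)"
mkdir -p "$DIR/ca" "$DIR/certs" "$DIR/private" "$DIR/newcerts"
touch "$DIR/ca/index.txt"
echo '01' > "$DIR/ca/serial"
# Minimal openssl.cnf with the CA_default keys the wiki sets (plus CA/leaf extensions).
cat > "$DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $DIR
database = \$dir/ca/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/CA.crt
serial = \$dir/ca/serial
private_key = \$dir/private/CA.key
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = v3_srv
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_srv ]
basicConstraints = CA:FALSE
EOF
# Self-signed CA, as in 6.2.1.1 (2048-bit key here; the wiki uses 4096).
openssl genrsa -out "$DIR/private/CA.key" 2048 2>/dev/null
openssl req -new -x509 -days 1460 -config "$DIR/openssl.cnf" -key "$DIR/private/CA.key" \
  -subj "/C=FR/O=ol26modk/CN=dns.ol26modk.com" -out "$DIR/certs/CA.crt"
# issue_cert NAME CN: key + CSR + "openssl ca" signature; fails if the CA refuses the CSR.
issue_cert() {
  openssl genrsa -out "$DIR/private/$1.key" 2048 2>/dev/null
  openssl req -new -config "$DIR/openssl.cnf" -key "$DIR/private/$1.key" \
    -subj "/C=FR/O=ol26modk/CN=$2" -out "$DIR/certs/$1.csr"
  openssl ca -batch -notext -config "$DIR/openssl.cnf" -in "$DIR/certs/$1.csr" \
    -out "$DIR/certs/$1.crt" >/dev/null 2>&1
}
# verify_chain NAME: does the certificate chain to CA.crt?  issued_count: V rows in index.txt.
verify_chain() { openssl verify -CAfile "$DIR/certs/CA.crt" "$DIR/certs/$1.crt" >/dev/null 2>&1; }
issued_count() { grep -c '^V' "$DIR/ca/index.txt"; }
```

Running `issue_cert srv1 srv1.ol26modk.com` twice reproduces the refusal from 6.3.2: the second call exits non-zero and index.txt keeps a single V row.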
6.4 Changing Permissions.
chmod 400 /etc/ssl/private/*
chmod 600 /etc/ssl/certs/*
chmod 700 /etc/ssl
Note: on RHEL-family systems /etc/ssl/certs is a symlink to /etc/pki/tls/certs and chmod follows it, so the 600 is applied to everything in that directory, including the system CA bundle linked from there and any certificate a service running as a non-root user must read. Keep the private keys restricted, but check that every unprivileged service can still open the certificates it needs.