20070528 my certificate authority - plembo/onemoretech GitHub Wiki

title: My Certificate Authority
link: https://onemoretech.wordpress.com/2007/05/28/my-certificate-authority/
author: lembobro
description:
post_id: 707
created: 2007/05/28 19:00:00
created_gmt: 2007/05/28 19:00:00
comment_status: open
post_name: my-certificate-authority
status: publish
post_type: post

My Certificate Authority

In Red Hat/CentOS 5 the developers finally adopted the convention of later Fedora releases and moved /usr/share/ssl to /etc/pki/tls. For at least 2 years I’ve been making my own /etc/ssl/CA and /etc/ssl/certs to store my CA root and host-wide certificates. With the recent change, I’m now going to use /etc/pki/CA and /etc/pki/tls/certs for this purpose.

To make this as easy as possible, I edited /etc/pki/tls/openssl.cnf to set dir to “/etc/pki/CA” and default_days to “1825” (so my certs expire in 5 years instead of 1). I also filled out some of the other default info like countryName, etc. to avoid repetitive typing.

For some unknown reason, I really like using the little CA script that’s been standard with openssl distributions, which is now /etc/pki/tls/misc/CA.

To create my CA, I just issued a /etc/pki/tls/misc/CA -newca and answered the questions. My passphrase was a pretty long string I can remember, and I set the commonName to something like “My Company Authority” (this value is what gets displayed as the name of your authority in Mozilla and other browsers, so you want to make it obvious).

Once I had my new CA in place, it was time to start cutting some certificates. To do this I first changed to the directory where I wanted to store my certificates and keys, /etc/pki/tls/certs.

This is a two-step process. First, make a certificate request:

/etc/pki/tls/misc/CA -newreq

In answering the questions, for commonName I gave the hostname of the machine or virtual host that will use the cert. I also gave a short password (like “secret”) for the certificate key (you’ll see why a little further on). This creates two new files, “newreq.pem” (the request file) and “newkey.pem” (the key file).

Next, sign the certificate:

/etc/pki/tls/misc/CA -sign

This creates the certificate file, by default called “newcert.pem”.

Most Open Source software doesn’t provide a way to feed the key’s password during automatic startup. When starting Apache or OpenLDAP manually you’ll be prompted for that password, which the server needs to decrypt the key before starting up. To get around this, a decrypted version of the key can be used.

To create a decrypted version of the key, all you have to do is issue a:

openssl rsa -in newkey.pem -out hostkey.pem

This decrypts the “newkey.pem” made by CA and writes a new, unencrypted version called “hostkey.pem”. When configuring software that uses the certificate and key files, point it at the decrypted key file so the service can start without prompting for a key password.
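The whole workflow above (-newca, -newreq, -sign, then “openssl rsa” to strip the passphrase), replayed non-interactively with plain openssl commands in a scratch directory and followed by the checks a practitioner would want to run afterwards: that newkey.pem is still encrypted and hostkey.pem is not, that the decrypted key is readable only by its owner, that the key really belongs to the signed certificate, and that the certificate verifies against the CA root. This is an added example, not code from the post or from the OpenSSL CA script. The hostname, passphrases and directory layout are constructed for the demo, and the extension sections (CA:TRUE on the root, CA:FALSE plus serverAuth on the host certificate) are an addition beyond what the post configures; it assumes openssl 1.1.1 or later and a POSIX shell with mktemp and find.

```shell
#!/bin/sh
# Added example, not code from the original post or from the openssl CA script.
# Replays the post's workflow with plain openssl commands and no prompts, in a
# scratch directory so the real /etc/pki tree is never touched.
# Assumptions: openssl 1.1.1+, POSIX sh, mktemp -d, find -perm.
set -e

CA_PASS='constructed-ca-passphrase'   # stands in for the post's long CA passphrase
KEY_PASS='secret'                     # the short throwaway key password from the post
HOST='www.example.com'                # constructed hostname used as commonName

# Minimal openssl.cnf: dir points at the scratch CA and default_days is the
# post's 1825. The extension sections are an addition: they mark the root as
# a CA and the host certificate as a non-CA server certificate.
write_config() {
    cat > "$2" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 1825
default_md = sha256
policy = policy_any
x509_extensions = v3_host
[ policy_any ]
organizationName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
EOF
}

# Build the CA and one host certificate under $1 (layout mirrors /etc/pki/CA
# and /etc/pki/tls/certs). Fails (non-zero) if any openssl step fails.
# "pass:" sources are for the demo only; the CA script prompts instead.
build_ca_and_cert() {
    root=$1; ca=$root/CA; certs=$root/certs; cnf=$root/openssl.cnf
    mkdir -p "$ca/private" "$ca/newcerts" "$certs"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"
    write_config "$ca" "$cnf"

    # "CA -newca": self-signed root with a passphrase-protected key.
    openssl req -x509 -new -newkey rsa:2048 -days 3650 -config "$cnf" \
        -subj "/O=Example Co/CN=My Company Authority" \
        -keyout "$ca/private/cakey.pem" -passout "pass:$CA_PASS" -out "$ca/cacert.pem"

    # "CA -newreq": request plus encrypted key, commonName = hostname.
    openssl req -new -newkey rsa:2048 -config "$cnf" -subj "/CN=$HOST" \
        -keyout "$certs/newkey.pem" -passout "pass:$KEY_PASS" -out "$certs/newreq.pem"

    # "CA -sign": the CA signs the request; -batch replaces the y/n prompts.
    openssl ca -batch -notext -config "$cnf" -passin "pass:$CA_PASS" \
        -in "$certs/newreq.pem" -out "$certs/newcert.pem"

    # Strip the passphrase for unattended start-up, then lock the file down:
    # an unencrypted key is protected only by its file permissions.
    openssl rsa -in "$certs/newkey.pem" -passin "pass:$KEY_PASS" -out "$certs/hostkey.pem"
    chmod 600 "$certs/hostkey.pem"
}

# True when the PEM still carries an encryption header
# ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# True when the file mode is exactly 0600 (owner read/write only).
key_is_owner_only() { [ -n "$(find "$1" -perm 600)" ]; }

# True when the decrypted key is the private half of the certificate's key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# True when the host certificate verifies against the CA root.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run as "sh thisfile.sh demo" to see the checks applied end to end.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    build_ca_and_cert "$work"
    key_is_encrypted "$work/certs/newkey.pem"  && echo "newkey.pem: still encrypted"
    key_is_encrypted "$work/certs/hostkey.pem" || echo "hostkey.pem: passphrase removed"
    key_is_owner_only "$work/certs/hostkey.pem" && echo "hostkey.pem: mode 0600"
    key_matches_cert "$work/certs/hostkey.pem" "$work/certs/newcert.pem" && echo "key matches cert"
    cert_chains_to_ca "$work/CA/cacert.pem" "$work/certs/newcert.pem" && echo "cert chains to CA"
fi
```

The check functions are the part worth keeping around: after any run of the CA script and the “openssl rsa” step, grep for the ENCRYPTED header tells you which key file is the unprotected one, and the find -perm test catches the common mistake of leaving that file readable by every local account.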

Copyright 2004-2019 Phil Lembo