SEC‐260 CA Prep - rosepheobieshea/SYS-255-Tech-Journal GitHub Wiki

Step One CA Pre-reqs
hostname ca-rose
systemctl status sshd
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --reload

Step 1.5 Webserver Pre-reqs
Install Apache
dnf install httpd
Enable the service and run on startup
systemctl enable httpd
systemctl start httpd
Allow HTTP and HTTPS communication
firewall-cmd --add-service=https --permanent
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload

Step Two Building the CA
mkdir to put shit in
mkdir ~/myCA
cd ~/myCA
gen private key for CA
openssl genrsa -out ca.key 4096
create root certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=Joyce310/O=Joyce310/OU=Joyce310"

Step Three Web Server Time
mkdir to put shit in
mkdir ~/webserver_certs
cd ~/webserver_certs

gen private key for web server
openssl genrsa -out websrv.key 2048

create csr for web server
openssl req -new -key websrv.key -out websrv.csr -subj "/CN=Joyce310/O=Joyce310/OU=Joyce310"

Copy .csr from webserver to CA
scp websrv.csr [email protected]:/root/myCA

Step Four Signing the Certificate
Sign the csr
openssl x509 -req -in websrv.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out websrv.crt -days 3650 -sha256

Step Five Return Cert
Copy file back to webserver
scp websrv.crt [email protected]:/root/webserver_certs

Step Six Configuring HTTPS on webserver
Copy certificates to appropriate directories
cp websrv.crt /etc/pki/tls/certs
cp websrv.key /etc/pki/tls/private
Install mod_ssl
dnf install mod_ssl
Update /etc/httpd/conf.d/ssl.conf
vi /etc/httpd/conf.d/ssl.conf
Make sure SSLCertificateFile matches the path for your certificate file
Make sure SSLCertificateKeyFile matches the path for your key file
Reload firewall
firewall-cmd --reload
Reload httpd
systemctl reload httpd
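
A check worth running before the httpd reload, as an added example that is not part of the original journal: it confirms that the signed certificate verifies against the CA and that the certificate and private key belong together. The function names, the demo subjects and the `other.key` file are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original wiki page). File names and subjects
# inside make_demo_pki are constructed for the demo.

# Succeeds only if CERT verifies against CA_CERT.
cert_chains_to_ca() {   # usage: cert_chains_to_ca CA_CERT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if KEY is the private key for the public key inside CERT.
# httpd will not load a certificate/key pair that does not match.
key_matches_cert() {    # usage: key_matches_cert CERT KEY
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Builds a throwaway CA, a server cert signed by it, and an unrelated key in DIR,
# with the same openssl steps as the page (2048-bit keys keep the demo fast).
# The server subject differs from the CA subject so chain lookup is unambiguous.
make_demo_pki() {       # usage: make_demo_pki DIR
    (
        cd "$1" || exit 1
        openssl genrsa -out ca.key 2048
        openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 \
            -out ca.crt -subj "/CN=Demo Root CA"
        openssl genrsa -out websrv.key 2048
        openssl req -new -key websrv.key -out websrv.csr -subj "/CN=web.example.test"
        openssl x509 -req -in websrv.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out websrv.crt -days 30 -sha256
        openssl genrsa -out other.key 2048
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
cert_chains_to_ca "$demo_dir/ca.crt" "$demo_dir/websrv.crt" && echo "chain: OK"
key_matches_cert "$demo_dir/websrv.crt" "$demo_dir/websrv.key" && echo "key pair: OK"
key_matches_cert "$demo_dir/websrv.crt" "$demo_dir/other.key" || echo "other.key: mismatch detected"
rm -rf "$demo_dir"   # the demo keys are disposable; remove them
```

On the real hosts, call the two check functions with the paths set in SSLCertificateFile and SSLCertificateKeyFile and the `ca.crt` from the CA.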