
Background

Recently, I discovered how to use the CA script that ships with OpenSSL to create a certificate authority and self-signed certificates. Traditionally, I had run all of the commands manually. When using the CA script it is critical to understand the underlying security concepts.

Certificate Authority

OpenSSL has the infrastructure to create a long-lived Certificate Authority.

Every certificate the CA signs is tracked: the index file is the database of issued certificates, and the certificates themselves are stored in newcerts.

The scripts that ship with the openssl package on RHEL can be used to build a certificate authority, create signing requests, sign them, and verify the results.

 

 

Basics

Configure a Certificate Authority (Openssl Infrastructure)

Set up the openssl.conf file

 

Defaults

 

Customizations

 

Create the certificate authority. Remember to enter a Common Name, or the Certificate Authority will not be built correctly and will be unusable.

 

Generate New Self Signed Certificate

Create the signing request, then sign it with your CA. If you generate a new certificate with the CA script, it will not be signed at all. This method keeps track of all certificates in the CA directory. This tracking mechanism allows a certificate to be revoked should it become compromised during its lifetime.

 

Then sign it

 

Verify it

 

Special Operations

Modify CA Script to Prevent Key Encryption

There are times when an administrator would like to generate a key that is not encrypted. For example, this allows Apache, Postfix, Dovecot, or vsftpd to start with the key unattended. This can be done by modifying the CA script.

 

Change from:

 

This tells openssl not to encrypt the generated private key. The option, -nodes, stands for "no DES".
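An added example of the difference the option makes, not part of the page or of the CA script: it generates one key with -nodes and one with a passphrase, shows how to tell the two apart from the PEM header, and checks which one a daemon could load at start-up with no passphrase available. The minimal request config, the passphrase, the subject and the file names are assumptions for the demo; the unencrypted key is protected with owner-only file permissions, which is all that guards it once it is not encrypted.

```shell
# Added example (not the page's code): generate a private key with and without
# -nodes, tell the two apart, and confirm that only the unencrypted key loads
# without a passphrase, as a service does on boot. The request config,
# passphrase, subject and file names are assumptions for this demo.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# "openssl req" needs a distinguished_name section even when -subj is used.
write_req_cnf() { printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$1"; }

# Key + CSR. An empty $3 means -nodes (no encryption); otherwise the value is
# used as the passphrase via -passout.
gen_key() {
    local cnf="$1" key="$2" pass="${3:-}"
    if [ -z "$pass" ]; then set -- -nodes; else set -- -passout "pass:$pass"; fi
    openssl req -new -newkey rsa:2048 "$@" -config "$cnf" \
        -subj "/CN=demo.example.test" -keyout "$key" -out "$key.csr" 2>/dev/null
}

# PEM header check: "ENCRYPTED PRIVATE KEY" (PKCS#8) or "Proc-Type: 4,ENCRYPTED"
# (legacy format) both mark an encrypted key.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Can the key be parsed with no passphrase available? This is what a daemon
# does at start-up; an encrypted key blocks on a prompt or fails here.
key_loads_unattended() { openssl pkey -in "$1" -passin pass: -noout </dev/null 2>/dev/null; }

# An unencrypted key is guarded only by file permissions: make it owner-only.
protect_key() { chmod 600 "$1"; }
key_mode() { ls -l "$1" | cut -c1-10; }

WORK="$(mktemp -d)"
write_req_cnf "$WORK/req.cnf"
if have_openssl; then
    gen_key "$WORK/req.cnf" "$WORK/plain.key"                    # -nodes
    gen_key "$WORK/req.cnf" "$WORK/enc.key" "demo-passphrase"    # encrypted
    protect_key "$WORK/plain.key"
    for k in plain enc; do
        if key_is_encrypted "$WORK/$k.key"; then echo "$k.key: encrypted"; else echo "$k.key: NOT encrypted"; fi
        if key_loads_unattended "$WORK/$k.key"; then echo "$k.key: loads unattended"; else echo "$k.key: needs a passphrase"; fi
    done
    echo "plain.key mode: $(key_mode "$WORK/plain.key")"        # -rw-------
fi
```

The trade-off is visible in the output: the -nodes key loads with no passphrase, which is what lets the service start without an operator, and for exactly that reason anyone who can read the file has the key. Owner-only permissions on the key file and on the directory holding it are the minimum that should accompany the change to the CA script.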

 

 

Conclusion

These commands are much easier to memorize and use than raw openssl with all of its options. This method also tracks certificates and provides a sane way of tracking active and revoked certificates.

 
