OpenSSL Certificate Authority

Background

Recently, I discovered how to use the openssl provided CA script to create a certificate authority and self signed certificates. Traditionally, I had ran all fo the commands manually. When using the CA script it is critical to understand the underlying security concepts.

Certificate Authority

Openssl has infrstructure to create a long lived Certificate Authority

/etc/pki/CA

 

Certificates signed are tracked. Index file is database for certs in ”’newcerts”’

/etc/pki/CA/serial
/etc/pki/CA/index.txt
/etc/pki/CA/newcerts

 

Scripts which come with the openssl package on RHEL can be used to build a certificate authority, complete signing requests, signings, verification

/etc/pki/tls/misc/CA -h

 

 

Basics

Configure a Certificate Authority (Openssl Infrastructure)

Setup openssl.conf file

vim /etc/pki/tls/openssl.conf

 

Defaults

private_key = cakey.pem
certificate = cacert.pem
crl = crl.pem

 

Customizations

countryName_default     = US
stateOrProvinceName_default = Ohio
localityName_default        = Akron
0.organizationName_default  = Crunchtools

 

Create the certificate authority. Remember to put in a Common Name, or the Certificate Authority will not be built correctly and will be unusable.

/etc/pki/tls/misc/CA -newca

 

Generate New Self Signed Certificate

Create the signing request, then sign it with your CA. If you generate a new certificate with the CA script, it will not be signed at all. This method keeps track of all certificate in the CA directory. This tracking mechanism allows a certificate to be revoked should it become compromised during it’s lifetime.

/etc/pki/tls/misc/CA -newreq

 

Then sign it

/etc/pki/tls/misc/CA -sign

 

Verifiy it

/etc/pki/tls/misc/CA -verify

 

Special Operations

Modify CA Script to Prevent Key Encryption

There are times when an administrator would like to generate a key that is not encrypted. For example this will allow the key to start in apache, postfix, dovecot, or vsftpd. This can be done by modifying CA.

vim /etc/pki/tls/misc/CA

 

Change from:

REQ="$OPENSSL req $SSLEAY_CONFIG"

 

This tells openssl not to encrypt the generated private key. This option stands for no DES.

REQ="$OPENSSL req -nodes $SSLEAY_CONFIG"

 

 

Conclusion

These commands can be much easier to memorize and use than raw openss with all of it’s options. This method also tracks certs and enables a sane method for tracking active and revoked certs.

 

Tags: , ,

No comments yet.

Leave a Reply