Recently, I discovered how to use the openssl provided CA script to create a certificate authority and self signed certificates. Traditionally, I had ran all fo the commands manually. When using the CA script it is critical to understand the underlying security concepts.
Openssl has infrstructure to create a long lived Certificate Authority
Certificates signed are tracked. Index file is database for certs in ”’newcerts”’
Scripts which come with the openssl package on RHEL can be used to build a certificate authority, complete signing requests, signings, verification
Configure a Certificate Authority (Openssl Infrastructure)
Setup openssl.conf file
private_key = cakey.pem
certificate = cacert.pem
crl = crl.pem
countryName_default = US
stateOrProvinceName_default = Ohio
localityName_default = Akron
0.organizationName_default = Crunchtools
Create the certificate authority. Remember to put in a Common Name, or the Certificate Authority will not be built correctly and will be unusable.
Generate New Self Signed Certificate
Create the signing request, then sign it with your CA. If you generate a new certificate with the CA script, it will not be signed at all. This method keeps track of all certificate in the CA directory. This tracking mechanism allows a certificate to be revoked should it become compromised during it’s lifetime.
Then sign it
Modify CA Script to Prevent Key Encryption
There are times when an administrator would like to generate a key that is not encrypted. For example this will allow the key to start in apache, postfix, dovecot, or vsftpd. This can be done by modifying CA.
REQ="$OPENSSL req $SSLEAY_CONFIG"
This tells openssl not to encrypt the generated private key. This option stands for no DES.
REQ="$OPENSSL req -nodes $SSLEAY_CONFIG"
These commands can be much easier to memorize and use than raw openss with all of it’s options. This method also tracks certs and enables a sane method for tracking active and revoked certs.