---
# OpenSSL Certificate Authority
**URL:** https://crunchtools.com/openssl-ca/
Date: 2012-10-25
Author: fatherlinux
Post Type: post
Summary: Background Recently, I discovered how to use the openssl provided CA script to create a certificate authority and self signed certificates. Traditionally, I had run all of the commands manually. When using the CA script it is critical to understand the underlying security concepts.
Categories: Articles
Tags: Best Practices, Security, Systems Administration
---
## Background
Recently, I discovered how to use the [openssl](http://www.openssl.org/) provided CA script to create a [certificate authority](http://en.wikipedia.org/wiki/Certificate_authority) and [self signed certificates](http://en.wikipedia.org/wiki/Self-signed_certificate). Traditionally, I had run all of the commands manually. When using the CA script, it is critical to understand the underlying security concepts.
### Certificate Authority
OpenSSL ships the infrastructure to run a long-lived Certificate Authority rooted in a single directory:
`/etc/pki/CA`
Every certificate the CA signs is tracked: the index file is the database for the certificates stored in `newcerts`.
`/etc/pki/CA/serial`
`/etc/pki/CA/index.txt`
`/etc/pki/CA/newcerts`
Scripts that ship with the openssl package on RHEL can be used to build a certificate authority, create signing requests, sign them, and verify the results:
`/etc/pki/tls/misc/CA -h`
## Basics
### Configure a Certificate Authority (Openssl Infrastructure)
Set up the openssl.conf file:
`vim /etc/pki/tls/openssl.conf`
Defaults:
`private_key = cakey.pem`
`certificate = cacert.pem`
`crl = crl.pem`
Customizations:
`countryName_default = US`
`stateOrProvinceName_default = Ohio`
`localityName_default = Akron`
`0.organizationName_default = Crunchtools`
Create the certificate authority. Remember to put in a Common Name, or the Certificate Authority will not be built correctly and will be unusable.
`/etc/pki/tls/misc/CA -newca`
### Generate New Self Signed Certificate
Create the signing request, then sign it with your CA. If you instead generate a new certificate directly with the CA script, it will not be signed at all. This method keeps track of every certificate in the CA directory, and that tracking is what allows a certificate to be revoked should it become compromised during its lifetime.
`/etc/pki/tls/misc/CA -newreq`
Then sign it
`/etc/pki/tls/misc/CA -sign`
Verify it
`/etc/pki/tls/misc/CA -verify`
## Special Operations
### Modify CA Script to Prevent Key Encryption
There are times when an administrator would like to generate a key that is not encrypted. For example, this allows services such as apache, postfix, dovecot, or vsftpd to start without a passphrase prompt. This can be done by modifying the CA script.
`vim /etc/pki/tls/misc/CA`
Change from:
`REQ="$OPENSSL req $SSLEAY_CONFIG"`
to the following, which adds `-nodes` ("no DES") and tells openssl not to encrypt the generated private key:
`REQ="$OPENSSL req -nodes $SSLEAY_CONFIG"`
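To make the bookkeeping behind the CA script visible, here is an added shell example (not from the article) that runs the raw openssl commands equivalent to `CA -newca`, `CA -newreq` with `-nodes`, `CA -sign` and `CA -verify` in a throwaway directory, so the `serial` and `index.txt` tracking described in the Basics section can be inspected. The minimal `ca.cnf`, the temp directory and the `/CN=Demo CA` and `/CN=www.example.test` subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example: the openssl commands behind the RHEL CA script, run in a
# throwaway directory with a constructed minimal config (not the real one).
set -e

build_demo_ca() {
  dir=$(mktemp -d)
  cd "$dir"
  mkdir -p newcerts private
  touch index.txt          # empty certificate database
  echo 01 > serial         # first serial number to issue
  # Constructed config: only what `openssl ca` and `openssl req` require.
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
EOF
  # CA -newca: self-signed root. -nodes is used here only because the key
  # lives in a temp dir; a production CA key should stay encrypted.
  openssl req -new -x509 -nodes -days 3650 -config ca.cnf -subj "/CN=Demo CA" \
    -keyout private/cakey.pem -out cacert.pem 2>/dev/null
  # CA -newreq with -nodes: unencrypted key so a daemon can start unattended.
  openssl req -new -nodes -config ca.cnf -subj "/CN=www.example.test" \
    -keyout newkey.pem -out newreq.pem 2>/dev/null
  # CA -sign: issues the cert, appends a 'V' row to index.txt, bumps serial.
  openssl ca -batch -notext -config ca.cnf -in newreq.pem -out newcert.pem 2>/dev/null
  # CA -verify: chain check against the CA certificate.
  openssl verify -CAfile cacert.pem newcert.pem >/dev/null
  echo "$dir"
}

build_demo_ca
```

After it runs, `cat "$dir/index.txt"` shows the issued certificate's status, expiry and subject, and `serial` has advanced to 02.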
## Conclusion
These commands are much easier to memorize and use than raw openssl with all of its options. This method also tracks certificates and provides a sane way to track active and revoked certificates.