Difference between revisions of "How to create SSL CA Cert Server"
(→Testing) |
(→Testing) |
||
Line 33: | Line 33: | ||
== Testing == | == Testing == | ||
openssl s_client -connect domainname:993 | openssl s_client -connect domainname:993 | ||
− |
Revision as of 23:10, 3 March 2016
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:
Run the following to create a CA directory:
cd /etc/pki/ mv CA CA.original CA.pl -newca mv demoCA CA
Fix CA issues:
touch /etc/pki/CA/index.txt echo '1000' > /etc/pki/CA/serial
Now to generate and sign a cert:
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer
Revoking SSL Cert:
In the default configuration, openssl will keep copies of all signed certificates in /etc/pki/CA/newcerts, named by its index number. So grep /etc/pki/index.txt to obtain the serial number of the key to be revoked, e.g. 1000, then execute the following command:
cat /etc/pki/CA/index.txt
The following line will appear:
V 170303223153Z 1000 unknown /C=CA/ST=British Columbia/O=HyperSecurity Solutions/OU=Mail/CN=mail.hypersecuresolutions.com/emailAddress=info@hypersecuresolutions.com
Then run the following to revoke the cert:
openssl ca -revoke /etc/pki/CA/newcerts/1000.pem
Testing
openssl s_client -connect domainname:993