Difference between revisions of "How to create SSL CA Cert Server"
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys: | OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys: | ||
| Line 15: | Line 12: | ||
Now to generate and sign a cert: | Now to generate and sign a cert: | ||
| + | |||
| + | #Create a Certificate Authority private key (this is your most important key): | ||
| + | openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key | ||
| + | #Create your CA self-signed certificate: | ||
| + | openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem | ||
| + | #Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA: | ||
| + | openssl genrsa -out client.key 1024 | ||
| + | openssl req -new -key client.key -out client.csr | ||
| + | openssl ca -in client.csr -out client.cer | ||
| + | |||
| + | |||
| + | |||
| + | *[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Developer_Guide/Creating_an_SSL_Certificate.html CA Issue Source] | ||
| + | *[http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain/418429 Generate SSl Chain] | ||
Revision as of 22:42, 3 March 2016
OpenSSL needs to have a CA directory created in order to sign crt requests. Use the following steps to create a CA server, then generate/sign keys:
Run the following to create a CA directory:
cd /etc/pki/ mv CA CA.original CA.pl -newca mv demoCA CA
Fix CA issues:
touch /etc/pki/CA/index.txt echo '1000' > /etc/pki/CA/serial
Now to generate and sign a cert:
- Create a Certificate Authority private key (this is your most important key):
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
- Create your CA self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
- Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer
