Certificate Setup
About
This how-to lists the steps needed to create a certificate authority and sign a certificate for use with internal web servers, mail servers, and LDAP servers.
Prerequisites:
- openssl
Certificate (SSL/TLS) Setup
With openssl installed, make a directory where you will keep your cert files. In this example, we will use /var/sitename-ssl. This directory will also hold the CA's private key, so keep it readable by root only.
# mkdir -p /var/sitename-ssl
openssl.cnf
SuSE places the system-wide openssl.cnf in /etc/ssl. This file should be edited to provide defaults for your system. In /etc/ssl/openssl.cnf, change dir = ./demoCA to the name of the directory you just created. For example, dir = /var/sitename-ssl.
[ CA_default ]
dir             = /var/sitename-ssl     # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
Adjust the default values for your system in the [ req_distinguished_name ] section.
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Washington

localityName                    = City or Town Name
localityName_default            = Seattle

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = erikberg.com

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name for CA; hostname for Certificates)
commonName_default              =
commonName_max                  = 64

emailAddress                    = Email Address (eg, user@domain.com)
emailAddress_default            = ca@erikberg.com
emailAddress_max                = 64
Setup CA.pl Script
The SuSE OpenSSL package comes with a Perl script that we will use to create our Certificate Authority and Certificate Signing Requests. The script is located in /usr/share/ssl/misc/CA.pl. We need to make changes to this script, so copy it to a location of your own where openssl package updates will not overwrite it.

# cd /var/sitename-ssl
# cp /usr/share/ssl/misc/CA.pl .
Edit CA.pl and find the $CATOP="./demoCA"; variable. Modify it like so:
$CATOP=".";
$CAKEY="cakey.pem";
$CACERT="cacert.pem";
Run the CA.pl script to create your new Certificate Authority.
# pwd
/var/sitename-ssl
# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.............................++++++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Washington]:
City or Town Name [Seattle]:
Organization Name (eg, company) [erikberg.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name for CA; hostname for Certificates) []:Erik Berg CA
Email Address (eg, user@domain.com) [ca@erikberg.com]:
That creates the private key for your Certificate Authority (./private/cakey.pem, protected by the pass phrase you entered) and the self-signed CA certificate cacert.pem. The 1024-bit RSA keys and md5WithRSAEncryption signatures in the transcripts on this page are the defaults of the 2004-era OpenSSL they were made with; current releases default to 2048-bit keys and SHA-256, and modern clients reject MD5-signed and 1024-bit certificates, so on a current system keep those defaults. The next step is to create a certificate request for your CA to sign. -newreq-nodes writes the server's private key without a pass phrase so the service can start unattended; that key must then be protected by file permissions instead. Take care to enter the full hostname of the server where you wish to use the certificate as the Common Name. Wildcards are also valid here, e.g. *.erikberg.com would create a certificate request that is valid on anyhost.erikberg.com (a wildcard matches exactly one label, so not on a.b.erikberg.com).
# ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...........................++++++
........................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Washington]:
City or Town Name [Seattle]:
Organization Name (eg, company) [erikberg.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name for CA; hostname for Certificates) []:fore.erikberg.com
Email Address (eg, user@domain.com) [ca@erikberg.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
Now, you are ready to sign the certificate. Use the following command:
# ./CA.pl -signreq
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /var/ssltest/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  4 20:05:15 2004 GMT
            Not After : Dec  4 20:05:15 2005 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Washington
            localityName              = Seattle
            organizationName          = erikberg.com
            commonName                = fore.erikberg.com
            emailAddress              = ca@erikberg.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E0:65:26:00:C4:75:11:BE:E6:B0:10:D7:7F:B2:2F:46:57:F3:49:2F
            X509v3 Authority Key Identifier:
                keyid:3B:4F:A8:7C:5F:06:D9:03:65:61:86:10:A3:1A:2D:3E:4E:21:DD:8F
                DirName:/C=US/ST=Washington/L=Seattle/O=erikberg.com/CN=Erik Berg CA/emailAddress=ca@erikberg.com
                serial:00

Certificate is to be certified until Dec  4 20:05:15 2005 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
OK, you have a signed certificate and a key. The private key is in newreq.pem (together with the certificate request) and the certificate is in newcert.pem (preceded by its text dump). Take the RSA PRIVATE KEY block from newreq.pem and the CERTIFICATE block from newcert.pem and put them into a new file named server.pem.
# cat newreq.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCzMzVUYcROM8I+jok/Z1tT7y5Rr7e/jilcqhjpMGjUIiN0LeRp
7z9bHAWsthpuzwCj/2aeRC91ylbzvxJLTxx4ssk/8dLKjk0G4GrN2RBd018zGNpK
l8JalnrDUJ8MA/ohUJV9cR2vMzT0XZpl3v8qvU9Of2FBGOQ1Qybv527xxwIDAQAB
AoGAUwct9WvbBZTLsipegwcDdK9EWcq9qz5WAb46DolEeM1cee7tfvu/8hnYsz4o
nyDAHjwusrPK/ZuDkCn+cvAzsx3S7jlmzLjEhEPftYWRZatUGdBpVoVP8J8qgftT
o0UmnNKrtJEwu/6XQvTJREzT4tr0Wng5tQ5O1nH3LNZb6QECQQDkv+adlpMLhC+8
WELQPJu+mDk+J/giFANQAa1qdu5CTtW1znLwkLA7hSd25kLTs9c2cvMqG9SliGRy
osmQgQ+BAkEAyIw19Y6+l5byZxa4r0jmyn7qxpiq+ih4Lf0tbBlxEjE6Adj2et/T
nSNhqVnksH5PS8A+uyfJgludjHmJf2YlRwJBAL6hjjbWPUTjrERx6XxQhhqYEVxT
Qt5jfz81pqeK5ZQszrzsh60jZzqzBOh5jEeRIFEoCq2U8+nfeJZwQzpB1AECQAQD
AgVSgK+Jnnm/c5xWCf/dABdO8ISmkJji6qix7Zgekfl9fJjCp3oKPibkHHYHYNC0
HM0jo51O9dzchYqd4XsCQQCHi5BkLppFVvFWTu9Amf+3CE0KQaTawBF7t06IOave
9RccFJRaVMH/xCTVUPRbP2mMYl9LqKv0o7Xl7PINL9zm
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIByDCCATECAQAwgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
MRAwDgYDVQQHEwdTZWF0dGxlMRUwEwYDVQQKEwxlcmlrYmVyZy5jb20xGjAYBgNV
BAMTEWZvcmUuZXJpa2JlcmcuY29tMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVy
Zy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMzNVRhxE4zwj6OiT9n
W1PvLlGvt7+OKVyqGOkwaNQiI3Qt5GnvP1scBay2Gm7PAKP/Zp5EL3XKVvO/EktP
HHiyyT/x0sqOTQbgas3ZEF3TXzMY2kqXwlqWesNQnwwD+iFQlX1xHa8zNPRdmmXe
/yq9T05/YUEY5DVDJu/nbvHHAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQCUzmfb
8jl7YOynytUHssmC0SlwR1I+KtjveC8U0f/pv8jSsMzjziGXNtOylks8WDrqFOj9
zTxhWWXU6+vnAoukvm/tL3hrjPqqGur84FVW4jKmNv5oqA5+DHw0KpDHeAaiVSCR
ygHhjYu/JX8m6DqQBM0+0w1UTJzEXnQEB5ixnA==
-----END CERTIFICATE REQUEST-----
# cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=erikberg.com, CN=Erik Berg CA/emailAddress=ca@erikberg.com
        Validity
            Not Before: Dec  3 06:48:01 2004 GMT
            Not After : Dec  3 06:48:01 2005 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=erikberg.com, CN=fore.erikberg.com/emailAddress=ca@erikberg.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:33:35:54:61:c4:4e:33:c2:3e:8e:89:3f:67:
                    5b:53:ef:2e:51:af:b7:bf:8e:29:5c:aa:18:e9:30:
                    68:d4:22:23:74:2d:e4:69:ef:3f:5b:1c:05:ac:b6:
                    1a:6e:cf:00:a3:ff:66:9e:44:2f:75:ca:56:f3:bf:
                    12:4b:4f:1c:78:b2:c9:3f:f1:d2:ca:8e:4d:06:e0:
                    6a:cd:d9:10:5d:d3:5f:33:18:da:4a:97:c2:5a:96:
                    7a:c3:50:9f:0c:03:fa:21:50:95:7d:71:1d:af:33:
                    34:f4:5d:9a:65:de:ff:2a:bd:4f:4e:7f:61:41:18:
                    e4:35:43:26:ef:e7:6e:f1:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:18:D2:37:54:32:C0:FB:A3:D7:1A:32:E2:B1:4F:77:03:A4:9B:6F
            X509v3 Authority Key Identifier:
                keyid:B2:4C:6D:87:84:E1:73:84:0A:6B:FB:75:E5:21:F9:27:7F:CB:B7:47
                DirName:/C=US/ST=Washington/L=Seattle/O=erikberg.com/CN=Erik Berg CA/emailAddress=ca@erikberg.com
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        54:07:32:f6:2f:f7:e9:16:d5:38:9f:16:e8:42:ed:ac:19:d0:
        7d:ef:be:47:91:f2:27:6a:fa:24:00:f6:1f:23:bf:27:2c:88:
        df:4f:0a:05:07:a5:6f:ab:c5:b5:1b:6c:cb:2d:b5:7e:35:f1:
        f8:51:37:23:15:08:84:8d:e0:7d:cd:86:8b:20:5e:2d:34:88:
        85:bd:c4:fb:7a:1c:bd:2f:e9:88:4e:b4:e4:af:95:8f:c5:ca:
        77:bf:cf:a7:3e:40:10:ce:93:4f:b7:31:39:0a:e1:f1:01:a7:
        ad:82:b5:ed:07:6c:53:b8:d5:00:d4:7c:2e:c9:df:13:f2:7a:
        36:b8
-----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoT
DGVyaWtiZXJnLmNvbTEVMBMGA1UEAxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcN
AQkBFg9jYUBlcmlrYmVyZy5jb20wHhcNMDQxMjAzMDY0ODAxWhcNMDUxMjAzMDY0
ODAxWjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEaMBgGA1UEAxMRZm9y
ZS5lcmlrYmVyZy5jb20xHjAcBgkqhkiG9w0BCQEWD2NhQGVyaWtiZXJnLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAszM1VGHETjPCPo6JP2dbU+8uUa+3
v44pXKoY6TBo1CIjdC3kae8/WxwFrLYabs8Ao/9mnkQvdcpW878SS08ceLLJP/HS
yo5NBuBqzdkQXdNfMxjaSpfCWpZ6w1CfDAP6IVCVfXEdrzM09F2aZd7/Kr1PTn9h
QRjkNUMm7+du8ccCAwEAAaOCAQ4wggEKMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT6GNI3
VDLA+6PXGjLisU93A6SbbzCBrwYDVR0jBIGnMIGkgBSyTG2HhOFzhApr+3XlIfkn
f8u3R6GBiKSBhTCBgjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEVMBMGA1UE
AxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVyZy5jb22C
AQAwDQYJKoZIhvcNAQEEBQADgYEAVAcy9i/36RbVOJ8W6ELtrBnQfe++R5HyJ2r6
JAD2HyO/JyyI308KBQelb6vFtRtsyy21fjXx+FE3IxUIhI3gfc2GiyBeLTSIhb3E
+3ocvS/piE605K+Vj8XKd7/Ppz5AEM6TT7cxOQrh8QGnrYK17QdsU7jVANR8Lsnf
E/J6Nrg=
-----END CERTIFICATE-----
# sed -ne '/BEGIN RSA/,/END RSA/w server.pem' newreq.pem
# sed -ne '/BEGIN/,/END/p' newcert.pem >> server.pem
# cat server.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCzMzVUYcROM8I+jok/Z1tT7y5Rr7e/jilcqhjpMGjUIiN0LeRp
7z9bHAWsthpuzwCj/2aeRC91ylbzvxJLTxx4ssk/8dLKjk0G4GrN2RBd018zGNpK
l8JalnrDUJ8MA/ohUJV9cR2vMzT0XZpl3v8qvU9Of2FBGOQ1Qybv527xxwIDAQAB
AoGAUwct9WvbBZTLsipegwcDdK9EWcq9qz5WAb46DolEeM1cee7tfvu/8hnYsz4o
nyDAHjwusrPK/ZuDkCn+cvAzsx3S7jlmzLjEhEPftYWRZatUGdBpVoVP8J8qgftT
o0UmnNKrtJEwu/6XQvTJREzT4tr0Wng5tQ5O1nH3LNZb6QECQQDkv+adlpMLhC+8
WELQPJu+mDk+J/giFANQAa1qdu5CTtW1znLwkLA7hSd25kLTs9c2cvMqG9SliGRy
osmQgQ+BAkEAyIw19Y6+l5byZxa4r0jmyn7qxpiq+ih4Lf0tbBlxEjE6Adj2et/T
nSNhqVnksH5PS8A+uyfJgludjHmJf2YlRwJBAL6hjjbWPUTjrERx6XxQhhqYEVxT
Qt5jfz81pqeK5ZQszrzsh60jZzqzBOh5jEeRIFEoCq2U8+nfeJZwQzpB1AECQAQD
AgVSgK+Jnnm/c5xWCf/dABdO8ISmkJji6qix7Zgekfl9fJjCp3oKPibkHHYHYNC0
HM0jo51O9dzchYqd4XsCQQCHi5BkLppFVvFWTu9Amf+3CE0KQaTawBF7t06IOave
9RccFJRaVMH/xCTVUPRbP2mMYl9LqKv0o7Xl7PINL9zm
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoT
DGVyaWtiZXJnLmNvbTEVMBMGA1UEAxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcN
AQkBFg9jYUBlcmlrYmVyZy5jb20wHhcNMDQxMjAzMDY0ODAxWhcNMDUxMjAzMDY0
ODAxWjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEaMBgGA1UEAxMRZm9y
ZS5lcmlrYmVyZy5jb20xHjAcBgkqhkiG9w0BCQEWD2NhQGVyaWtiZXJnLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAszM1VGHETjPCPo6JP2dbU+8uUa+3
v44pXKoY6TBo1CIjdC3kae8/WxwFrLYabs8Ao/9mnkQvdcpW878SS08ceLLJP/HS
yo5NBuBqzdkQXdNfMxjaSpfCWpZ6w1CfDAP6IVCVfXEdrzM09F2aZd7/Kr1PTn9h
QRjkNUMm7+du8ccCAwEAAaOCAQ4wggEKMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT6GNI3
VDLA+6PXGjLisU93A6SbbzCBrwYDVR0jBIGnMIGkgBSyTG2HhOFzhApr+3XlIfkn
f8u3R6GBiKSBhTCBgjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEVMBMGA1UE
AxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVyZy5jb22C
AQAwDQYJKoZIhvcNAQEEBQADgYEAVAcy9i/36RbVOJ8W6ELtrBnQfe++R5HyJ2r6
JAD2HyO/JyyI308KBQelb6vFtRtsyy21fjXx+FE3IxUIhI3gfc2GiyBeLTSIhb3E
+3ocvS/piE605K+Vj8XKd7/Ppz5AEM6TT7cxOQrh8QGnrYK17QdsU7jVANR8Lsnf
E/J6Nrg=
-----END CERTIFICATE-----
Move server.pem to where your service can read it. The key inside it is not encrypted, so make the file owned by root or the service account with mode 0600; anyone who can read server.pem can impersonate the server. Clients will only trust the certificate once cacert.pem is installed in their trust store, so distribute the CA certificate to them, and never cakey.pem.
CentOS 6.7
On CentOS the script is installed as /etc/pki/tls/misc/CA, the CA directory defaults to /etc/pki/CA, and -newreq-nodes writes the private key to newkey.pem rather than into newreq.pem, so server.pem is built from newkey.pem instead of with the sed command used above.

# cd /etc/pki/tls/misc/
#
# C=US, ST=Washington, L=Seattle, O=ebloft.sea, CN=fork.ebloft.sea
# ./CA -newreq-nodes
# cat newreq.pem
# ./CA -signreq
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
# cat newkey.pem
# cat newcert.pem
#
#sed -ne '/BEGIN PRIV/,/END PRIV/w server.pem' newreq.pem
# cp newkey.pem server.pem
# sed -ne '/BEGIN/,/END/p' newcert.pem >> server.pem
# cat server.pem
# mv server.pem fork.ebloft.sea.pem
Revoke Expired Certificate
Expiring certificates must be revoked before they can be renewed, otherwise openssl ca refuses to sign a second certificate with the same subject and fails with an index DB (TXT_DB) error. That check is controlled by unique_subject in [ CA_default ]: the setting shown at the top of this page (unique_subject = no) switches it off, and openssl ca -updatedb, which marks expired entries in index.txt as expired, also clears them from the check. -revoke takes the certificate file, not the key. Revocation only updates index.txt; clients learn of it only if you also regenerate and publish the CRL (openssl ca -gencrl).

# openssl ca -revoke force.ebloft.sea.pem
Subject Alternative Name
Needed so that both https://hostname and https://hostname.domainname.tld work on the local LAN. Current browsers ignore the Common Name and match the requested host only against subjectAltName entries, so list every name the service answers to, the FQDN as well as the short name. copy_extensions = copy makes openssl ca take the extensions from the request, which is why the option is marked "use with caution": every extension the requester put into the CSR is copied, except those the CA's own extension section already sets, so review requests before signing them.

** openssl.cnf **
[ CA_default ]
# Extension copying option: use with caution.
copy_extensions = copy

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = force
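The following script is added here as an example; it is not code from the original page. It carries out the procedure above with openssl ca directly rather than through CA.pl: the CA directory and openssl.cnf, the CA key and certificate, a server request signed with a Subject Alternative Name set by the CA at signing time (instead of copied from the CSR as in the configuration just shown), the server.pem bundle, and the revocation plus CRL from the Revoke Expired Certificate section. It uses the key size and digest a current deployment needs (2048-bit RSA, SHA-256) rather than the 1024-bit/MD5 defaults in the transcripts. Everything in it is hypothetical: the CA directory comes from the caller, the organisation "Example Lab" and the host fore.example.test are made up, and the CA key is written without a pass phrase so that the script can run unattended (the how-to's pass-phrase-protected CA key is the better choice for a long-lived CA).

```shell
#!/bin/sh
# Added example, not code from the original page: the CA.pl steps done with
# "openssl ca" directly, plus the SAN and revocation steps, using parameters a
# current deployment needs (2048-bit RSA, SHA-256, CA:TRUE on the root, SAN on
# the leaf). Assumes OpenSSL 1.0.2+ on PATH; the CA key is left unencrypted
# (-nodes) so the script runs unattended; all names below are hypothetical.
set -eu

# make_ca DIR : the layout "openssl ca" expects, then a self-signed CA cert.
make_ca() {
    dir="$1"; mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    chmod 700 "$dir/private"; : > "$dir/index.txt"   # index DB from Troubleshooting
    echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no               # renewal does not collide with the old entry
[ policy_any ]
commonName = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
O = Example Lab
CN = Example Lab CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
}

# issue_server DIR HOST : key + CSR for HOST, signed by the CA; the SAN is set
# at signing time, so the CA (not the requester) decides which names it covers.
issue_server() {
    dir="$1"; host="$2"; base="$dir/certs/$host"
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$dir/openssl.cnf" \
        -subj "/O=Example Lab/CN=$host" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    cat > "$base.ext" <<EOF
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$host,DNS:${host%%.*}
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -extfile "$base.ext" -extensions v3_server \
        -in "$base.csr" -out "$base.crt" 2>/dev/null
    # server.pem as the how-to builds it: key first, then certificate. The key
    # is unencrypted, so only root and the service account may read the file.
    cat "$base.key" "$base.crt" > "$base.pem"
    chmod 600 "$base.key" "$base.pem"
}

# verify_server DIR HOST : 0 only if the leaf chains to the CA, is CA:FALSE,
# carries the SAN, the key matches the certificate, and server.pem holds both.
verify_server() {
    dir="$1"; host="$2"; base="$dir/certs/$host"
    openssl verify -CAfile "$dir/cacert.pem" "$base.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$base.crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' && echo "$text" | grep -q "DNS:$host" || return 1
    kmod=$(openssl rsa -in "$base.key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$base.crt" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    [ "$(grep -c '^-----BEGIN' "$base.pem")" -eq 2 ]
}

# revoke_server DIR HOST : revoke the leaf and publish a CRL; 0 only if a
# CRL-checking verify now rejects the certificate.
revoke_server() {
    dir="$1"; host="$2"; crt="$dir/certs/$host.crt"
    openssl ca -config "$dir/openssl.cnf" -revoke "$crt" 2>/dev/null || return 1
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null || return 1
    openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl.pem" \
        "$crt" >/dev/null 2>&1 && return 1   # still accepted: revocation did not take
    grep -q '^R' "$dir/index.txt"            # the index now lists the entry as revoked
}

if [ $# -eq 2 ]; then   # usage: sh ca.sh /var/sitename-ssl fore.example.test
    make_ca "$1"; issue_server "$1" "$2"; verify_server "$1" "$2"
    echo "ok: $1/certs/$2.pem chains to $1/cacert.pem"
fi
```

verify_server is the check to run before handing a server.pem to a service: it catches the three mistakes this page's troubleshooting list is about (a bundle without the key, a key that does not belong to the certificate, and a certificate the CA file cannot vouch for). revoke_server only succeeds once a CRL-checking verify rejects the certificate; a client that is not given the CRL (or an OCSP responder) keeps accepting a revoked certificate, which is why the -revoke step alone is not enough.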
Troubleshooting
- unable to get private key: the file handed to the service or to openssl does not contain a readable private key, or the pass phrase for an encrypted key was wrong. After -newreq-nodes the key sits in newreq.pem (newkey.pem on CentOS), and the file you deploy must contain the PRIVATE KEY block.
- 0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject: openssl ca found no unique_subject setting in [ CA_default ]. The message is usually printed alongside the real failure, most often the index DB rejecting a second certificate with the same subject; set unique_subject in openssl.cnf as shown above (no to allow re-issuing, or revoke the old certificate first).
- error 20 at 0 depth lookup:unable to get local issuer certificate: the verifier could not find the CA certificate that signed the certificate being checked. Give openssl verify the CA certificate with -CAfile cacert.pem, or install cacert.pem in the client's trust store.