Linux certificate authority server installation – CentOS 7

# CREATE DIRECTORIES AND CONFIGS FOR ROOT CA
mkdir -p /data/ca
cd /data/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_root_CA.cnf
mv openssl_root_CA.cnf openssl.cnf
openssl genrsa -aes256 -out private/ca.key 4096

Enter pass phrase for private/ca.key:123123
Verifying - Enter pass phrase for private/ca.key:123123

chmod 400 private/ca.key
openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 7300 \
-sha256 -extensions v3_ca -out certs/ca.crt

Enter pass phrase for private/ca.key:123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name (full name) [Moscow]:ENTER
Locality Name (eg, city) [Moscow]:ENTER
Organization Name (eg, company) [Alexlinux Ltd]:ENTER
Common Name (eg, your name or your server's hostname) [Alexlinux Root CA]:ENTER
Email Address [ca@alexlinux.com]:ENTER

# SET PERMISSIONS
chmod 444 certs/ca.crt
# CREATE DIRECTORIES AND CONFIGS FOR INTERMEDIATE CA
mkdir -p /data/ca/intermediate
cd /data/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /data/ca/intermediate/crlnumber
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_intermediate_CA.cnf
mv openssl_intermediate_CA.cnf openssl.cnf
cd /data/ca
# GENERATE PRIVATE KEY FOR INTERMEDIATE CA
openssl genrsa -aes256 -out intermediate/private/intermediate.key 4096

Enter pass phrase for intermediate/private/intermediate.key:123123
Verifying - Enter pass phrase for intermediate/private/intermediate.key:123123

chmod 400 intermediate/private/intermediate.key
# GENERATE CSR FROM PRIVATE KEY
openssl req -config intermediate/openssl.cnf -new -sha256 -key \
intermediate/private/intermediate.key -out intermediate/csr/intermediate.csr

Enter pass phrase for intermediate/private/intermediate.key:123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name [Moscow]:ENTER
Locality Name [Moscow]:ENTER
Organization Name [Alexlinux Ltd]:ENTER
Organizational Unit Name [Security]:ENTER
Common Name [Alexlinux Intermediate CA]:ENTER
Email Address [ca@alexlinux.com]:ENTER

# CREATE CERTIFICATE FROM CSR
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 \
-notext -md sha256 -in intermediate/csr/intermediate.csr \
-out intermediate/certs/intermediate.crt

Enter pass phrase for /data/ca/private/ca.key:123123
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Jan 6 18:36:56 2017 GMT
Not After : Jan 4 18:36:56 2027 GMT
Subject:
countryName = RU
stateOrProvinceName = Moscow
organizationName = Alexlinux Ltd
organizationalUnitName = Security
commonName = Alexlinux Intermediate CA
emailAddress = ca@alexlinux.com
X509v3 extensions:
X509v3 Subject Key Identifier:
F6:A4:FA:89:0F:4F:AC:C0:C7:B9:75:E7:06:D1:2B:E6:6F:A7:5A:9B
X509v3 Authority Key Identifier:
keyid:96:97:C2:46:AB:BB:43:31:31:97:83:14:22:0E:08:CF:F8:96:07:69

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jan 4 18:36:56 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

chmod 444 intermediate/certs/intermediate.crt

# CREATE CHAIN
cat intermediate/certs/intermediate.crt certs/ca.crt \
> intermediate/certs/ca-chain.crt
chmod 444 intermediate/certs/ca-chain.crt

# GENERATE KEYS FOR WEB SERVER
openssl genrsa -aes256 \
-out intermediate/private/www.alexlinux.com.key 2048

Enter pass phrase for intermediate/private/www.alexlinux.com.key:123123
Verifying - Enter pass phrase for intermediate/private/www.alexlinux.com.key:123123

chmod 400 intermediate/private/www.alexlinux.com.key
wget http://store.alexlinux.com/configs/openssl/ownCA/openssl_web.cnf
openssl req -config openssl_web.cnf \
-key intermediate/private/www.alexlinux.com.key -new -sha256 -out \
intermediate/csr/www.alexlinux.com.csr

Enter pass phrase for intermediate/private/www.alexlinux.com.key:123123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:ENTER
State or Province Name [Moscow]:ENTER
Locality Name [Moscow]:ENTER
Organization Name [Alexlinux Ltd]:ENTER
Organizational Unit Name [Security]:ENTER
Common Name [www.alexlinux.com]:ENTER
Email Address [ca@alexlinux.com]:ENTER

# SIGN CERTIFICATE FOR WWW.ALEXLINUX.COM
openssl ca -config openssl_web.cnf -extensions server_cert -days 375 \
-notext -md sha256 -in intermediate/csr/www.alexlinux.com.csr -out \
intermediate/certs/www.alexlinux.com.crt

Enter pass phrase for /data/ca/intermediate/private/intermediate.key:123123
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Jan 6 18:43:44 2017 GMT
Not After : Jan 16 18:43:44 2018 GMT
Subject:
countryName = RU
stateOrProvinceName = Moscow
localityName = Moscow
organizationName = Alexlinux Ltd
organizationalUnitName = Security
commonName = www.alexlinux.com
emailAddress = ca@alexlinux.com
X509v3 extensions:
X509v3 CRL Distribution Points:

Full Name:
URI:http://ca.alexlinux.com/intermediate.crl

X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
61:AE:55:0C:3C:68:50:47:8C:73:0B:F8:0E:09:3B:E2:0D:FD:33:6B
X509v3 Authority Key Identifier:
keyid:F6:A4:FA:89:0F:4F:AC:C0:C7:B9:75:E7:06:D1:2B:E6:6F:A7:5A:9B
DirName:/C=RU/ST=Moscow/L=Moscow/O=Alexlinux Ltd/CN=Alexlinux Root CA
serial:10:00

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Jan 16 18:43:44 2018 GMT (375 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

chmod 444 intermediate/certs/www.alexlinux.com.crt
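The steps above never check the result. Before handing www.alexlinux.com.crt to a web server you want to verify the leaf against the chain file and confirm that the intermediate really is constrained to pathlen:0, as the "Certificate Details" output claims. The script below is an added example, not part of the original tutorial and not the contents of the openssl_*.cnf files it downloads: it builds a throwaway root -> intermediate -> server hierarchy in a temporary directory with the same three extension profiles (v3_ca, v3_intermediate_ca, server_cert, reconstructed here from the extensions shown in the signing output, plus a subjectAltName, which modern clients require and which the tutorial's server certificate lacks), then runs the verification you would run against /data/ca/intermediate/certs/ca-chain.crt. It assumes openssl is on PATH and uses unencrypted keys (-nodes) so it runs without prompts, unlike the -aes256 keys in the tutorial. The example also goes one step further than the page: it has the intermediate issue a sub-CA and shows that a certificate below that sub-CA fails verification because of the path length constraint.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): throwaway CA hierarchy
# mirroring root -> intermediate (pathlen:0) -> server, then verification.
# Assumptions: openssl on PATH; unencrypted keys; the extension profiles
# below are constructed here, not taken from the tutorial's config files.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_intermediate_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Root CA: self-signed, as "openssl req -x509 -extensions v3_ca" in the tutorial.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Root CA" \
  -config ext.cnf -extensions v3_ca -keyout ca.key -out ca.crt 2>/dev/null

SERIAL=4096   # 0x1000, the first serial the tutorial's "serial" file yields

# issue_csr SUBJECT KEYFILE CSRFILE: new key plus CSR (tutorial: openssl req -new)
issue_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$1" -config ext.cnf \
    -keyout "$2" -out "$3" 2>/dev/null
}
# sign_csr CSR CACERT CAKEY PROFILE OUT: sign with a profile (tutorial: openssl ca -extensions)
sign_csr() {
  SERIAL=$((SERIAL + 1))
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$SERIAL" -days 30 -sha256 \
    -extfile ext.cnf -extensions "$4" -out "$5" 2>/dev/null
}

issue_csr "/CN=Example Intermediate CA" intermediate.key intermediate.csr
sign_csr intermediate.csr ca.crt ca.key v3_intermediate_ca intermediate.crt
issue_csr "/CN=www.example.test" www.key www.csr
sign_csr www.csr intermediate.crt intermediate.key server_cert www.crt
cat intermediate.crt ca.crt > ca-chain.crt   # same as the tutorial's CREATE CHAIN step

# verify_leaf LEAF UNTRUSTED: prints OK, PATH_LENGTH_EXCEEDED, or the openssl error.
# Tutorial equivalent:
#   openssl verify -CAfile intermediate/certs/ca-chain.crt intermediate/certs/www.alexlinux.com.crt
# The output text is inspected because old openssl builds exit 0 even on failure.
verify_leaf() {
  out=$(openssl verify -CAfile "$WORK/ca-chain.crt" -untrusted "$2" "$1" 2>&1) || true
  case $out in
    *": OK"*)                            echo OK ;;
    *"path length constraint exceeded"*) echo PATH_LENGTH_EXCEEDED ;;
    *)                                   echo "FAIL: $out" ;;
  esac
}

# has_pathlen_zero CERT: does the certificate carry "CA:TRUE, pathlen:0"?
has_pathlen_zero() {
  openssl x509 -in "$1" -noout -text | grep -q 'pathlen:0'
}

# pathlen:0 means the intermediate may sign end-entity certificates only.
# A CA certificate it issues is syntactically fine, but nothing below it validates.
issue_csr "/CN=Unexpected Sub CA" subca.key subca.csr
sign_csr subca.csr intermediate.crt intermediate.key v3_intermediate_ca subca.crt
issue_csr "/CN=deeper.example.test" deeper.key deeper.csr
sign_csr deeper.csr subca.crt subca.key server_cert deeper.crt

verify_leaf www.crt intermediate.crt   # OK
verify_leaf deeper.crt subca.crt       # PATH_LENGTH_EXCEEDED
```

The same two checks apply to the real hierarchy: `openssl verify -CAfile intermediate/certs/ca-chain.crt intermediate/certs/www.alexlinux.com.crt` must print OK, and `openssl x509 -in intermediate/certs/intermediate.crt -noout -text` must show `CA:TRUE, pathlen:0` under Basic Constraints. If a server certificate only carries the hostname in its Common Name, as the one above does, browsers will reject it even though `openssl verify` accepts it, so the server_cert profile should add a subjectAltName.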

In the next part of this tutorial I will show you how to install the keys on nginx.
