Tuesday, September 18, 2012

Creating Root Certificate Authority using Debian to implement PEAP authentication on Microsoft NPS Radius


############# Creating Root Certificate Authority over Debian #############

By default - CA.pl (and CA.sh for that matter) together with openssl.cnf are set up so that everything happens in the local directory - with the CA store in ./demoCA. This isn't so very useful. So - let's make some decisions.

Our CA certificate will have a life of 10 years
Our SSL certificates will have a life of 2 years
We will store the CA information in /etc/ssl/ca (alongside the other ssl files).

#############  Changes to CA.pl
Locate the variables at the top - DAYS and CADAYS. Change these lines to look like:

    $DAYS="-days 730";       # 2 years
    $CADAYS="-days 3650";    # 10 years
    $CATOP="/etc/ssl/ca";

############# Changes to openssl.cnf
The first change must match the $CATOP variable from CA.pl - we need to change the dir variable so that it looks like

dir = /etc/ssl/ca

We should also set the default number of days to match $DAYS:

default_days = 730

############# Generating the CA certificate and storage area
cd testCA/
/usr/lib/ssl/misc/CA.pl -newca

HINT: Your new cacert.pem file is now in /etc/ssl/ca/cacert.pem and can be distributed for installation in browsers etc.

############# Generating a certificate request
To create a server certificate for any purpose, such as a PEAP or web server, run:

/usr/lib/ssl/misc/CA.pl -newreq

HINT: The vital point is that the CN of the certificate must be the domain name of the site you wish to secure. You can use *.example.com for a wildcard certificate.
HINT: This will generate a newkey.pem and a newreq.pem. newkey.pem you need to keep for later - newreq.pem you would send off for signing - in this case to yourself - but you could also use it for purchasing a real certificate.

############# Signing a certificate request
Given a newreq.pem in the current working directory, run:
/usr/lib/ssl/misc/CA.pl -sign

HINT: This will sign the request and generate a newcert.pem with the signed certificate. You will have to enter the password for your CA key which you supplied when creating the CA key, certificate and store.
HINT: It's better to rename those files to something useful:

mv newcert.pem NPS_RADIUS_04.cert
mv newkey.pem NPS_RADIUS_04.key

############# Removing passphrase
Note - your certificate's key has a passphrase assigned during the -newreq phase. If you want your software to autostart this won't work, since it prompts for the password. To remove the passphrase:
openssl rsa -in NPS_RADIUS_04.key -out NPS_RADIUS_04.nopass.key

############# Installing the issued certificate in Windows 2008
openssl pkcs12 -export -out cert+key.nopass.p12 -in NPS_RADIUS_04.cert -inkey NPS_RADIUS_04.nopass.key

should convert the cert and key into a PKCS#12 file, which Windows will probably have an easier time dealing with.


References:
http://www.debian-administration.org/articles/618
