Creating OpenSSL Certificates and Certificate Authorities

Creating an internal Certificate Authority

Running an internal Certificate Authority (CA) can be useful: intranet sites no longer need a paid certificate registration for each internal web server. The internal CA certificate must be installed in every browser that is to trust it. First, though, OpenSSL needs to be configured.

Edit /etc/ssl/openssl.cnf and make the following adjustments.

default_ca = RootCA
Change [ CA_default ] to [ RootCA ]
dir = /path/to/store/RootCA
new_certs_dir = $dir/newcerts
default_md = sha1
certificate = $dir/certs/cacert.pem
Adjust values under [ req_distinguished_name ] to fit your company

A central directory structure is needed to store the certificates issued by the internal CA. The certificate authority stores each certificate under a generated serial number, which is simply a counter kept in /path/to/store/RootCA/serial. The file is initially seeded with 01; once certificate 01 has been generated, OpenSSL increments the serial file.

# mkdir /path/to/store/RootCA
# cd /path/to/store/RootCA
# mkdir certs newcerts crl private
# touch index.txt
# echo "01" > serial

Key generation depends on large prime numbers and on good random data. Generate some random seed data for building the RootCA private key. The following command generates 1024 bytes of pseudo-random data and writes them base64-encoded.

# openssl rand -base64 1024 > /path/to/store/RootCA/private/.rand

Time to generate the private key. This creates a 2048-bit RSA private key encrypted with triple DES (DES3). Use a strong passphrase for this key.

# openssl genrsa -des3 -out private/cakey.pem -rand private/.rand 2048
1390 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
......................................................+++
......................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:

Now generate the CA certificate itself with OpenSSL: a self-signed certificate valid for 5 years (1827 days), based on the private key and stored in the certs directory. This is the file that will later be distributed to browsers.

# openssl req -new -x509 -days 1827 -key private/cakey.pem -out certs/cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Atlanta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Higherpass
Organizational Unit Name (eg, section) []:Cert Authority
Common Name (eg, YOUR name) []:higherpass.com
Email Address []:ssl@higherpass.com

Set up the certificate in the CA storage directory. The symlink is named after the certificate's subject hash, which is how OpenSSL locates a CA certificate when the directory is used as a certificate path.

# cd /path/to/store/RootCA/certs
# cp cacert.pem 00.pem
# ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0

Creating a key and certificate signed by the RootCA

Create a server key and a certificate signed by the new RootCA.

# cd /path/to/store/RootCA
# touch index.txt

Regenerate fresh random data:

# rm /path/to/store/RootCA/private/.rand
# openssl rand -base64 1024 > /path/to/store/RootCA/private/.rand

Generate the server's private key. Note that this one is not passphrase-encrypted.

# openssl genrsa -out server.key.pem -rand private/.rand 2048
1390 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
............+++
...................+++
e is 65537 (0x10001)

Generate a certificate signing request (CSR):

# openssl req -new -key server.key.pem -out server.req.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Atlanta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Higherpass
Organizational Unit Name (eg, section) []:SSL
Common Name (eg, YOUR name) []:ssl.higherpass.com
Email Address []:ssl@higherpass.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate request with the RootCA. This produces a server certificate that, once the RootCA certificate is installed in the browser, allows browsing the SSL site without warnings about unsigned or unknown certificates.

# openssl ca -name RootCA -in server.req.pem -out server.cert.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/RootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  8 22:28:13 2009 GMT
            Not After : Aug  8 22:28:13 2010 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Georgia
            organizationName          = Higherpass
            organizationalUnitName    = SSL
            commonName                = ssl.higherpass.com
            emailAddress              = ssl@higherpass.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2D:F1:87:CD:B0:B7:88:6E:F1:9B:54:84:94:9B:6D:E2:B3:7D:07:87
            X509v3 Authority Key Identifier: 
                keyid:D0:B0:60:1A:9D:C7:F5:7E:48:5E:2F:A6:D0:88:D4:F7:7D:72:C7:78
 
Certificate is to be certified until Aug  8 22:28:13 2010 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Move the new certificate into the RootCA certs directory and, as with the CA certificate, create a symlink named after its subject hash.

# mv newcerts/01.pem certs/
# cd certs
# ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0
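
The whole procedure above, from the openssl.cnf edits through the signed server certificate, as one non-interactive script. This is an added example, not the tutorial's own script: it writes a private openssl.cnf in a scratch directory instead of editing /etc/ssl/openssl.cnf, uses sha256 where the tutorial sets sha1 (SHA-1 certificate signatures are rejected by current browsers), encrypts the CA key with AES-256 instead of DES3, skips the .rand seeding because OpenSSL 1.1.1 and later seed themselves from the operating system, answers the two y/n prompts with -batch, and finishes with an openssl verify check that the tutorial leaves out. It assumes a POSIX sh and openssl 1.1.1 or later on PATH; the CA_DIR, CA_PASS and SERVER_SAN variables, the passphrase and the hostnames are constructed demo values (the subjects reuse the tutorial's).

```shell
#!/bin/sh
# Added example, not the tutorial's script: build an internal RootCA in a scratch
# directory, issue one server certificate from it and verify the chain.
# Assumes POSIX sh and openssl 1.1.1+ on PATH; every path, passphrase and
# subject below is a constructed demo value.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 1; }

CA_DIR="${CA_DIR:-$(mktemp -d)}"            # stands in for /path/to/store/RootCA
CA_PASS="${CA_PASS:-demo-only-change-me}"   # demo passphrase protecting cakey.pem
SERVER_SAN="DNS:localhost"                  # overridden per issued certificate
export CA_DIR CA_PASS SERVER_SAN

# Generate a private openssl.cnf instead of editing /etc/ssl/openssl.cnf as the
# tutorial does. The [ RootCA ] section mirrors the tutorial's, with sha256 in
# place of sha1; ${ENV::...} pulls values from the exported shell variables.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = RootCA

[ RootCA ]
dir             = ${ENV::CA_DIR}
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/certs/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_internal
x509_extensions = server_cert

[ policy_internal ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = ${ENV::SERVER_SAN}
EOF
}

# Directory layout, seeded serial, encrypted CA key and self-signed CA cert.
build_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"   # first issued certificate lands in newcerts/01.pem
    write_config
    openssl genrsa -aes256 -passout env:CA_PASS -out "$CA_DIR/private/cakey.pem" 2048
    openssl req -config "$CA_DIR/openssl.cnf" -new -x509 -days 1827 \
        -key "$CA_DIR/private/cakey.pem" -passin env:CA_PASS \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=Higherpass/OU=Cert Authority/CN=higherpass.com" \
        -out "$CA_DIR/certs/cacert.pem"
    # Subject-hash symlink, as in the tutorial: lets -CApath lookups find the CA.
    ln -sf cacert.pem "$CA_DIR/certs/$(openssl x509 -hash -noout -in "$CA_DIR/certs/cacert.pem").0"
}

# issue_server_cert <hostname>: unencrypted server key, CSR, then sign it.
# -batch answers the two y/n prompts shown in the tutorial's transcript.
issue_server_cert() {
    openssl genrsa -out "$CA_DIR/$1.key.pem" 2048
    openssl req -config "$CA_DIR/openssl.cnf" -new -key "$CA_DIR/$1.key.pem" \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=Higherpass/OU=SSL/CN=$1" \
        -out "$CA_DIR/$1.req.pem"
    SERVER_SAN="DNS:$1" openssl ca -config "$CA_DIR/openssl.cnf" -name RootCA \
        -batch -notext -passin env:CA_PASS \
        -in "$CA_DIR/$1.req.pem" -out "$CA_DIR/$1.cert.pem"
}

# verify_chain <hostname>: exit status 0 only if the cert chains to cacert.pem.
verify_chain() {
    openssl verify -CAfile "$CA_DIR/certs/cacert.pem" "$CA_DIR/$1.cert.pem"
}

next_serial() { cat "$CA_DIR/serial"; }   # serial OpenSSL will use for the next cert

build_ca
issue_server_cert ssl.higherpass.com
verify_chain ssl.higherpass.com
echo "CA in $CA_DIR; next serial: $(next_serial)"
```

After one issuance the serial file reads 02 and index.txt carries a single V (valid) line for ssl.higherpass.com, which is the state the tutorial's transcript ends in. The policy section is what strips fields from the issued subject: the tutorial's output shows no localityName because the stock policy does not list it, whereas the policy above declares it optional so it is kept. Set CA_DIR to a permanent path for real use; the scratch directory is not removed.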