Signing a certificate with your own certificate authority
Wednesday, November 10, 2010
In this post I'll describe how to quickly get set up as your own certificate authority and sign a certificate.
First, generate the CA private key and self-signed CA certificate. When prompted, fill in Country Name, State or Province Name and Organization Name: the default policy_match policy in openssl.cnf makes openssl ca refuse any request whose values for those three fields differ from the CA certificate's, and it requires a Common Name to be supplied. The passphrase you are asked for protects ca.key, the one secret this whole setup rests on. -sha256 and -newkey rsa:2048 are given explicitly because the SHA-1 and 1024-bit defaults of older openssl.cnf files are rejected by current clients:
# cd /etc/pki/tls/certs/
# openssl req -new -x509 -sha256 -newkey rsa:2048 -extensions v3_ca -keyout ca.key -out ca.crt -days 3650
Next, generate the server key and a certificate signing request. This can be done on a different machine, and preferably is: the private key never needs to leave the server, only the CSR does. Answer with the same Country, State and Organization as the CA, and use the server's hostname as the Common Name. Use at least a 2048-bit key; 1024-bit RSA keys are no longer accepted by clients:
# openssl genrsa -out server.key 2048
# openssl req -new -sha256 -key server.key -out server.csr
When this is done, send server.csr (and nothing else; server.key stays on the server) to the CA, and sign it there. -md sha256 guards against a CA openssl.cnf that still defaults to SHA-1, and the lifetime is kept short: Apple's TLS stack, for one, rejects server certificates valid for more than 825 days even when they come from a private CA:
# openssl ca -in server.csr -cert ca.crt -keyfile ca.key -out server.crt -md sha256 -days 825
openssl ca takes its working directory from the [ CA_default ] section of openssl.cnf (dir = /etc/pki/CA on Fedora/Red Hat), so the first run may complain about files it cannot find there. It needs an empty index.txt (the database of issued certificates), a serial file containing the next serial number, 01, and a newcerts directory in which it keeps a copy of every certificate it issues. On Fedora/Red Hat the directories already exist and the two files can be created with:
# touch /etc/pki/CA/index.txt
# echo '01' > /etc/pki/CA/serial
Now you're done! server.key holds the server's private key (keep it mode 0600, readable only by the service that uses it) and server.crt the signed public certificate. Verify that the certificate chains to your CA with:
$ openssl verify -CAfile ca.crt server.crt
which should print server.crt: OK. Clients will trust server.crt only once ca.crt has been added to their trust store, and anyone who obtains ca.key can mint certificates those clients will trust for any name, so protect it accordingly.
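The whole procedure above as one runnable script, added here as an example and not taken from the original post: it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf instead of the system /etc/pki tree, puts a subjectAltName in the request, signs with openssl ca as above, verifies the result, and then shows what the policy does when the CSR's State differs from the CA's. The hostnames, DN values and demo_* function names are made up for the demonstration, and it needs OpenSSL 1.1.1 or later for req -addext.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA in a
# temp dir, so nothing under /etc/pki is touched. Needs OpenSSL >= 1.1.1
# (for `req -addext`). Hostnames and DN values below are made up.
set -eu

# Minimal openssl.cnf for both `openssl req` and `openssl ca`. [policy_match]
# is why C, ST and O must agree between CA and request; CN must be present.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
policy          = policy_match
x509_extensions = server_cert
copy_extensions = copy
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 1: CA key + self-signed CA cert. -nodes only keeps the demo
# non-interactive; a real CA key is passphrase-protected and kept offline.
make_ca() {
    mkdir -p "$1/newcerts" && touch "$1/index.txt" && echo 01 > "$1/serial" || return 1
    write_ca_config "$1" || return 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=US/ST=Massachusetts/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2: server key + CSR (args: dir, hostname, state). The SAN matters:
# current clients match the hostname against subjectAltName, not the CN.
make_csr() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null || return 1
    openssl req -new -sha256 -key "$1/server.key" -config "$1/openssl.cnf" \
        -subj "/C=US/ST=$3/O=Example Lab/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$1/server.csr"
}

# Step 3: sign with `openssl ca` as in the post; -batch skips the y/n prompts.
# copy_extensions=copy (never copyall) lets the CSR's SAN through while the
# CA's own basicConstraints=CA:FALSE wins, so a request cannot smuggle CA:TRUE.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -cert "$1/ca.crt" -keyfile "$1/ca.key" \
        -in "$1/server.csr" -out "$1/server.crt" -days 825 -notext
}

# Full round trip: 0 when server.crt chains to ca.crt, carries the SAN, and
# the CA database (index.txt) records exactly one valid (V) certificate.
demo_ca_roundtrip() {
    d=$(mktemp -d) || return 1
    make_ca "$d" || return 1
    make_csr "$d" www.example.test Massachusetts || return 1
    sign_csr "$d" || return 1
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null || return 1
    openssl x509 -in "$d/server.crt" -noout -text | grep -q 'DNS:www.example.test' || return 1
    [ "$(grep -c '^V' "$d/index.txt")" -eq 1 ] || return 1
    rm -rf "$d"
}

# Failure mode: a CSR whose ST differs from the CA's (Vermont vs Massachusetts)
# trips policy_match and openssl ca must refuse it; returns 0 if it did.
demo_ca_policy_mismatch() {
    d=$(mktemp -d) || return 1
    make_ca "$d" || return 1
    make_csr "$d" www.example.test Vermont || return 1
    if sign_csr "$d" 2>/dev/null; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
}

demo_ca_roundtrip && demo_ca_policy_mismatch && echo "private CA demo: OK"
```

Running it prints "private CA demo: OK" once both checks pass. The config-driven layout is the same one openssl ca reads from /etc/pki/CA in the post; putting it in a scratch directory simply makes the required index.txt, serial and newcerts pieces explicit, and the second function is the concrete error you get when the State or Province Name does not match.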