Tuesday, November 27, 2012

Creating a Certificate Authority OR Self Signing

To create the private Certificate Authority we could make one as below..
How the whole thing works

1.First create Certificate Authority with needed credentials as per needed certificate details.To sign a certificate signing request the authority must have a certificate with same credentials as that of certificate signing request . so after configuring /etc/pki/tls/openssl.cnf with needed credential we need to create a private key and a certificate in the certificate authority

2.create the private key and certificate signing request at client side as per needed credential.

3.scp the certificate signing request csr from the client to the server which is the certificate authority and sign the csr with the certificate authority and get the certificate and send the certificate back to client

Signing of the certificate will be successful only if the the credentials in the certificate authorities certificate and that in certificate signing request matches

Packages needed are openssl*

In server where we need to create the certificate authority

cd /etc/pki/tls/openssl.cnf
In that file we need to change the following as per out need
dir             = /etc/pki/CA ----------------------> root directory of Certificate  authority
certificate     = $dir/my-ca.crt  ------------------> Certificate of the CA which is used to check against the csr
crl             = $dir/crl.pem    ------------------> certificate revocation list if the certificate is compromised
private_key     = $dir/private/my-ca.key -----------> private key of Certificate authority used to create the CA's certificate

#######Basic Credentials that should be same in both csr and the certificate in CA

stateOrProvinceName_default     = North Carolina
localityName_default            = Raleigh
0.organizationName_default      = Example, Inc.

#######There are more credentials which are used in certificate creation

#######Make the needed directories in CA

mkdir /etc/pki/CA/{cert,crl,newcerts}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

NOW Creating the CA's private key and CERTIFICATE in corresponding places

cd /etc/pki/CA

openssl genrsa -out private/my-ca.key -des3 2048
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

Creating privet key and Certificate Signing Request at client side
Creating private key

openssl genrsa -out private.key -des3 2048

Creating certificate sigining request with private key

openssl req -new -key private.key -out certificate.csr

here you will be asked for needed credentials ..Remember if the credentials are different in csr and ca the signing will be failure

With certificate.csr in Certificate Authority server we can sign the certificate

openssl ca -in certificatecsr.csr -out certificate.crt

here the ca implies that it will use the configuration from /etc/pki/tls/openssl.cnf to sign the signing request.

Or the other way is to self sign as follow after creating the private key and csr we could do self signing as follows

openssl  x509 -req -days 365 -in  certificate.csr -signkey private.key -out certificate.crt

No comments:

Post a Comment