-# generate a private key to be used by the CA
-openssl genrsa -des3 -out /root/certs/companyname_CA.key 4096
-# now, generate a .pem file to be used go sign. Note we are setting the ttl to
-# 3650 days (10 years) so we do not have to regen the CA very often. Adjust -days
-# to match your security needs
-openssl req -x509 -new -nodes -key companyname_CA.key -sha256 -days 3650 -out companyname_CA.pem
-
+# Scripts to Manipulate openssl
+
+This is a set of scripts that manipulate openssl, allowing you to more easily generate local Certificates of Authority, create Server Certificates based signed by that CA, and deploy them.
+
+## Set up System (config files)
+
+First, create an openssl configuration file and a makeCert.conf file. Simplest solution is
+
+```bash
+cp openssl.cnf.sample openssl.cnf
+cp makeCert.conf.sample makeCert.conf
+```
+
+Edit openssl.cnf. Be sure to set up the section *[req_distinguished_name]*. The section *[alt_names]* is a placeholder and will be ignored.
+
+Edit makeCert.conf, making sure you change the values of \$caCRT and \$caKey to match your preferences (hint, use your company or network name). The 10 years for a CA (\$caDays) and the one year for a Server Certificate (*\$certDays*) are reasonable. Do not make them much longer than that; some applications will refuse to use them.
+
+Some people will prefer to place their CA files into a subdirectory (or even someplace else on the file system), so caCRT and caKey take fully qualified path names. Keep the .crt and .key suffixes as that is pretty standardized.
+
+If you want to place your Server Certificates in their own directory, change \$serverCertDir (just a directory name)
+
+All paths must exist prior to running any scripts.
+
+## Create a Certificate of Authority
+
+```bash
+./makeCA
+```
+
+This will create a Certificate of Authority (private .key and certificate .crt file) wherever defined in the config file. It will ask for a passphrased twice, when creating the key file, and then again when creating the crt. The passphrases must match, and must be more than 8 characters long.
+
+This **crt** file should be deployed to all workstations which will access services using certificates created in the next section.
+
+## Create Server Certificates
+
+```bash
+./makeCert DNS_Name [alias ...]
+```
+
+This will create a server certificate signed by the CA above, valid the first parameter (DNS_Name) and all subsequent parameters (alias). The files will be named based on the first parameter, and stored in the \$serverCertDir directory. The following four files will be created. Below, *name* is the first parameter to the command
+
+- *name*.key - the private key for the Cert
+
+- *name*.ext - A configuration file (extension) based on openssl.cnf and modified for this certificate. Only created if it does not exist.
+
+- *name*.csr - A signing request (Certificate Signing Request) based on the extension file
+
+- *name*.crt - The signed certificate
+
+
+## Deploy Server Certificates
+
+```bash
+./deployCert hostname [certname]
+```
+
+This is a very simple script with limited abilities. It is designed to copy the two necessary files (.crt and .key) for a particular cert to hostname, using scp. It will then restart Apache on that hostname (via service apache2 reload)
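Review bot: the removed block was internally inconsistent, which is worth knowing if anyone still has it in a wiki or shell history: `openssl genrsa` writes the key to `/root/certs/companyname_CA.key`, but the following `openssl req` reads `-key companyname_CA.key` relative to the current directory, so the second step only works when run from /root/certs. The `-nodes` flag on that `req` line also does nothing, since it only affects a key that `req` generates itself (`-newkey`); the key here is already DES3-encrypted by `genrsa -des3`, which is the behaviour you want for a CA key. The comment "to be used go sign" should read "to be used to sign". None of this needs fixing in the diff since the lines are going away in favour of `./makeCA`, but the README should say explicitly that it replaces these manual steps.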
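Review bot: in the "Create Server Certificates" section, the line stating that *name*.ext is "Only created if it does not exist" describes a footgun that the text should warn about: re-running `./makeCert DNS_Name alias2` for a host that already has an .ext file silently reuses the old extension file, so the new certificate will not carry the new aliases in its subjectAltName. Suggest documenting that the .ext must be deleted (or edited) whenever the alias list changes, or having makeCert refuse to proceed when the aliases on the command line differ from the ones in the existing .ext. In the "Deploy Server Certificates" section, the script copies the private .key over scp; the text should state what ownership and mode the key ends up with on the target host (it should be readable only by root, since Apache reads it before dropping privileges) and that `service apache2 reload` assumes a Debian-style service name. Minor wording in the hunk: "Certificates of Authority" should be "Certificate Authorities", "based signed by" should be "signed by", "passphrased" should be "passphrase", and "valid the first parameter" should be "valid for the first parameter".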