Thomas Cameron wrote:
> Paul Howarth wrote:
> > The approach I use is to create my own CA certificate and key and then
> > use that to sign the SSL certificates for all of my servers (e.g.
> > SMTP, IMAP, Web). At the client side, it's only necessary then to
> > import the CA certificate and everything just works.
> > Paul.
> Paul -
> How did you do that? I mean make the CA cert? The Dovecot and Sendmail
> (in my case) certs are well documented, but I would love to know how you
> generated your own CA certificate under FC.
The gist of it is:
1. Go to directory /etc/pki/tls/certs
2. Copy ../openssl.cnf to (say) mycompany.cnf and edit it to suit your
needs, for instance:
$ diff ../openssl.cnf mycompany.cnf
37c37
< dir = ../../CA # Where everything is kept
---
> dir = mycompany-ca # Where everything is kept
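Review bot: `dir = mycompany-ca` is a relative path, so `openssl ca` only finds the database, serial file and newcerts directory when it is run from /etc/pki/tls/certs (step 1); an absolute path such as `dir = /etc/pki/tls/certs/mycompany-ca` avoids a confusing failure when the command is run from somewhere else.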
68c68
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
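Review bot: `default_days = 3650` applies to every certificate `openssl ca` issues with this config, not only the CA certificate, so the server certificates from step 6 also get a ten-year lifetime (the `-days 3650` passed to `openssl req -new` in step 6 has no effect, since `-days` only applies with `-x509`). Consider keeping the default short and passing `-days` to `openssl ca` explicitly where a long lifetime is really wanted; step 4 already passes `-days 3650` for the CA certificate itself.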
133c133
< stateOrProvinceName_default = Berkshire
---
> stateOrProvinceName_default = My State
136c136
< localityName_default = Newbury
---
> localityName_default = My Locality
139c139
< 0.organizationName_default = My Company Ltd
---
> 0.organizationName_default = My Organisation
3. Create directory infrastructure for openssl to manage the certificates:
mkdir -p mycompany-ca/newcerts
echo 01 > mycompany-ca/serial
touch mycompany-ca/index.txt
4. Create the CA certificate and key:
(
echo ""
echo ""
echo ""
echo ""
echo "CA"
echo "My Name"
echo "myemail@xxxxxxxxxxx"
) | openssl req -config mycompany.cnf -new -x509 \
-passout pass:topsecretpassword \
-text \
-keyout mycompany-ca.key \
-out mycompany-ca.crt \
-days 3650
chmod 600 mycompany-ca.key
5. Make a hash link for your CA if necessary:
ln -s mycompany-ca.crt $(openssl x509 -noout -hash < mycompany-ca.crt).0
6. You can then make individual keys and certificates for each of your
applications, all signed using your new CA. For instance, for a web server:
(
echo ""
echo ""
echo ""
echo ""
echo "Web Server"
echo "www.example.com"
echo "webmaster@xxxxxxxxxxx"
echo "topsecretpassword"
echo "example.com"
) | openssl req -config mycompany.cnf -new -nodes \
-text \
-keyout mycompany-web.key \
-out mycompany-web.key \
-days 3650
openssl ca -config mycompany.cnf -batch \
-policy policy_anything \
-passin pass:topsecretpassword \
-keyfile mycompany-ca.key \
-cert mycompany-ca.crt \
-out mycompany-web.crt \
-infiles mycompany-web.key
chmod 600 mycompany-web.key
Obviously in all of the above change "mycompany", "example.com",
"topsecretpassword", "My Name" etc. to values appropriate to you.
If you want to see what each of the response fields (the echo commands
in parentheses in the commands above) are for, just run the openssl
command directly without piping input into it and enter your responses
to the prompts at the keyboard.
Paul.
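Paul's steps collapsed into one non-interactive script, as an added example that is not from the thread: it answers the prompts with -subj instead of piped echo lines, writes a minimal CA config of its own (the section names, "Example Org", the FQDN and the file names are made up for the example), adds a subjectAltName, which current clients require, and finishes by verifying the server certificate against the new CA.

```shell
#!/bin/sh
# Added example, not the thread's code: private CA + one server cert, then chain verification.
set -eu

make_private_ca() {   # usage: make_private_ca <absolute workdir> <server fqdn>
  dir=$1; fqdn=$2
  mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
organizationName = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  # CA key and self-signed CA certificate; -subj replaces the piped echo answers
  openssl req -config "$dir/ca.cnf" -new -x509 -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/OU=CA/CN=Example Org Root CA" -extensions ca_ext \
    -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # server key and CSR (kept in separate files, unlike the thread's combined file)
  openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/OU=Web Server/CN=$fqdn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # sign with the CA; server_ext supplies the SAN and server-only key usage
  openssl ca -config "$dir/ca.cnf" -batch -notext -days 825 -extensions server_ext \
    -keyfile "$dir/ca.key" -cert "$dir/ca.crt" -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
  # prove the result: the chain verifies against the CA and the SAN is present
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$fqdn"
}
```

Run it as `make_private_ca "$(mktemp -d)" www.example.com`; the resulting ca.crt is what clients import, and ca.key should never leave the signing host.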