Re: /etc/pki certificate questions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Daniel B. Thurman wrote:
> Does anyone recommend a very good site for dealing with the
> above issues?

A site is not really required. It can be covered in one email.

I suggest creating a CA for yourself and then creating certs against 
that CA. It will make updating your certs easier (unless you just want 
to use 10+ year limits on all of your certs).

-Create CA
1. Make a ~/sslcerts, or whatever name you wish, directory.
2. Copy your /etc/pki/tls/openssl.cnf to your local directory. Make
    changes to the new copy to match your environment.
3. Create your CA inside of your local directory:
mkdir certs private
touch index.txt
echo 01 > serial
openssl genrsa -out private/local_ca_cert.key 2048 \
openssl req -config openssl.cnf -new -x509 -days 3650 \
-key private/local_ca_cert.key -out local_ca_cert.crt -extensions v3_ca
(Change 3650 to however long you want your CA to last)

-Create user certs
Create the user certs from inside the ~/sslcerts directory:
openssl genrsa -out certs/${user}.key 2048
openssl req -config openssl.cnf -new -nodes -out certs/${user}.csr \ 
-key certs/${user}.key
openssl ca -config openssl.cnf -keyfile private/local_ca_cert.key \
-cert ${caname}_ca_cert.crt -out certs/${user}.crt -outdir \
certs -infiles certs/${user}.csr

Rinse and repeat for each $user. Copy the CA public key and user 
private/public keys to a directory of your choice (possibly /etc/pki/) 
to allow dovecot, httpd, or whatever daemon you wish to deploy TLS to 
have access to them.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux