How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux
- openssl
Issue
- How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux?
Resolution
- Configuring the Certificate Authority
- Signing Certificates using the Certificate Authority
- Installing CA certificate on the Clients
- Make CA certificate available to Clients
Configuring the Certificate Authority
1. Set up /etc/pki/CA as your certificate authority's working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled "[CA_default]", and edit the following lines in the section to read:
dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key
2. The "[req_distinguished_name]" section lists several default options you may want to change. For example, you may want to set new defaults for C, ST, L, and O to appropriate values for your organization, such as:
countryName_default = US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
organizationName_default = Example, Inc.
3. Create the supporting directories for certificates and CRLs. The /etc/pki/CA directory should be owned by root:root with permissions 0700, and it should contain a private subdirectory with the same ownership and permissions:
# mkdir /etc/pki/CA/{certs,crl,newcerts}
4. Create an empty certificate index:
# touch /etc/pki/CA/index.txt
5. In addition, create a file to indicate the next certificate serial number to be issued:
# echo 01 > /etc/pki/CA/serial
6. Next, while in /etc/pki/CA, you need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later:
# (umask 077; openssl genrsa -out private/my-ca.key -aes256 4096)
7. For your CA certificate, take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use "$hostname Certificate Authority". Set the other fields as you see fit:
# openssl req -new -x509 -key private/my-ca.key -days 730 > my-ca.crt
The /etc/pki/CA/private/my-ca.key file is the private key for your CA. This file must be very carefully protected. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.
At this point your CA is ready to sign certificates: it can sign CSRs (Certificate Signing Requests) generated for applications such as LDAP, Dovecot, and Apache.
Signing Certificates using the Certificate Authority
- Create a private key for the service on the application server:
# openssl genrsa -aes256 2048 > ldap_server.key
Make sure to set correct permissions on the key (it must not be world-readable).
- Create the certificate signing request
# openssl req -new -sha256 -key ldap_server.key -out ldap_server.csr
Fill in CountryName, StateOrProvinceName, LocalityName, and Organization when prompted, and use the FQDN of the host for CommonName.
- Copy the CSR to the OpenSSL CA server.
- Use the openssl ca command to sign the CSR (the -infiles option must be the last one on the command line):
# openssl ca -config <path_to_openssl.cnf> -md sha256 -out ldap_server.crt -infiles ldap_server.csr
- Copy the signed certificate back to the application server and configure the service to use the signed certificate.
Installing CA certificate on the Clients
The clients need the CA certificate in order to trust server certificates signed by this CA, so copy or import the CA certificate onto each client.
For example, LDAP clients expect the CA certificate to be present in the /etc/openldap/cacerts directory, and if an Apache server is configured to use SSL with a certificate signed by this CA, the CA certificate has to be imported into the web browser.
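The whole flow described above, from the CA directory layout through openssl ca to the check a client performs with my-ca.crt, as an added shell example that is not part of the Red Hat article. It builds the CA in a temporary directory instead of /etc/pki/CA, uses a minimal openssl.cnf of its own instead of editing /etc/pki/tls/openssl.cnf, and supplies subjects and the passphrase non-interactively so it can run unattended. The passphrase, the subject names, the hostname ldap.example.com and all paths are constructed for the demo; it needs OpenSSL 1.1.1 or later because it uses req -addext to put the FQDN in a subjectAltName.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: throwaway CA laid out like /etc/pki/CA,
# a server certificate issued from a CSR with `openssl ca`, and the client-side check.
# Paths, subjects, passphrase and ldap.example.com are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

CA_PASS='demo-passphrase-change-me'   # constructed; the real CA prompts for one
CA_SUBJ='/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=Example Certificate Authority'

# Steps 1-5 of the article with $1 standing in for /etc/pki/CA: directory tree, empty
# index, serial file, and a minimal openssl.cnf carrying the [CA_default] edits.
setup_ca_dir() {
    ca_dir="$1"
    (umask 077; mkdir -p "$ca_dir" "$ca_dir/private")     # 0700, as the article requires
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/my-ca.crt
crl             = \$dir/my-ca.crl
private_key     = \$dir/private/my-ca.key
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = server_cert
# copy the SAN from the CSR; server_cert is applied first, so a CSR asking for
# CA:TRUE cannot override the CA:FALSE set below
copy_extensions = copy
[ policy_match ]
countryName         = match
stateOrProvinceName = match
localityName        = optional
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 6-7: encrypted CA key (2048 bits here to keep the demo fast) and the
# self-signed CA certificate carrying CA:TRUE.
create_ca() {
    ca_dir="$1"
    (umask 077; openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$ca_dir/private/my-ca.key" 2048)
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -key "$ca_dir/private/my-ca.key" -passin "pass:$CA_PASS" \
        -subj "$CA_SUBJ" -days 730 -out "$ca_dir/my-ca.crt"
}

# "Signing Certificates": server key, CSR with the FQDN as CN and as a SAN, then
# `openssl ca` in batch mode. The key is left unencrypted so the daemon can start
# unattended; the umask keeps it from being world-readable.
issue_server_cert() {
    ca_dir="$1"; srv_dir="$2"; fqdn="$3"
    (umask 077; mkdir -p "$srv_dir"; openssl genrsa -out "$srv_dir/ldap_server.key" 2048)
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" -key "$srv_dir/ldap_server.key" \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" -out "$srv_dir/ldap_server.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -md sha256 \
        -passin "pass:$CA_PASS" -out "$srv_dir/ldap_server.crt" \
        -infiles "$srv_dir/ldap_server.csr"
}

# "Installing CA certificate on the Clients": with my-ca.crt as trust anchor, a client
# accepts the server certificate only if it chains to that CA.
verify_against_ca() {
    openssl verify -CAfile "$1/my-ca.crt" "$2" >/dev/null
}

# Look for a property in the decoded certificate, e.g. "CA:FALSE" or "DNS:host".
cert_text_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
setup_ca_dir "$WORK/ca"
create_ca "$WORK/ca"
issue_server_cert "$WORK/ca" "$WORK/server" ldap.example.com
verify_against_ca "$WORK/ca" "$WORK/server/ldap_server.crt" && echo "ldap_server.crt chains to my-ca.crt"
cat "$WORK/ca/index.txt"     # one V (valid) entry for serial 01; the serial file now reads 02
```

Two points of the design matter beyond the demo. The -passin pass:... form is only for tests: it puts the CA passphrase in the process list, so on a real CA let openssl ca prompt as the article does. And the CSR carries the FQDN as a subjectAltName as well as the CommonName, because current browsers and most TLS libraries ignore the CN and reject a certificate whose SAN does not match the host; the CA-side extension section sets CA:FALSE before copy_extensions merges the CSR's extensions, so a request cannot elevate itself to a CA even though its SAN is honoured.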
Make CA certificate available to Clients
The CA may make its public certificate easily downloadable by clients. You can use httpd to do that.
1. Install httpd
# yum install httpd
2. Start httpd:
# chkconfig httpd on; service httpd start
3. Copy my-ca.crt to /var/www/html/certs (create the directory first if it does not already exist):
# cp /etc/pki/CA/my-ca.crt /var/www/html/certs/
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.