I will describe how to create a certificate service. A certificate service can be used, for example, to test the authentication of servers, services, or employees. After reading these articles, you will have a running certificate service, together with all the required private keys and certificates, in about 10 minutes.
Now let us see how to create and use the simplest, single-level Certificate Service.
In my post “How to create a certificate service. Preparation” I described all the steps needed to prepare for creating the certificate service. The necessary background on Linux can be found in the posts “A few words about Linux” and “Linux commands. The very short description”.
Become the superuser root and change to the root folder of the certificate service (the folder that contains openssl.cnf and the private and certs subfolders).
Step-by-step creation of the Certificate Service (CA)
1. Create the certificate service private key (Fig. 1).
openssl genrsa -des3 -out private/ca.key 2048
The command asks twice for the password you prepared. It generates a 2048-bit private (secret) key ca.key in the folder private, encrypted with the password (-des3 selects 3DES; on a current OpenSSL, -aes256 is the stronger choice).
chmod 0400 private/ca.key
This makes the key read-only, and readable only by its owner, the superuser root.
2. Create the self-signed Certificate Service certificate (Fig. 2).
openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.crt -config openssl.cnf
To see what we got, and to check that the output shows X509v3 Basic Constraints with CA:TRUE (the extension section that openssl.cnf names in its [req] section supplies it; without it, clients will not accept certificates issued by this CA):
openssl x509 -noout -text -in certs/ca.crt
3. Create a private key and a certificate signing request (Fig. 3). A private key and request can be created either for a server (service, virtual server) or for a user, with a few differences. For a user, put the person's name in Latin letters in the Common Name field (the name, not the login; for example: John Dow) and protect the key with a password, so that nobody but the owner, who knows the password, can use it. For a server, put the fully qualified domain name of the server (virtual server) in the Common Name field; a password is usually not used, so that the administrator does not have to type it every time the server or service starts. Note that current browsers and TLS clients match the host name against the subjectAltName extension rather than the Common Name, so a server request intended for such clients also needs a subjectAltName entry (through a req_extensions section in openssl.cnf, or with -addext on OpenSSL 1.1.1 and later).
For a server:
openssl req -newkey rsa:2048 -keyout private/test2.example.com.key -nodes -out test2.example.com.csr
It generates a 2048-bit secret key test2.example.com.key in the folder private (unencrypted, because of -nodes) and a certificate request test2.example.com.csr in the current folder. The command asks the questions about the key owner (see Fig. 3).
And for a user (the original recipe used rsa:1024, which is now too short; 2048 bits is the minimum current software accepts):
openssl req -newkey rsa:2048 -keyout private/JohnDow.key -out JohnDow.csr
It generates a 2048-bit secret key JohnDow.key in the folder private and a certificate request JohnDow.csr in the current folder. The command asks twice for the password you prepared and then asks the questions about the key owner (see Fig. 4).
4. Sign the requests with the CA private key (Fig. 5).
openssl ca -config openssl.cnf -out certs/test2.example.com.crt -infiles test2.example.com.csr
The command asks for the password of the certificate service private (secret) key, then shows the certificate data for you to check. If everything is correct, confirm twice (press “y”). The server's certificate test2.example.com.crt then appears in the folder certs. Signing a user's request works exactly the same way.
5. The certificate signing request is no longer needed and can be deleted.
Now copy the newly created private (secret) key and the signed certificate for the user (server), together with the self-signed Certificate Service certificate certs/ca.crt, onto a USB stick for further use. Remember that you must never give the Certificate Service private key to anyone, and do not forget its password.
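The five steps above as one unattended script. This is an added example, not code from the original post: it uses the same OpenSSL commands (genrsa, req -x509, req -newkey, ca) but replaces the interactive prompts with -subj, -passin/-passout and -batch, writes a minimal openssl.cnf of its own instead of relying on the one from the preparation post, and adds the subjectAltName on the server request and a final openssl verify check. The directory, the passphrases, the CA name and the example host and user names are assumptions; -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): the five CA steps as one
# unattended script. The directory layout, the minimal openssl.cnf, the
# passphrases and the example names are assumptions made for this example.
set -eu

# Write a minimal openssl.cnf into $1 that serves both "openssl req" and
# "openssl ca". v3_ca gives the CA certificate CA:TRUE; server_cert and
# user_cert are selected with "openssl ca -extensions" when signing.
write_ca_config() {
    ca_dir=$1
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca          = CA_default

[ CA_default ]
dir                 = $ca_dir
certs               = \$dir/certs
new_certs_dir       = \$dir/newcerts
database            = \$dir/index.txt
serial              = \$dir/serial
private_key         = \$dir/private/ca.key
certificate         = \$dir/certs/ca.crt
default_md          = sha256
default_days        = 365
policy              = policy_any
copy_extensions     = copy

[ policy_any ]
commonName          = supplied
organizationName    = optional

[ req ]
distinguished_name  = req_dn
x509_extensions     = v3_ca

[ req_dn ]
commonName          = Common Name

[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints    = CA:FALSE
keyUsage            = critical, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ user_cert ]
basicConstraints    = CA:FALSE
keyUsage            = critical, digitalSignature
extendedKeyUsage    = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Build the CA in $1 (CA key passphrase $2), then issue a server certificate
# for host $3 and a client certificate for user $4 whose key is protected
# with passphrase $5. Returns 0 only if both certificates verify against the CA.
build_ca() {
    ca_dir=$1 ca_pass=$2 host=$3 user=$4 user_pass=$5
    user_file=$(printf '%s' "$user" | tr -d ' ')   # "John Dow" -> JohnDow
    cfg=$ca_dir/openssl.cnf

    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 0700 "$ca_dir/private"
    : > "$ca_dir/index.txt"        # the CA database, empty at start
    echo 01 > "$ca_dir/serial"     # next serial number to issue
    write_ca_config "$ca_dir"

    # Step 1: encrypted CA private key (AES-256 here instead of 3DES), owner-only.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$ca_dir/private/ca.key" 2048
    chmod 0400 "$ca_dir/private/ca.key"

    # Step 2: self-signed CA certificate, 10 years, CA:TRUE from the v3_ca section.
    openssl req -new -x509 -days 3650 -config "$cfg" \
        -key "$ca_dir/private/ca.key" -passin "pass:$ca_pass" \
        -subj "/CN=Example Test CA" -out "$ca_dir/certs/ca.crt"

    # Step 3: server key without passphrase (-nodes); the CSR carries the FQDN
    # as Common Name and as subjectAltName (-addext needs OpenSSL >= 1.1.1).
    openssl req -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$ca_dir/private/$host.key" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" -out "$ca_dir/$host.csr"
    # User key protected with the user's passphrase.
    openssl req -newkey rsa:2048 -config "$cfg" \
        -keyout "$ca_dir/private/$user_file.key" -passout "pass:$user_pass" \
        -subj "/CN=$user" -out "$ca_dir/$user_file.csr"

    # Step 4: sign both requests with the CA key; -batch replaces the "y" prompts.
    openssl ca -batch -notext -config "$cfg" -passin "pass:$ca_pass" -extensions server_cert \
        -out "$ca_dir/certs/$host.crt" -infiles "$ca_dir/$host.csr"
    openssl ca -batch -notext -config "$cfg" -passin "pass:$ca_pass" -extensions user_cert \
        -out "$ca_dir/certs/$user_file.crt" -infiles "$ca_dir/$user_file.csr"

    # Step 5: the requests are no longer needed.
    rm -f "$ca_dir/$host.csr" "$ca_dir/$user_file.csr"

    # Check: each issued certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca_dir/certs/ca.crt" "$ca_dir/certs/$host.crt" >/dev/null &&
    openssl verify -CAfile "$ca_dir/certs/ca.crt" "$ca_dir/certs/$user_file.crt" >/dev/null
}

# Print the Basic Constraints value of a certificate: CA:TRUE or CA:FALSE.
cert_basic_constraints() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *\(CA:[A-Z]*\).*/\1/p'
}

# Print the DNS names from a certificate's subjectAltName, one per line.
cert_san_dns() {
    openssl x509 -noout -text -in "$1" | grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Usage: sh mini-ca.sh /path/to/new/ca-dir   (does nothing when sourced)
if [ -n "${1:-}" ]; then
    build_ca "$1" "change-me-ca-pass" test2.example.com "John Dow" "change-me-user-pass"
    echo "CA ready in $1: ca.crt is $(cert_basic_constraints "$1/certs/ca.crt")"
fi
```

Passphrases on the command line (pass:) are acceptable for a throwaway test CA only; for a real one keep the interactive prompt or use -passin file: with a root-only file. copy_extensions = copy lets the requester choose extensions such as subjectAltName, so the signing sections above always set basicConstraints themselves; a request that asks for CA:TRUE is then overridden rather than copied, but it is still worth reading the request data that openssl ca prints before confirming.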
It is done!
This is how to create a certificate service and obtain all the necessary keys and certificates in 10 minutes.