I will describe all the necessary steps to create your own certificate service on Linux: which information you should prepare, and then how to create the file structure and the openSSL configuration file. (The same in Russian)
In my post “Digital certificates. Why we need them and what are they for?” I wrote what a digital certificate is and why one needs them. Now we continue.
The easiest way to create your own certificate service is to use the openSSL program on Linux from the command line.
In theory, to create a Certificate Service one should use a separate computer running Linux. Furthermore, this computer should never be connected to the Internet, and it should be kept in a separate armored room that no one can get into.
In practice, in my opinion, one can manage everything with an old PC that has Linux installed on it. We turn it on when we need to create keys and certificates for anything, and turn it off when we finish.
1. Preparation for creating your own certificate service
1. To create a certificate service, you should prepare answers to the following questions:
- country 2 letter code
- state or province name
- locality name (city)
- organization (company) name
- number of days the host certificate is valid
For the last question, one can enter anything from 365 (one year) to 3650 (ten years). It probably depends on taste and on the company’s security policy.
2. Create a good password for the private key of the certificate service. What a good password is and how to create it, I wrote in the post “What is ssh/sftp and what is it for?“. The password for the private key is an additional line of defence: if for any reason the private key file is lost, someone who does not know the password will not be able to use it.
3. Start the computer and launch the terminal program (see my post “A few words about Linux“). To create keys and certificates, the openSSL program is needed, which is a mandatory part of any Linux distribution. In this post, all examples are valid for CentOS Linux (Red Hat Enterprise Linux).
4. Create the file structure of the Certificate Service, which you can locate anywhere. To use the Certificate Service you need several folders and files. Let us name the root folder of the certificate service rootCA; then we need the folders:
If the openSSL package is installed (and it must be installed), you should already have such a file structure somewhere on the disk. For example, on CentOS Linux the rootCA folder is the directory /etc/pki/tls. Check it (see «Linux commands. The very short description“).
If you have the folder structure as in Fig. 1, go to the next step.
Otherwise it is necessary to create all the folders and files. The empty index.txt is the certificate database that the configuration file below points to (openssl ca refuses to run without it), and the serial file must be written once, not appended to:
# mkdir -m 0700 /etc/pki/tls /etc/pki/tls/certs /etc/pki/tls/crl /etc/pki/tls/private
# touch /etc/pki/tls/index.txt
# echo 01 > /etc/pki/tls/serial
5. The OpenSSL configuration file.
If the openSSL package has been installed properly, the root folder of the Certificate Service should contain the openSSL configuration file openssl.cnf. This file consists of several sections. At the moment we are interested in only two of them: the ca_default section and the req_distinguished_name section.
The ca_default section defines the file structure of the Certificate Service. For the examples given in this post to work, it should look like this:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /etc/pki/tls # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs # default place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
Pay attention to the variables dir, certificate and private_key. If they differ from this sample, correct the values using the editor vi (see my post “Text editor vi. The very short manual”). This is very important.
The req_distinguished_name section defines the default values for the user data (item 1 of this article). If you need a lot of certificates, it is better to enter the answers to the questions of item 1 in this section. It saves a lot of time and helps avoid errors.
If for some reason the file openssl.cnf is missing, create it using the text editor vi and copy both sections from here.
If you did everything correctly, you can now create the certificate service.
I have described all the necessary steps to prepare for creating your own certificate service on Linux: the information, the file structure and the openSSL configuration file.
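As an added example (not from the original post), the script below builds the rootCA layout described above under a directory of your choice rather than /etc/pki/tls, writes the ca_default and req_distinguished_name sections into an openssl.cnf there, and then checks that the tree really matches what the configuration points at. The answers under req_distinguished_name (XX, Example Org, and so on) are constructed placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the post): build the rootCA layout that the
# [ CA_default ] section expects, under a directory of the caller's choice
# (a temporary one here, not /etc/pki/tls), and write the two sections.
# The answers under [ req_distinguished_name ] are constructed placeholders.
make_ca_layout() {
  dir="$1"
  # 0700: only the owner (root) may enter; the CA private key lives in private/.
  mkdir -p -m 0700 "$dir" "$dir/certs" "$dir/crl" "$dir/private"
  : > "$dir/index.txt"      # empty issued-certificate database, required by openssl ca
  echo 01 > "$dir/serial"   # next serial number; overwrite, never append
  echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/ca.crt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl.pem
private_key = \$dir/private/ca.key
x509_extensions = usr_cert
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = XX
ST = Example State
L = Example City
O = Example Org
CN = Example Root CA
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}
# Returns 0 when the tree matches what openssl.cnf points at, 1 otherwise:
# the directories exist, private/ is owner-only, serial is sane and dir= is right.
check_ca_layout() {
  dir="$1"
  for d in "$dir" "$dir/certs" "$dir/crl" "$dir/private"; do [ -d "$d" ] || return 1; done
  [ "$(ls -ld "$dir/private" | cut -c1-10)" = "drwx------" ] || return 1
  [ -f "$dir/index.txt" ] && [ "$(cat "$dir/serial")" = "01" ] || return 1
  grep -q "^dir = $dir\$" "$dir/openssl.cnf" || return 1
}
```

Run `make_ca_layout /path/to/rootCA` as root and then `check_ca_layout /path/to/rootCA` before pointing openssl at the new openssl.cnf.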