Creating Certificates
Latest revision as of 09:10, 14 August 2012
To secure the communication between a server and its clients, SSL certificates are used, both for the clients and for the server. These certificates are usually valid for a limited amount of time only and thus need to be recreated every now and then.
Create a New Key
In order to create a new certificate, a key must be created first.
$ CA.sh -newreq
You have to enter a password for the key that is created. Remember that passphrase; it is needed later if you want to remove the passphrase from the key file in order to allow unattended startups of your client services.
The new key is saved as newkey.pem and a request for a certificate signature for that key (newreq.pem) is created.
Generate List of Alternate Host Names
If you want to use the certificate for more than one host name you have to enter all host names into a second configuration file.
$ echo 'subjectAltName=DNS:hostname.de,DNS:*.hostname.de,DNS:hostname.org,DNS:*.hostname.org' > newkey.cnf
Sign the Certificate Signature Request
The certificate signature request needs to be processed by the CA so that a certificate signed by the CA is created.
$ SSLEAY_CONFIG="-extfile newkey.cnf" CA.sh -sign
You need to enter the passphrase of your CA for this step. After you have confirmed that you really want to sign that certificate, the signed certificate ends up in newcert.pem.
Basically this is all that is required for your services to operate cleanly and securely.
Remove the Passphrase from the Private Key File
In case you want to use the generated private key as part of an unattended startup procedure (e.g. your VPN client at your home machine) you need to remove the passphrase from the private key file.
$ openssl rsa -in newkey.pem -out newkey.np.pem
Enter the passphrase and the private key is stored without a passphrase in newkey.np.pem.
Create a New Root CA
Every now and then, a new root CA must be created (because a CA certificate is only valid for a limited time as well). This should be executed from the demoCA directory.
$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3652
A new CA will be created, valid for the next 10 years. After this, all server and client certificates have to be regenerated!
Import the New Root CA
To be able to use the new root CA, it needs to be imported using certutil (from the libnss3-tools package). Replace the placeholder with the nickname you want to give the CA:
$ certutil -d sql:$HOME/.pki/nssdb -A -t 'C,,' -n "<nickname for the CA>" -i cacert.pem
If an existing certificate cannot be updated, it needs to be deleted beforehand:
$ certutil -d sql:$HOME/.pki/nssdb -D -n "<nickname for the CA>"
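The whole procedure above (root CA, key and request, SAN extension file, signing, passphrase removal) as an added, unattended example that is not part of the wiki page, with the checks worth running before the result is deployed. It assumes openssl is in PATH, uses a minimal config file in place of /etc/ssl/openssl.cnf, stands in for CA.sh's "openssl ca" step with "openssl x509 -req" (which does not record the certificate in the demoCA index), and uses a constructed passphrase and an unencrypted CA key so that nothing prompts.

```shell
#!/bin/sh
# Added example (not from the wiki page): the page's certificate workflow run
# unattended with plain openssl so each step can be checked afterwards.
set -eu

# Minimal openssl config standing in for /etc/ssl/openssl.cnf, so the root CA
# gets CA:TRUE regardless of what the system config contains.
write_config() {   # $1 = config file to write
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# "Create a New Root CA": self-signed, 3652 days as on the page (no passphrase here).
make_root_ca() {   # $1 = work dir
    openssl req -config "$1/openssl.cnf" -new -x509 -nodes -newkey rsa:2048 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" -days 3652 \
        -subj "/CN=Example Root CA" 2>/dev/null
}

# "Create a New Key" and "Sign the CSR" with the page's subjectAltName ext file,
# then "Remove the Passphrase": newkey.np.pem is what unattended services load.
make_signed_cert() {   # $1 = work dir, $2 = key passphrase (constructed)
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 \
        -keyout "$1/newkey.pem" -passout "pass:$2" -out "$1/newreq.pem" \
        -subj "/CN=hostname.de" 2>/dev/null
    echo 'subjectAltName=DNS:hostname.de,DNS:*.hostname.de,DNS:hostname.org,DNS:*.hostname.org' \
        > "$1/newkey.cnf"
    openssl x509 -req -in "$1/newreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$1/newkey.cnf" -out "$1/newcert.pem" 2>/dev/null
    openssl rsa -in "$1/newkey.pem" -passin "pass:$2" -out "$1/newkey.np.pem" 2>/dev/null
}

# Checks to run before deploying: chain validates, SAN present, key really stripped.
chain_verifies()     { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
cert_has_san()       { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

run_demo() {   # $1 = work dir
    write_config "$1/openssl.cnf"
    make_root_ca "$1"
    make_signed_cert "$1" 'demo-passphrase'
    chain_verifies "$1/cacert.pem" "$1/newcert.pem" && echo "chain OK in $1"
}

run_demo "$(mktemp -d)"
```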