Project is current
People participating: Jaroslov
Locations: Whitespace
Short description of the project: 0x20 Certificate Authority CA
= 0x20 Certificate Authority =
* CA with OpenSSL
** all flat files in 1 directory
** can easily be stored/transported on an encrypted filesystem
* Used for [[OpenVPN]] authentication

== openssl.cnf ==
Check the openssl.cnf file with the 0x20 specific values:
* root ca is valid for 15 years
* certificates are valid for 5 years
* DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
* nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
* extendedKeyUsage=serverAuth (server certs)
* extendedKeyUsage=clientAuth (client certs)

== Create a CA ==
* based on http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
<pre>
$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout \
  private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf
</pre>

== Sign server cert ==
* Change openssl.cnf to server settings:
<pre>
$ vi ./openssl.cnf
nsCertType = server
extendedKeyUsage=serverAuth
</pre>
* If needed create the key and the csr (certificate signing request):
<pre>
$ openssl genrsa -aes256 -out 0x20-servername.key 2048
$ openssl req -new -key 0x20-servername.key -nodes -out 0x20-servername.csr
</pre>
* Sign the certificate:
<pre>
$ openssl ca -in 0x20-servername.csr -cert ca-0x20-cert.pem -keyfile \
  private/ca-0x20-key.pem -out 0x20-servername.cert -config ./openssl.cnf
</pre>
* check index.txt (= the CA db)

== Sign client cert ==
* Change openssl.cnf to client settings:
<pre>
$ vi ./openssl.cnf
nsCertType = client, email
extendedKeyUsage=clientAuth
</pre>
* Sign the certificate:
<pre>
$ openssl ca -in 0x20-client.csr -cert ca-0x20-cert.pem -keyfile \
  private/ca-0x20-key.pem -out 0x20-client.cert -config ./openssl.cnf
</pre>

== Create a pkcs12 ==
<pre>
$ openssl pkcs12 -export -in jaroslov.cert -inkey jaroslov.key -certfile ca.pem -name "jaroslov" -out jaroslov.p12
</pre>

== Create a CRL ==
<pre>
$ openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf
</pre>
* the first time you need to populate the crlnumber file:
<pre>
$ echo "01" > crlnumber
</pre>

== Revoke a certificate ==
* Check the certificates in newcerts/
* Revoke the needed one:
<pre>
$ openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf
</pre>
* distribute the crl where needed.
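The whole lifecycle above (create the CA, sign a server and a client cert, build the pkcs12, issue a CRL, revoke a cert, reissue the CRL) as one runnable script, added here as an example and not taken from the 0x20 wiki or the freebsdmadeeasy tutorial. It builds a throwaway flat-file CA directory with a minimal openssl.cnf carrying the 0x20 values listed on the page, then checks with `openssl verify -crl_check` that the revoked cert is rejected while the other one still passes. Assumptions that are not on the page: 2048-bit keys and unencrypted private keys (so nothing prompts), the CNs `server.0x20.be` and `jaroslov`, the pkcs12 passphrase `changeit`, `-notext` on `openssl ca` so the issued files hold only PEM, and an env var for extendedKeyUsage instead of editing openssl.cnf with vi between server and client signing (nsCertType is left out).

```shell
#!/bin/sh
# Added example, not the 0x20 wiki page's own code: the page's flat-file CA
# lifecycle end to end in a temporary directory. Assumed values (not on the
# page): 2048-bit unencrypted keys, the test CNs, the p12 passphrase and the
# minimal openssl.cnf below.
set -eu

# Defaults so every openssl call can parse the ${ENV::...} lookups in openssl.cnf.
export CERT_CN="unset" LEAF_EKU="serverAuth"

# Lay out the "all flat files in 1 directory" structure that openssl ca expects.
setup_ca_dir() {
    CA_DIR="$(mktemp -d)"
    cd "$CA_DIR"
    mkdir -p private newcerts crl
    chmod 700 private
    : > index.txt            # the CA db the page says to check after signing
    echo 1000 > serial       # first issued cert becomes newcerts/1000.pem
    echo 01 > crlnumber      # must exist before the first -gencrl (page's note)
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = ca_0x20
[ ca_0x20 ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca-0x20-cert.pem
private_key      = $dir/private/ca-0x20-key.pem
default_md       = sha256
default_days     = 1825        # leaf certs valid for 5 years, as on the page
default_crl_days = 30
policy           = policy_any
x509_extensions  = leaf_ext
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
C  = BE
ST = Ghent
L  = Whitespace
O  = 0x20
CN = ${ENV::CERT_CN}
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
[ leaf_ext ]
basicConstraints = CA:false
extendedKeyUsage = ${ENV::LEAF_EKU}
EOF
}

# Root CA as on the page: 15 years (5475 days), v3_ca extensions.
create_ca() {
    CERT_CN="0x20 root ca" openssl req -new -x509 -days 5475 -newkey rsa:2048 -nodes \
        -extensions v3_ca -keyout private/ca-0x20-key.pem -out ca-0x20-cert.pem \
        -config ./openssl.cnf >>ca.log 2>&1
}

# make_csr <name> <cn>: key plus CSR, the page's "if needed" step.
make_csr() {
    openssl genrsa -out "$1.key" 2048 >>ca.log 2>&1
    CERT_CN="$2" openssl req -new -key "$1.key" -out "$1.csr" -config ./openssl.cnf >>ca.log 2>&1
}

# sign_cert <csr> <out> <eku>: the page's "openssl ca" step, EKU chosen per call.
sign_cert() {
    LEAF_EKU="$3" openssl ca -batch -notext -in "$1" -cert ca-0x20-cert.pem \
        -keyfile private/ca-0x20-key.pem -out "$2" -config ./openssl.cnf >>ca.log 2>&1
}

# make_p12 <name> <friendly-name>: cert, key and CA cert bundled for a client.
make_p12() {
    openssl pkcs12 -export -in "$1.cert" -inkey "$1.key" -certfile ca-0x20-cert.pem \
        -name "$2" -out "$1.p12" -passout pass:changeit >>ca.log 2>&1
}

gen_crl()     { openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf >>ca.log 2>&1; }
revoke_cert() { openssl ca -revoke "$1" -config ./openssl.cnf >>ca.log 2>&1; }

# verify_cert <cert>: exit 0 only if it chains to the CA and is not on the CRL.
verify_cert() {
    openssl verify -crl_check -CAfile ca-0x20-cert.pem -CRLfile crl/crl.pem "$1" >/dev/null 2>&1
}

# Stand-alone walk-through of the page's procedure.
setup_ca_dir
create_ca
make_csr server "server.0x20.be"; sign_cert server.csr server.cert serverAuth
make_csr client "jaroslov";       sign_cert client.csr client.cert clientAuth
make_p12 client jaroslov
gen_crl
verify_cert server.cert && echo "server cert valid before revocation"
revoke_cert newcerts/1000.pem    # serial 1000 = the server cert, first one issued
gen_crl                          # the CRL must be regenerated and redistributed
verify_cert server.cert || echo "server cert rejected after revocation"
verify_cert client.cert && echo "client cert still valid"
echo "CA db (index.txt):"; cat index.txt
```

Revoking alone changes only index.txt; clients keep accepting the certificate until a fresh CRL is generated and published at the nsCaRevocationUrl, which is why the script runs `gen_crl` again before the second verify. Everything openssl prints goes to `ca.log` in the CA directory, which is the first place to look if a step fails.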