In order to run a secure (SSL/TLS encrypted) service, you have to have a private key and a certificate for the server. For Intranet or special-purpose uses, you can be your own Certificate Authority (CA). This is accomplished with standard OpenSSL tools.

First, we will make a new directory for working with the certificates and keys:

[root]# mkdir /root/CA
[root]# chmod 0700 /root/CA
[root]# cd /root/CA

Now, we will make a private CA key and a self-signed CA X.509 certificate:

[root]# openssl genrsa -des3 -out my-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...................................................+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:VanEmery.Com CA
Email Address []:certmaster@vanemery.com

The first OpenSSL command generates the 2048-bit RSA private key and encrypts it with the pass phrase you enter (-des3). The second command makes a self-signed X.509 certificate (-x509) for that key with a 10-year lifetime (-days 3650); the Distinguished Name you type in becomes the CA's subject.

This command lets you view the completed certificate:

[root]# openssl x509 -in my-ca.crt -text -noout
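The two steps above, plus the checks you would want to run on the result, as an added example that is not part of the original page. It runs the same genrsa and req commands unattended: the pass phrase comes from a root-only file instead of the prompt, the Distinguished Name is supplied through a small request config file written by the script, and that config also states the CA extensions (basicConstraints CA:TRUE, keyUsage keyCertSign) explicitly rather than relying on whatever the system openssl.cnf defaults to. The working directory, the ca.pass and ca.cnf file names and the pass-phrase value are constructed for this example; the key and certificate names and the DN values are the page's own. It also uses -aes256 instead of the page's -des3 to wrap the key.

```shell
#!/bin/sh
# Added example, not code from the original page: create the CA key and
# self-signed certificate unattended, then check that the result is a usable CA.
# Constructed for this example: the target directory, ca.pass, ca.cnf and the
# pass-phrase value. From the page: my-ca.key, my-ca.crt and the DN fields.
set -eu

# Build the CA key and self-signed certificate inside directory "$1".
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0700 "$dir"

    # Pass phrase read from a root-only file instead of an interactive prompt
    # (constructed value; choose a real one before use).
    printf '%s' 'example-ca-pass-phrase' > "$dir/ca.pass"
    chmod 0600 "$dir/ca.pass"

    # Minimal request config: the page's DN with prompting disabled, and the
    # extensions that mark the certificate as a CA.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
C            = US
ST           = Kentucky
L            = Fayette County
O            = VanEmery.Com
OU           = Certificate Authority
CN           = VanEmery.Com CA
emailAddress = certmaster@vanemery.com

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Step 1 from the page (genrsa); AES-256 instead of 3DES wraps the key.
    openssl genrsa -aes256 -passout "file:$dir/ca.pass" \
        -out "$dir/my-ca.key" 2048 2>/dev/null
    chmod 0600 "$dir/my-ca.key"

    # Step 2 from the page: self-signed X.509 certificate, 10-year lifetime.
    openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/my-ca.key" -passin "file:$dir/ca.pass" \
        -out "$dir/my-ca.crt"
}

# Return 0 only if the certificate in "$1" is a usable CA certificate:
# it verifies against itself, carries CA:TRUE, and matches the private key.
check_ca() {
    dir="$1"
    openssl verify -CAfile "$dir/my-ca.crt" "$dir/my-ca.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/my-ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    key_pub=$(openssl pkey -in "$dir/my-ca.key" -passin "file:$dir/ca.pass" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/my-ca.crt" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ]
}

# Return 0 if the certificate in "$1" will still be valid "$2" days from now,
# 1 if it will have expired by then (openssl does the date arithmetic).
ca_still_valid_in_days() {
    openssl x509 -in "$1/my-ca.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: ./make-ca.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca ./CA
    check_ca ./CA && echo "CA certificate OK"
    openssl x509 -in ./CA/my-ca.crt -noout -subject -dates
fi
```

check_ca is the check worth keeping around: a certificate that verifies against itself but lacks CA:TRUE, or whose public key does not match the key file, will be rejected by clients or will fail at the first signing, so it is cheaper to catch that here than after the CA certificate has been distributed.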
Now that you are done, please read and heed the following:

Caution!

Now that you are finished, you need to make backups of the certificates and keys. You can and should back this data up to CDs, floppies, and paper. Make sure that you also record the key's password in a safe place. The certs, keys, and passwords should then be locked up in a safe place.