Difference between revisions of "Openssl"

(OpenSSL)
(Redirected page to OpenSSL)
 
Line 1: Line 1:
  +
#REDIRECT [[OpenSSL]]
__NOTOC__
 
== How to create SSL certificates for server/client(s) environment ==
 
# Create openssl directory structure for MySQL
 
 
<pre><nowiki>
 
mkdir -p /etc/pki/openssl
 
mkdir -p /etc/pki/openssl/private
 
mkdir -p /etc/pki/openssl/newcerts
 
</nowiki></pre>
 
 
# Initialize Index database
 
 
<pre><nowiki>
 
touch /etc/pki/openssl/index.txt
 
</nowiki></pre>
 
 
# Create control serial number
 
 
<pre><nowiki>
 
date +%Y%m%d > /etc/pki/openssl/serial
 
</nowiki></pre>
 
 
# Copy default openssl configuration file
 
 
<pre><nowiki>
 
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
 
</nowiki></pre>
 
 
# Change the default dir on the new configuration file
 
 
<pre><nowiki>
 
replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf
 
</nowiki></pre>
 
 
# Generate CA
 
 
<pre><nowiki>
 
openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf
 
</nowiki></pre>
 
 
# Create Server REQ and KEY
 
 
<pre><nowiki>
 
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
 
</nowiki></pre>
 
 
# Remove passphrase from KEY
 
 
<pre><nowiki>
 
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
 
</nowiki></pre>
 
 
# Sign server cert
 
 
<pre><nowiki>
 
openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
 
</nowiki></pre>
 
 
# Create REQ and KEY for the client
 
 
<pre><nowiki>
 
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
 
</nowiki></pre>
 
 
# Remove passphrase from the client KEY
 
 
<pre><nowiki>
 
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
 
</nowiki></pre>
 
 
# Sign client cert
 
 
<pre><nowiki>
 
openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
 
</nowiki></pre>
 
 
 
== How to generate strong private key and CSR ==
 
In order to increase the security and generate a unique and unpredictable key we will provide the random data to OpenSSL.
 
 
==== RSA private key ====
 
# Create a folder and place 3 larger files
 
 
<pre><nowiki>
 
# mkdir -p /etc/pki/local
 
# cd /etc/pki/local
 
# tar zcvf logs.tgz /var/logs
 
# cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
 
</nowiki></pre>
 
 
# Generate RSA private key
 
 
<pre><nowiki>
 
openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 1024
 
</nowiki></pre>
 
 
# Patience, it will take a long, up to 10 minutes
 
# Enter the passphrase when prompts
 
# '''To remove passphrase''' ''if Apache, in order to avoid it asks for passphrase every time it starts''
 
 
<pre><nowiki>
 
openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
 
</nowiki></pre>
 
 
* '''Generate Certificate Signing Request (CSR)'''
 
 
<pre><nowiki>
 
openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr
 
</nowiki></pre>
 
 
* '''To generate a Self-Signed certificate that is good for 1 year'''
 
 
<pre><nowiki>
 
# openssl x509 -req -days 360 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt
 
</nowiki></pre>
 

Latest revision as of 00:06, 9 June 2015
