Openssl

From Bashlinux
Revision as of 07:47, 28 February 2015 by Manpaz (talk | contribs) (OpenSSL)

How to create SSL certificates for a server/client environment

  1. Create the OpenSSL directory structure for MySQL
 mkdir -p /etc/pki/openssl
 mkdir -p /etc/pki/openssl/private
 mkdir -p /etc/pki/openssl/newcerts
 
  2. Initialize the index database
 touch /etc/pki/openssl/index.txt
 
  3. Create the control serial number
 date +%Y%m%d > /etc/pki/openssl/serial
 
  4. Copy the default OpenSSL configuration file
 cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
 
  5. Change the default dir in the new configuration file
 replace ../../CA /etc/pki/openssl  -- /etc/pki/openssl/openssl.cnf
 
  6. Generate the CA (the configuration file is the copy made in step 4)
 openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl/openssl.cnf
 
  7. Create the server REQ and KEY
 openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
 
  8. Remove the passphrase from the server KEY
 openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
 
  9. Sign the server cert
 openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
 
  10. Create the REQ and KEY for the client
 openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
 
  11. Remove the passphrase from the client KEY
 openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
 
  12. Sign the client cert
 openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
 
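The CA, server and client procedure above as one runnable script (an added example, not the wiki's own commands): it builds the same directory layout under a scratch directory instead of /etc/pki, writes a minimal openssl.cnf inline in place of the copied system file, uses -nodes in place of the separate passphrase-removal step, and ends with the verification the steps omit, that both leaf certificates actually chain to cacert.pem. The CA name "Scratch Test CA" and the hostnames under example.test are constructed placeholders; key size is OpenSSL's default (2048-bit RSA).

```shell
#!/bin/sh
# Same CA / server / client layout as the steps above, built under a scratch
# directory instead of /etc/pki with a minimal openssl.cnf written inline, so it
# runs unprivileged; ends with the verification the steps omit.
set -eu

write_cnf() {  # $1 = pki dir; the [ca] config the `openssl ca` step requires
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
default_days     = 365
default_md       = sha256
policy           = policy_anything
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

build_pki() {  # $1 = scratch dir; exit status 0 only if both leaf certs verify
  pki=$1; cnf=$pki/openssl.cnf
  mkdir -p "$pki/private" "$pki/newcerts"   # directory layout, index, serial
  touch "$pki/index.txt"
  date +%Y%m%d > "$pki/serial"
  write_cnf "$pki"                          # config with dir already pointed here
  # CA: -x509 self-signs; -nodes replaces the later passphrase-removal step
  openssl req -new -x509 -nodes -days 3650 -subj "/CN=Scratch Test CA" \
    -keyout "$pki/private/cakey.pem" -out "$pki/cacert.pem" -config "$cnf" 2>/dev/null
  for role in server client; do             # request, then sign, for each role
    openssl req -new -nodes -subj "/CN=$role.example.test" \
      -keyout "$pki/$role-key.pem" -out "$pki/$role-req.pem" -config "$cnf" 2>/dev/null
    openssl ca -batch -policy policy_anything -config "$cnf" \
      -out "$pki/$role-cert.pem" -infiles "$pki/$role-req.pem" 2>/dev/null
  done
  # The check the steps omit: both leaves must chain to cacert.pem
  openssl verify -CAfile "$pki/cacert.pem" "$pki/server-cert.pem" "$pki/client-cert.pem"
}
```

Call it as `build_pki /tmp/scratch-pki`; the index.txt it leaves behind records every certificate the CA has issued, which is what you audit when a client key is lost.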


How to generate a strong private key and CSR

To increase security and generate a unique, unpredictable key, we feed extra random data to OpenSSL.

RSA private key

  1. Create a folder and place 3 large files in it
 # mkdir -p /etc/pki/local
 # cd /etc/pki/local
 # tar zcvf logs.tgz /var/logs
 # cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
 
  2. Generate the RSA private key, seeding it from those files and /dev/random
 openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 1024
 
  3. Be patient: it can take a long time, up to 10 minutes
  4. Enter the passphrase when prompted
  5. To remove the passphrase (for Apache, so it does not ask for the passphrase every time it starts)
 openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
 
  • Generate Certificate Signing Request (CSR)
 openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr
 
  • To generate a self-signed certificate that is good for 1 year
 # openssl x509 -req -days 360 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt