Openssl: Difference between revisions

From Bashlinux
Jump to navigationJump to search
Content deleted Content added
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
No edit summary
 
Manpaz (talk | contribs)
bashlinux, Bureaucrats, Administrators, sysops
711 edits
Redirected page to OpenSSL
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
#REDIRECT [[OpenSSL]]
__NOTOC__
= OpenSSL =
= Create SSL Certificates for server/client(s) environment =
# Create openssl directory structure for MySQL
<pre><nowiki>
mkdir -p /etc/pki/openssl
mkdir -p /etc/pki/openssl/private
mkdir -p /etc/pki/openssl/newcerts
</nowiki></pre>

# Initialize Index database
<pre><nowiki>
touch /etc/pki/openssl/index.txt
</nowiki></pre>

# Create control serial number
<pre><nowiki>
date +%Y%m%d > /etc/pki/openssl/serial
</nowiki></pre>

# Copy default openssl configuration file
<pre><nowiki>
cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
</nowiki></pre>

# Change the default dir on the new configuration file
<pre><nowiki>
replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Generate CA
<pre><nowiki>
openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf
</nowiki></pre>

# Create Server REQ and KEY
<pre><nowiki>
openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Remove passphrase from KEY
<pre><nowiki>
openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
</nowiki></pre>

# Sign server cert
<pre><nowiki>
openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
</nowiki></pre>

# Create REQ and KEY for the client
<pre><nowiki>
openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
</nowiki></pre>

# Remove passphrase from the client KEY
<pre><nowiki>
openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
</nowiki></pre>

# Sign client cert
<pre><nowiki>
openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
</nowiki></pre>


== Generating Strong Private key and CSR ==
In order to increase the security and generate a unique and unpredictable key we will provide the random data to OpenSSL.

==== RSA private key ====
# Create a folder and place 3 larger files
<pre><nowiki>
# mkdir -p /etc/pki/local
# cd /etc/pki/local
# tar zcvf logs.tgz /var/logs
# cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
</nowiki></pre>

# Generate RSA private key
<pre><nowiki>
openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 1024
</nowiki></pre>

# Patience, it will take a long, up to 10 minutes
# Enter the passphrase when prompts
# '''To remove passphrase'''if Apache, in order to avoid it asks for passphrase every time it starts)''
<pre><nowiki>
openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
</nowiki></pre>

* '''Generate Certificate Signing Request (CSR)'''
<pre><nowiki>
openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr
</nowiki></pre>

* '''To generate a Self-Signed certificate that is good for 1 year'''
<pre><nowiki>
# openssl x509 -req -days 360 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt
</nowiki></pre>

Latest revision as of 00:06, 9 June 2015

Redirect to:

Retrieved from "https://wiki.bashlinux.com/index.php?title=Openssl&oldid=932"