Difference between revisions of "Openssl"
(→OpenSSL) |
(Redirected page to OpenSSL) |
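--- a/Openssl
+++ b/Openssl
@@ -1,115 +1 @@
-__NOTOC__
-== How to create SSL certificates for server/client(s) environment ==
-# Create openssl directory structure for MySQL
-
-<pre><nowiki>
-mkdir -p /etc/pki/openssl
-mkdir -p /etc/pki/openssl/private
-mkdir -p /etc/pki/openssl/newcerts
-</nowiki></pre>
-
-# Initialize Index database
-
-<pre><nowiki>
-touch /etc/pki/openssl/index.txt
-</nowiki></pre>
-
-# Create control serial number
-
-<pre><nowiki>
-date +%Y%m%d > /etc/pki/openssl/serial
-</nowiki></pre>
-
-# Copy default openssl configuration file
-
-<pre><nowiki>
-cp /etc/pki/tls/openssl.cnf /etc/pki/openssl/
-</nowiki></pre>
-
-# Change the default dir on the new configuration file
-
-<pre><nowiki>
-replace ../../CA /etc/pki/openssl -- /etc/pki/openssl/openssl.cnf
-</nowiki></pre>
-
-# Generate CA
-
-<pre><nowiki>
-openssl req -new -x509 -keyout /etc/pki/openssl/private/cakey.pem -out /etc/pki/openssl/cacert.pem -config /etc/pki/openssl.cnf
-</nowiki></pre>
-
-# Create Server REQ and KEY
-
-<pre><nowiki>
-openssl req -new -keyout /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
-</nowiki></pre>
-
-# Remove passphrase from KEY
-
-<pre><nowiki>
-openssl rsa -in /etc/pki/openssl/server-key.pem -out /etc/pki/openssl/server-key.pem
-</nowiki></pre>
-
-# Sign server cert
-
-<pre><nowiki>
-openssl ca -policy policy_anything -out /etc/pki/openssl/server-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/server-req.pem
-</nowiki></pre>
-
-# Create REQ and KEY for the client
-
-<pre><nowiki>
-openssl req -new -keyout /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-req.pem -days 3600 -config /etc/pki/openssl/openssl.cnf
-</nowiki></pre>
-
-# Remove passphrase from the client KEY
-
-<pre><nowiki>
-openssl rsa -in /etc/pki/openssl/client-key.pem -out /etc/pki/openssl/client-key.pem
-</nowiki></pre>
-
-# Sign client cert
-
-<pre><nowiki>
-openssl ca -policy policy_anything -out /etc/pki/openssl/client-cert.pem -config /etc/pki/openssl/openssl.cnf -infiles /etc/pki/openssl/client-req.pem
-</nowiki></pre>
-
-
-== How to generate strong private key and CSR ==
-In order to increase the security and generate a unique and unpredictable key we will provide the random data to OpenSSL.
-
-==== RSA private key ====
-# Create a folder and place 3 larger files
-
-<pre><nowiki>
-# mkdir -p /etc/pki/local
-# cd /etc/pki/local
-# tar zcvf logs.tgz /var/logs
-# cp /boot/vmlinuz-2.6.18-92.1.6.el5 .
-</nowiki></pre>
-
-# Generate RSA private key
-
-<pre><nowiki>
-openssl genrsa -des3 -rand logs.tgz:vmlinuz-2.6.18-92.1.6.el5:/dev/random -out local.bashlinux.com.key 1024
-</nowiki></pre>
-
-# Patience, it will take a long, up to 10 minutes
-# Enter the passphrase when prompts
-# '''To remove passphrase''' ''if Apache, in order to avoid it asks for passphrase every time it starts''
-
-<pre><nowiki>
-openssl rsa -in local.bashlinux.com.key -out local.bashlinux.com.pem
-</nowiki></pre>
-
-* '''Generate Certificate Signing Request (CSR)'''
-
-<pre><nowiki>
-openssl req -new -key local.bashlinux.com.key -out local.bashlinux.com.csr
-</nowiki></pre>
-
-* '''To generate a Self-Signed certificate that is good for 1 year'''
-
-<pre><nowiki>
-# openssl x509 -req -days 360 -in local.bashlinux.com.csr -signkey local.bashlinux.com.key -out local.bashlinux.com.crt
-</nowiki></pre>
+#REDIRECT [[OpenSSL]]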
Latest revision as of 00:06, 9 June 2015