
Wednesday, July 30, 2014

Setup basic PKI

Here are a few simple steps to set up a basic PKI; this involves creating a root CA and then signing some certificates with it:

Update your OpenSSL configuration as described at this link:
https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

Create the Root CA

Create a root CA private key:

openssl genrsa -aes256 -out ca.key.pem 4096

Enter the pass phrase to protect the file.

Create the root CA certificate:

openssl req -new -x509 -days 365 -key ca.key.pem -out ca.cert.pem

Enter the pass phrase you entered when creating the root private key.
Enter the values for prompted questions for the certificate.

Create a server certificate

Generate a server private key:

openssl genrsa -aes256 -out my.test.cert.com.key.pem 4096

Enter the pass phrase to protect the file.

Now we can create a certificate signing request (CSR) so that the server certificate can be signed by the root CA (you can also do this with an intermediate CA):

openssl req -new -key my.test.cert.com.key.pem -out sign-request.csr

Enter the pass phrase you entered when creating the server private key.
Enter the values for prompted questions for the certificate.

Now you can sign the server certificate (using the sha1 message digest) with the CSR:

openssl ca -keyfile ca.key.pem -cert ca.cert.pem -in sign-request.csr -out my.test.cert.com.pem -md sha1

Enter the pass phrase you entered when creating the root private key.

Create a client certificate

Generate a client private key:

openssl genrsa -aes256 -out client.key.pem 4096

Enter the pass phrase to protect the file.

Now we can create a certificate signing request (CSR) so that the client certificate can be signed by the root CA (you can also do this with an intermediate CA):

openssl req -new -key client.key.pem -out client-sign-request.csr

Enter the pass phrase you entered when creating the client private key.
Enter the values for prompted questions for the certificate.

Now you can sign the client certificate (using the sha1 message digest) with the CSR:

openssl ca -keyfile ca.key.pem -cert ca.cert.pem -in client-sign-request.csr -out client.cert.pem -md sha1

Enter the pass phrase you entered when creating the root private key.
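The whole procedure above as one non-interactive script. This is an added example, not code from the original post or the linked article: it writes its own minimal openssl.cnf (the part the post delegates to the link), runs the root CA, server and client steps without prompts by passing the passphrases on the command line, and finishes by verifying both certificates against the root. Three deliberate differences from the post: it signs with sha256 instead of sha1 (SHA-1 certificate signatures are no longer accepted by current browsers and TLS libraries), it gives the server and client certificates different extendedKeyUsage values (the post's `openssl ca` commands pass no -extensions, so both certificates receive the same extension section and differ only by name), and it defaults to 2048-bit keys so the demo runs quickly. The working directory, passphrases, subject names and the `Demo Root CA` name are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article: the
# post's root CA -> server cert -> client cert procedure run end to end
# without prompts, with the minimal openssl.cnf that `openssl ca` needs
# and a verification step at the end. Assumes the openssl CLI (1.1 or
# later) is on PATH; passphrases, names and paths below are constructed.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CA_PASS="example-root-passphrase"      # constructed demo secrets
SRV_PASS="example-server-passphrase"
CLI_PASS="example-client-passphrase"
KEY_BITS="${KEY_BITS:-2048}"           # the post uses 4096; 2048 keeps the demo quick
CNF="$PKI_DIR/openssl.cnf"

# The [ca] section and database files that `openssl ca` requires, plus
# extension profiles so server and client certificates are distinguishable.
write_ca_config() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $PKI_DIR/index.txt
new_certs_dir = $PKI_DIR/newcerts
serial = $PKI_DIR/serial
certificate = $PKI_DIR/ca.cert.pem
private_key = $PKI_DIR/ca.key.pem
default_md = sha256
default_days = 365
policy = demo_policy
unique_subject = no
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:my.test.cert.com
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    mkdir -p "$PKI_DIR/newcerts"
    : > "$PKI_DIR/index.txt"
    echo 1000 > "$PKI_DIR/serial"
}

# Root CA: passphrase-protected key and a self-signed certificate with CA:TRUE.
create_root_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$PKI_DIR/ca.key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -config "$CNF" -extensions v3_ca \
        -key "$PKI_DIR/ca.key.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=Demo Root CA" -out "$PKI_DIR/ca.cert.pem"
}

# Leaf certificate: $1 file stem, $2 key passphrase, $3 subject CN,
# $4 extension profile. Signed with sha256 rather than the post's sha1,
# since SHA-1 certificate signatures are rejected by current TLS clients.
issue_leaf() {
    stem="$1"; pass="$2"; cn="$3"; profile="$4"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$PKI_DIR/$stem.key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -config "$CNF" -key "$PKI_DIR/$stem.key.pem" \
        -passin "pass:$pass" -subj "/CN=$cn" -out "$PKI_DIR/$stem.csr"
    openssl ca -batch -notext -config "$CNF" -extensions "$profile" -md sha256 \
        -keyfile "$PKI_DIR/ca.key.pem" -cert "$PKI_DIR/ca.cert.pem" \
        -passin "pass:$CA_PASS" -in "$PKI_DIR/$stem.csr" \
        -out "$PKI_DIR/$stem.cert.pem" >/dev/null 2>&1
}

# Prints the signature algorithm a certificate was signed with.
signature_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeeds only if the certificate chains to the root and its extended key
# usage allows the given purpose (sslserver or sslclient).
cert_has_purpose() {
    openssl verify -CAfile "$PKI_DIR/ca.cert.pem" -purpose "$2" "$1" >/dev/null 2>&1
}

write_ca_config
create_root_ca
issue_leaf my.test.cert.com "$SRV_PASS" my.test.cert.com v3_server
issue_leaf client "$CLI_PASS" demo-client v3_client
echo "server cert signed with $(signature_algorithm "$PKI_DIR/my.test.cert.com.cert.pem")"
cert_has_purpose "$PKI_DIR/my.test.cert.com.cert.pem" sslserver && echo "server cert: OK for sslserver"
cert_has_purpose "$PKI_DIR/client.cert.pem" sslclient && echo "client cert: OK for sslclient"
cert_has_purpose "$PKI_DIR/client.cert.pem" sslserver || echo "client cert: rejected for sslserver, as intended"
```

Run it with `sh pki-demo.sh` (any file name works); set PKI_DIR to keep the output somewhere other than a temporary directory. The closing `openssl verify -purpose` checks are the part worth keeping: they mirror the purpose check OpenSSL applies during a TLS handshake, so a certificate issued from the client profile cannot be presented as a server certificate even though the same root signed it.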

References:

https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/
https://jamielinux.com/articles/2013/08/create-and-sign-ssl-certificates-certificate-authority/
