OpenSSL Project

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

Certificate authority

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party – trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. Many[quantify] public-key infrastructure (PKI) schemes feature CAs.

How to configure OpenSSL Own Certificate Authority on Linux.

In the below mentioned example, the /etc/pki/CA directory will be used to store all keys and certificates. The index.txt and serial files act as a kind of flat file database to help you keep track of all your keys and certificates.

Note Point: Ensure that your OpenSSL configuration file (/etc/pki/tls/openssl.cnf) specifies dir=/etc/pki/CA within the [ CA_default ] section.

[root@server101 ~]# cd /etc/pki/CA/
[root@server101 CA]# mkdir {certs,crl,newcerts} -p
[root@server101 CA]# ls
certs  crl  newcerts  private
[root@server101 CA]# touch index.txt
[root@server101 CA]# echo "01" > serial
[root@server101 CA]# echo "01" > crlnumber
[root@server101 CA]# cp -rf /etc/pki/tls/openssl.cnf

Required Modification in the openssl.cnf

[root@server101 CA]# cat  openssl.cnf | grep "#Vashist"
dir        = /etc/pki/CA        # Where everything is kept #Vashist
#dir        = ../../CA        # Where everything is kept  Default Value #Vashist
certificate    = $dir/ca.crt       # The CA certificate  #Vashist
#certificate    = $dir/cacert.pem     # The CA certificate Default Value #Vashist
#private_key    = $dir/private/cakey.pem# The private key Default Value #Vashist
private_key    = $dir/private/ca.key   # The private key #Vashist
[root@server101 CA]# chmod 0600 openssl.cnf

Now generate your own CA certificate & respective key.

[root@server101 CA]# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Generating a 1024 bit RSA private key
writing new private key to 'private/ca.key'
Enter PEM pass phrase: secretPassword
Verifying - Enter PEM pass phrase: secretPassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Delhi     
Locality Name (eg, city) [Newbury]:Vashali
Organization Name (eg, company) [My Company Ltd]:Plentree Enterprise Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Amit Vashist
Email Address []
[root@server101 CA]#



Now you are good to go..!!!

Happy Learning 🙂 🙂



About Amit Vashist

Amit Vashist is someone who brings with him a treasure full of experience of over 8 years in open source technologies. When it comes to virtualization he has single handedly managed end-to-end migration projects in KVM and Xen that involved right from sizing the systems to P2V of existing physical servers. He understands what can go wrong in virtualized world and how to take care of it. He also has root level knowledge on Red Hat platforms and has commissioned & Lamp; Provides Corporate Training over Red Hat HA clusters. Now days Supporting Telecom Giant Billing & Support system, gaining experience on JBoss, Splunk, SQL, Nagios, Apache & Fuse ..etc.
This entry was posted in Linux, OpenSSL and tagged , , , , , , , . Bookmark the permalink.

Please share your valuable suggestions/comments..!!!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s