The Procedure for Issuing Certificates

1. Create a request

The party that wants a certificate creates a certificate request.

This can be done with OpenSSL, by doing: openssl req -new -config ~erl/lewin.nu-CA/openssl.cnf -out cert.csr

You will be asked for the information in the certificate.

This will result in two files: cert.csr, which you send to the certificate authority, and privkey.pem (the default_keyfile named in openssl.cnf), which contains your private key and must never be sent or shown to anyone, the CA included.

The private key will be encrypted with a pass-phrase, unless you specify the -nodes option to openssl. If you do use -nodes, the key is stored in the clear, so make the file readable by its owner only.

Send the cert.csr to the CA.

2. The CA signs the certificate

The CA does the following to sign the certificate (there is no "sign" subcommand; openssl ca signs by default, using the CA key and the settings from the [ca] section of the configuration, and prompts for the CA key's pass-phrase):

openssl ca -config openssl.cnf -in cert.csr -out cert.pem

Check the subject and extensions of cert.pem, then send it to the new owner of the certificate. Only the certificate goes back; the requester's private key never passes through the CA.

Displaying a certificate request

openssl req -in /etc/mail/certs/SendmailCertReq.pem -text -noout

Certificates used

The IMAP service has a certificate stored in /var/imap/server.pem

Sendmail has certificates in /etc/mail/certs.
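Checks worth running on the request and on the certificates listed above, as an added example that is not the page's own script. The paths /var/imap/server.pem and /etc/mail/certs are the page's; the function names, the 30-day warning threshold and the script name certcheck.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: display a request, check a
# certificate's expiry and confirm a private key belongs to a certificate.
set -eu

# csr_subject CSR: the subject of a request, to review before signing it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# cert_summary CERT: who it is for, who signed it and when it expires.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# cert_expires_within CERT DAYS: true (exit 0) if CERT expires within DAYS.
# "x509 -checkend N" exits 0 when the certificate is still valid N seconds
# from now, so the sense is inverted here.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT: true if the private key is the one the
# certificate was issued for (compares the two public keys byte for byte).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh certcheck.sh CERT [KEY]   e.g. sh certcheck.sh /var/imap/server.pem
if [ $# -ge 1 ]; then
    cert_summary "$1"
    if cert_expires_within "$1" 30; then
        echo "WARNING: $1 expires within 30 days"
    fi
    if [ $# -ge 2 ]; then
        if key_matches_cert "$2" "$1"; then
            echo "key matches certificate"
        else
            echo "KEY MISMATCH: $2 does not belong to $1"
        fi
    fi
fi
```

Run it from cron against the IMAP and Sendmail certificate files to catch an expiry before the mail clients do; the key check is the first thing to try when a service refuses to start after a certificate was renewed.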

The Lewin.nu certificate authority

Here is the certificate for the lewin.nu certificate authority. You might want to configure your OS/mail reader/web browser to trust it. Before you do, compare its fingerprint with one obtained out of band (not from this page), since trusting a CA means trusting every certificate it has issued or will issue.

To Create a New Certificate Authority

Set up a directory and configuration

Create a directory to house the new certificate authority.

It must have subdirectories certs, crl, newcerts, private. Also create a text file called "serial" containing "01", and an empty file called index.txt. The private subdirectory will hold the CA key, so make it accessible to the CA's owner only.

Edit /etc/openssl.cnf with settings for the new CA: in the [ca] section, dir, database, serial, new_certs_dir, certificate, private_key, default_md and policy must point at the files and directories created above.

Create the self-signed certificate

Execute the following command in the CA's directory. You will be asked for info in the CA's certificate, and a pass-phrase to protect the certificate authority's key. With -x509, openssl req produces a self-signed certificate directly instead of a request. Give a -days value: without it, openssl req -x509 issues a certificate valid for only 30 days.

openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem

Install the CA certificate in the web server (if relevant)

Copy the certs/cacert.pem file to /etc/httpd/conf/ssl.crt/<domain>.ssl.crt

This is the CA certificate, not the server's own certificate. Configure the virtual server in httpd.conf to reference this file with SSLCertificateChainFile, so that clients receive the full chain; SSLCertificateFile must point at the server certificate created below, and SSLCertificateKeyFile at its private key. Only the CA certificate is copied: the CA key stays in the CA directory and is never installed on a server.

Create a server certificate

Use the following command. Do not give -days here: on openssl req it only applies to self-signed certificates (-x509); for a request, the validity is set by the CA at signing time.

ca-name is the name of the Certificate Authority's section in /etc/openssl.cnf, selected with the -name option of openssl ca.

Don't do this in the CA directory.

openssl req -nodes -new -keyout newkey.pem -out newreq.pem

The certificate request will be stored in the newreq.pem file. The private key will be in newkey.pem. Make sure to keep the private key secret: chmod go-rw newkey.pem.

Sign the certificate request

Use the following command (-days 365 gives a certificate valid for one year). Add -policy policy_anything if you want to sign the certificate despite missing fields; the default policy_match requires the country, state and organization fields to match the CA's. Read the subject that openssl ca displays before confirming.

openssl ca -name phogle.com -days 365 -out newcert.pem -infiles newreq.pem

As root, copy the key to the web server key directory (cp newkey.pem /etc/httpd/conf/ssl.key/<domain>.key) and the signed certificate newcert.pem to the certificate directory /etc/httpd/conf/ssl.crt, point SSLCertificateKeyFile and SSLCertificateFile at them, and restart httpd. The key file must be readable by root only.
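The whole procedure above, from setting up the CA directory through creating a request outside it, signing it and checking the result the way a client will, as one runnable script. This is an added example, not the lewin.nu CA's own configuration or commands: the CA name "Demo CA", the hostname mail.example.test, the temporary directory, the script name demo_ca.sh and the minimal openssl.cnf it writes are all assumptions made for the demo; the directory layout, the serial and index.txt files and the openssl req/ca invocations follow the steps on this page.

```shell
#!/bin/sh
# Added example, not the page's own commands: build a throwaway CA in a temp
# directory, issue one server certificate from a CSR and verify it as a client
# would. "Demo CA", "mail.example.test" and the openssl.cnf below are assumed.
set -eu

# make_ca DIR: the layout the page describes (certs, crl, newcerts, private,
# serial=01, empty index.txt), a minimal openssl.cnf and the self-signed CA cert.
# -nodes only so the demo runs unattended; a real CA key gets a pass-phrase.
# -days is needed because "req -x509" defaults to a 30-day certificate.
make_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    echo 01 > "$dir/serial"
    : > "$dir/index.txt"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/certs/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=Demo CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
}

# make_request CONFIG OUTDIR NAME: the requester's side, run outside the CA
# directory. -nodes leaves newkey.pem unencrypted, so lock it down at once,
# then check the CSR's own signature before sending it to the CA.
make_request() {
    cfg=$1 out=$2 name=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=$name" -keyout "$out/newkey.pem" -out "$out/newreq.pem" 2>/dev/null
    chmod go-rw "$out/newkey.pem"
    openssl req -in "$out/newreq.pem" -verify -noout 2>/dev/null
}

# sign_request CADIR CSR OUT NAME: the CA's side. Validity is decided here with
# -days (not on "req"); -batch skips the confirmation prompt; the extension
# file marks the result as an end-entity server certificate for NAME.
sign_request() {
    cadir=$1 csr=$2 out=$3 name=$4
    cat > "$cadir/server_ext.cnf" <<EOF
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$name
EOF
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -days 365 \
        -extfile "$cadir/server_ext.cnf" -extensions v3_server \
        -out "$out" -infiles "$csr" 2>/dev/null
}

# verify_chain CACERT CERT NAME: what a client does, chain building plus
# hostname check; non-zero exit if either fails.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# ca_fingerprint CACERT: SHA-256 fingerprint to compare out of band before
# trusting a CA certificate in a browser or mail reader.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh demo_ca.sh HOSTNAME   (runs the whole procedure in a temp dir)
if [ $# -eq 1 ]; then
    work=$(mktemp -d); mkdir "$work/req"
    make_ca "$work/ca"
    make_request "$work/ca/openssl.cnf" "$work/req" "$1"
    sign_request "$work/ca" "$work/req/newreq.pem" "$work/req/newcert.pem" "$1"
    verify_chain "$work/ca/certs/cacert.pem" "$work/req/newcert.pem" "$1" && echo "chain OK for $1"
    echo "CA fingerprint: $(ca_fingerprint "$work/ca/certs/cacert.pem"); files in $work"
fi
```

The server extension file is what keeps an issued certificate from being used as a CA itself (CA:FALSE) and ties it to one hostname through subjectAltName; without such a section, openssl ca copies nothing from the request and issues a bare certificate that modern clients reject for hostname matching.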