/etc/pki certificate questions
Michael Cronenworth
mike at cchtml.com
Tue Feb 16 17:39:45 UTC 2010
Daniel B. Thurman wrote:
> Does anyone recommend a very good site for dealing with the
> above issues?
A site is not really required. It can be covered in one email.
I suggest creating a CA for yourself and then creating certs against
that CA. It will make updating your certs easier (unless you just want
to use 10+ year limits on all of your certs).
-Create CA
1. Make a ~/sslcerts, or whatever name you wish, directory.
2. Copy your /etc/pki/tls/openssl.cnf to your local directory. Make
changes to the new copy to match your environment.
3. Create your CA inside of your local directory:
mkdir certs private
touch index.txt
echo 01 > serial
openssl genrsa -out private/local_ca_cert.key 2048 \
openssl req -config openssl.cnf -new -x509 -days 3650 \
-key private/local_ca_cert.key -out local_ca_cert.crt -extensions v3_ca
(Change 3650 to however long you want your CA to last)
-Create user certs
Create the user certs from inside the ~/sslcerts directory:
openssl genrsa -out certs/${user}.key 2048
openssl req -config openssl.cnf -new -nodes -out certs/${user}.csr \
-key certs/${user}.key
openssl ca -config openssl.cnf -keyfile private/local_ca_cert.key \
-cert ${caname}_ca_cert.crt -out certs/${user}.crt -outdir \
certs -infiles certs/${user}.csr
Rinse and repeat for each $user. Copy the CA public key and user
private/public keys to a directory of your choice (possibly /etc/pki/)
to allow dovecot, httpd, or whatever daemon you wish to deploy TLS to
have access to them.
More information about the users
mailing list