Basic Security Certificate Setup
Basic certificate authority and security certificate creation with built-in OpenSSL CA tools.
- TERMINOLOGY AND CONVENTIONS
- CREATE CERTIFICATE AUTHORITY
- CREATE SERVER AND CLIENT CERTIFICATES
TERMINOLOGY AND CONVENTIONS
A certificate authority is an entity that issues digital security certificates.
CREATE CERTIFICATE AUTHORITY
WORKING WITH openssl.cnf
The openssl.cnf file provides configuration information to the openssl utility. On a new Symas OpenLDAP installation, the file is named /opt/symas/ssl/openssl.cnf.default. The file must be renamed or copied to a file named /opt/symas/ssl/openssl.cnf.
The configuration contains default paths and filenames, the length of time a certificate is valid, what hashing algorithm to use for the certificate and the default values for certificate information like organization, organizational unit, country name, etc. and many other settings. When creating a CA for issuing self-signed certificates, most information in openssl.cnf should remain as-is. There are some items where default values may be added or changed and makes it easier to keep certificate information more consistent:
|default_days||The default_days variable sets the number of days that a certificate is valid. The default is 365 and can be adjusted upward or downward to suit your needs.|
|countryName*||The name of the country where the certificate is used or issued.|
|stateOrProvinceName*||The name of the state or province where the certificate is used or issued.|
|localityName*||The name of the city where the certificate is used or issued.|
|0.organizationName*||The name of the company or organization that the certificate is for.|
|organizationalUnitName*||The name of the organizational unit that the certificate is for.|
|commonName**||While the description for the commonName says “(eg. YOUR name)” it is best to use the fully qualified host names. When creating the CA, use the fully qualified host name of the machine that the CA is being created on. When creating server and client certificates, use the fully qualified host name for the host that the certificate is going to be installed on.|
|emailAddress*||An email address, usually for the user or group that will be the administrator for the CA.|
* Item may have a default value set by adding a new line that starts with the item name appended with “_default” and then the desired value.
TODO - sample openssl.cnf file and link Example openssl.cnf file link. [Greg Noe](https://confluence.symas.com/display/~gnoe)
CREATE THE CA
First you’ll need to run the CA.sh script to make sure all directories are created.
Next, make a new CA request.
/opt/symas/ssl> ../bin/CA.sh -newca
Respond to all the prompts. If you have set defaults for fields in openssl.cnf and see the value in brackets at the prompt, press enter to accept it or enter a new value to override it. Make sure to back up the passphrase you create. Please note that the challengePassword and unstructuredName fields are optional.
Your CA is now set up and the CA public key is saved to /opt/symas/ssl/cacert.pem.
CREATE SERVER AND CLIENT CERTIFICATES
GENERATE A CERTIFICATE REQUEST
Create Certificate Request
/opt/symas/ssl> ../bin/CA.sh -newreq -nodes
SIGN THE CERTIFICATE
Sign a Certificate
/opt/symas/ssl> ../bin/CA.sh -signreq