SSL Certification authority
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies that the named subject of the certificate owns a particular public key. This allows others (relying parties) to rely upon signatures or assertions made with the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party, trusted by both the subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic of many public key infrastructure (PKI) schemes.[1]
OpenSSL must be installed in order to create/manage certificates.
In the paths below I use ssl-name, where name stands for the entity that owns the CA.
Create folder structure
Change default values in openssl.cnf
cp /etc/pki/tls/openssl.cnf /etc/ssl-name
(/etc/pki/tls/openssl.cnf is where RHEL, CentOS and Fedora keep the stock file; Debian and Ubuntu ship it as /etc/ssl/openssl.cnf.)
In the following sections of the copied file, change these values:
[ CA_default ]
dir = /etc/ssl-name
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
[ req_distinguished_name ]
countryName_default = YOUR TWO-LETTER COUNTRY CODE
stateOrProvinceName_default = YOUR PROVINCE NAME
localityName_default = YOUR LOCALITY NAME
0.organizationName_default = YOUR ORGANIZATION NAME
organizationalUnitName_default = YOUR ORGANIZATIONAL UNIT NAME
challengePassword_default = CHALLENGE PASSWORD
unstructuredName_default = SIMPLE NAME FOR YOUR ORG
Initialize the files openssl ca keeps its state in. The stock openssl.cnf points serial, crlnumber and database at $dir/serial, $dir/crlnumber and $dir/index.txt, so the database file must also exist (and be empty) before the first certificate is signed:
echo '01' > /etc/ssl-name/serial
echo '00' > /etc/ssl-name/crlnumber
Generate CA certificate:
Generate a Certificate Request:
Be sure to type your service name correctly in the Common Name (CN) field (e.g. www.yourservice.com). Modern TLS clients match the hostname against the subjectAltName extension rather than the CN (Chrome has ignored the CN since version 58), so the same name should also be present as a DNS entry in subjectAltName.
Sign the Certificate Request
You can sign the server certificate request by issuing the following command:
"-policy policy_anything" means that the Country, State and Locality fields of the request are not required to match those of the CA certificate. The default policy set in the CA_default section, policy_match, does require them to match (see /etc/ssl-name/openssl.cnf).
Two files were created:
- /etc/ssl-name/certs/server.crt – Server certificate.
- /etc/ssl-name/newcerts/01.pem – Same certificate, but with the certificate serial number as a filename.
You can now delete the certificate request file; the signed certificate is all the server needs.
Verify Server Certificate file
To check the certificate's basic info, issue the following command:
To check the certificate's "useful" info (subject, issuer, validity dates, extensions), issue the following command:
To check that the certificate chains to your CA and is valid for the sslserver purpose, issue the following command:
Revoke Server Certificate
To revoke the server certificate, issue the following command:
After each revocation you must generate a new CRL (Certificate Revocation List):
Be sure to distribute the CRL to everyone who trusts your CA (e.g. publish it online). Relying parties do not consult a CRL unless told to: openssl verify, for instance, only checks it when given -crl_check, and server software has to be pointed at the CRL file explicitly.
Server Certificate file misc.
To put the server certificate and key in the same file, issue the following command (the combined file contains the private key, so protect it exactly like the key):
To convert the server certificate to DER format, issue the following command:
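The whole procedure above, from folder layout to DER export, as one runnable shell script. This is an added example and not the page's own commands: it builds the CA under a temporary directory rather than /etc/ssl-name, writes a minimal openssl.cnf instead of copying the system one, and uses placeholder names ("Example Org", "Other Org", www.example.test). The server request deliberately carries a different Country and Organization from the CA, so signing only succeeds because of -policy policy_anything; after revocation the script shows that openssl verify keeps accepting the certificate until -crl_check and the CRL are supplied.

```shell
#!/bin/sh
# Added example, not code from the original page: a throwaway private CA run with the
# OpenSSL CLI through the steps above. Assumed: a temp dir stands in for /etc/ssl-name,
# and "Example Org", "Other Org" and www.example.test are placeholder names.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
SERVER_NAME="www.example.test"
# Folder structure plus the three files 'openssl ca' keeps its state in.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/crl"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"          # database of issued certificates, starts empty
    echo '01' > "$CA_DIR/serial"     # next certificate serial number
    echo '00' > "$CA_DIR/crlnumber"  # next CRL number
    # Minimal config: \$dir is left for OpenSSL to expand, $CA_DIR is filled in now.
    # policy_match is the default, so signing below has to pass -policy policy_anything.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/certs/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName = match
commonName = supplied
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = ca_cert
[ req_distinguished_name ]
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
EOF
}
# CA key plus self-signed CA certificate; extensions come from [ca_cert].
ca_create() {
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/certs/ca.crt" -days 3650 \
        -subj "/C=PT/O=Example Org/CN=Example Org Root CA" 2>/dev/null
    chmod 600 "$CA_DIR/private/ca.key"
}
# Server key and CSR. CN is the hostname; C and O differ from the CA's on purpose.
server_csr() {
    openssl req -new -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/private/server.key" -out "$CA_DIR/server.csr" \
        -subj "/C=US/O=Other Org/CN=$SERVER_NAME" 2>/dev/null
}
# Sign the CSR: writes certs/server.crt and newcerts/01.pem and bumps serial to 02.
server_sign() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -policy policy_anything \
        -in "$CA_DIR/server.csr" -out "$CA_DIR/certs/server.crt" 2>/dev/null
    rm -f "$CA_DIR/server.csr"       # the request is not needed once it is signed
}
# Exit 0 when the chain is valid for a TLS server. Without a CRL file as $1 no
# revocation check happens at all; with one, -crl_check rejects a revoked certificate.
cert_verify() {
    if [ $# -eq 0 ]; then set -- "$CA_DIR/certs/server.crt"
    else set -- -crl_check -CRLfile "$1" "$CA_DIR/certs/server.crt"; fi
    openssl verify -purpose sslserver -CAfile "$CA_DIR/certs/ca.crt" "$@" >/dev/null 2>&1
}
# Revoke (an 'R' line appears in index.txt), then issue a fresh CRL to publish.
server_revoke() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/server.crt" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}
# Certificate and key in one PEM file (keep it private), plus a DER copy of the certificate.
server_bundle() {
    cat "$CA_DIR/certs/server.crt" "$CA_DIR/private/server.key" > "$CA_DIR/private/server.pem"
    chmod 600 "$CA_DIR/private/server.pem"
    openssl x509 -in "$CA_DIR/certs/server.crt" -outform DER -out "$CA_DIR/certs/server.der"
}
run_all() {
    ca_init; ca_create; server_csr; server_sign
    openssl x509 -in "$CA_DIR/certs/server.crt" -noout -subject -issuer -serial -dates
    cert_verify && echo "before revocation: verify OK"
    server_revoke
    cert_verify && echo "after revocation, no CRL given: verify still OK (CRL not consulted)"
    cert_verify "$CA_DIR/crl/ca.crl" || echo "after revocation, with -crl_check: verify fails"
    server_bundle
}
run_all
```

Run it with sh; set CA_DIR beforehand (for example CA_DIR=/tmp/myca sh ca-demo.sh) to keep the output somewhere you can inspect. Two things worth keeping in mind when moving from the demo to a real deployment: -CRLfile needs OpenSSL 1.0.2 or later, and the ca(1) man page itself describes openssl ca as an example of how a CA works rather than a full CA, so treat its index.txt and serial files as something that must be backed up and never edited by two processes at once.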