fluxcoil wiki

Howtos and notes

User Tools

Site Tools

Sidebar

snippets:linux_quickshotsetups:certificate_authority

Table of Contents

What?

Creating a certificate authority. Nowadays, you already need it for testing an https webserver: create the CA, then a cert for the https service, and sign that cert. Import the CA cert into the browser, then access the https service.

CA generation with nss

This is the default on Fedora and RHEL, CentOS, ScientificLinux. 

dnf -y install nss-tools

SERVICENAME="rhel7b.fluxcoil.net"

### create CA itself
cd /etc/pki/nssdb
mkdir CA_db
certutil -N -d CA_db
certutil -S -d CA_db -n "chorn test CA" \
  -s "CN=test,O=MYORG,L=Tokyo,C=JA" -t "CT,," -x -2
# Be sure to answer "Is this a CA certificate [y/N]?" with "y"!

# export cacert to x509
certutil -L -d CA_db -n "chorn test CA" -a -o CA_db/rootca.crt
# show details
certutil -L -d ./CA_db 

### create server/services db
mkdir /etc/pki/nssdb/server_db
certutil -N -d server_db
certutil -A -d server_db -n "chorn test CA" -t "TC,," -a -i CA_db/rootca.crt

### create a service cert, i.e. for https
certutil -R -d server_db \
  -s "CN=$SERVICENAME,O=MYORG,L=Tokyo,C=JA" \
  -a -o server_db/$SERVICENAME.req -v 12
certutil -C -d CA_db -c "chorn test CA" -a \
  -i server_db/$SERVICENAME.req -o server_db/$SERVICENAME.crt -2 # -6
certutil -A -d server_db -n $SERVICENAME -a \
  -i server_db/$SERVICENAME.crt -t ",,"
certutil -V -d server_db -u V -n $SERVICENAME

cd server_db/
openssl x509 -in $SERVICENAME.crt -noout -text
pk12util -d . -o $SERVICENAME.pk12 -n $SERVICENAME
openssl pkcs12 -clcerts -in $SERVICENAME.pk12 -out $SERVICENAME.pem

# create keyfile without passphrase
openssl rsa -in $SERVICENAME.pem \
  -out ${SERVICENAME}_key_nopass.pem

example httpd config

[root@rhel7a server_db]# yum -y install mod_ssl
[..]
[root@rhel7a server_db]# grep nssdb /etc/httpd/conf.d/ssl.conf 
SSLCertificateFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net.pem
SSLCertificateKeyFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net_key_nopass.pem
SSLCACertificateFile /etc/pki/nssdb/CA_db/rootca.crt
[root@rhel7a server_db]# systemctl start httpd
snippets/linux_quickshotsetups/certificate_authority.txt ยท Last modified: 2022/11/13 12:06 by 127.0.0.1

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Driven by DokuWiki