The majority of the files that the CA uses are visible to anyone on the system, or at least to anyone who makes any use of the certificates issued by our CA. The one notable exception is the CA certificate's private key. The private key should never be disclosed to anyone not authorized to issue a certificate or CRL from our CA. The private key should be stored in hardware, or at least on a machine that is never put on a network.

```
tls]# mkdir certs private
```

Besides key generation, we will create three files that our CA infrastructure will need.

A serial file is used to keep track of the last serial number that was used to issue a certificate. It's important that no two certificates ever be issued with the same serial number from the same CA. OpenSSL is somewhat quirky about how it handles this file. It expects the value to be in hex, and it must contain at least two digits, so we must pad the value by prepending a zero to it.

Next we will create the index.txt file, which is a database of sorts that keeps track of the certificates that have been issued by the CA. Since no certificates have been issued at this point and OpenSSL requires that the file exist, we'll simply create an empty file.

```
tls]# touch index.txt
```

Check the list of contents under /root/tls:

```
tls]# ls -l
drwxr-xr-x 2 root root 4096 Apr  8 22:29 certs
-rw-r--r-- 1 root root    0 Apr  9 03:36 index.txt
-rw-r--r-- 1 root root   32 Apr  8 23:25 mypass.enc
drwxr-xr-x 2 root root 4096 Apr  9 03:34 private
-rw-r--r-- 1 root root    3 Apr  9 03:37 serial
```

Step 4: Configure openssl.cnf for Root CA Certificate

We will have a default configuration file openssl.cnf in RHEL/CentOS 7/8 under /etc/pki/tls/openssl.cnf, which is added by the openssl rpm. We will copy this file to your custom certificate location, i.e. /root/tls, and will modify the content of this file to create the Root CA Certificate.

```
HOME = .
include /etc/crypto-policies/back-ends/nfig
```

The OpenSSL command for the CA functions is aptly named ca, and so the first section that we're interested in is named ca. For our purposes, this section is quite simple, containing only a single key: default_ca. The value is the name of a section containing the configuration for the default CA.

```
[ ca ]
default_ca = CA_default # The default ca section
```

The CA_default section contains a range of defaults. Make sure you declare the directory you chose earlier, /root/tls. The x509_extensions key specifies the name of a section that will contain the extensions to be added to each certificate issued by our CA.

```
[ CA_default ]
dir = /root/tls # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
```
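The directory layout and bookkeeping files above can be created and sanity-checked with a small script. This is an added example, not the article's own commands: it takes the base directory as an argument (the article uses /root/tls, but the path here is an assumption), creates certs/ and private/, writes the zero-padded serial file, creates the empty index.txt, and locks down private/ so that only the owner can reach the CA key. The check function verifies the layout and that the serial is valid hex with an even number of digits, which is what `openssl ca` expects.

```shell
#!/bin/sh
# Added example (not from the article): set up and verify a CA working
# directory of the shape described above. Assumes POSIX sh and coreutils.

# Create the directory layout and bookkeeping files for a CA under "$1".
setup_ca_dir() {
    base="$1"
    mkdir -p "$base/certs" "$base/private"
    # The CA private key will live in private/; deny group/other access.
    chmod 700 "$base/private"
    # OpenSSL wants an even number of hex digits in the serial file,
    # so a starting value of 1 must be written as "01".
    [ -f "$base/serial" ] || printf '01\n' > "$base/serial"
    # Empty database of issued certificates; openssl ca requires it to exist.
    [ -f "$base/index.txt" ] || : > "$base/index.txt"
}

# Return 0 if "$1" has the expected layout, a locked-down private/ directory
# and a serial file that OpenSSL will accept; return 1 otherwise.
check_ca_dir() {
    base="$1"
    [ -d "$base/certs" ]   || return 1
    [ -d "$base/private" ] || return 1
    # Mode string from ls -ld is portable (stat flags differ across systems).
    perm="$(ls -ld "$base/private" | cut -c1-10)"
    [ "$perm" = "drwx------" ] || return 1
    [ -f "$base/index.txt" ] || return 1
    [ -f "$base/serial" ]    || return 1
    # Serial must be hex with an even number of digits (at least two).
    serial="$(cat "$base/serial")"
    printf '%s' "$serial" | grep -Eq '^([0-9A-Fa-f]{2})+$' || return 1
    return 0
}
```

Usage is `setup_ca_dir /root/tls && check_ca_dir /root/tls`; the check fails if someone later overwrites serial with an odd-length value such as `1`, which `openssl ca` would reject at issuance time.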