Private CA Certificate Authority

#PES Howto work ssl
#201502 reload new laptop
copy the laptop* certificate, key and CA certificate from vigor
set up OpenVPN; got an error
solution: the CA file is cacert.pem, not ca.crt

#20150110 add home linux
:/etc/ssl# openssl req -days 3650 -nodes -new -newkey rsa:2048 \
     -keyout demoCA/homeLinux201501.key.pem -out demoCA/homeLinux201501.csr.pem
:/etc/ssl# openssl ca -days 3650 -out demoCA/homeLinux201501.crt.pem -in demoCA/homeLinux201501.csr.pem

#20140906 add new laptop ssl cert
:/etc/ssl# openssl req -days 3650 -nodes -new -newkey rsa:2048 \
        -keyout demoCA/laptop201409.key.pem -out demoCA/laptop201409.csr.pem
openssl ca -days 3650 -out demoCA/laptop201409.crt.pem -in demoCA/laptop201409.csr.pem
#20140904
create the directory /etc/ssl/demoCA
create the CA inside it; see step 1 below
openssl req -days 3650 -nodes -new -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem
:/etc/ssl# mkdir demoCA/private
:/etc/ssl# mv demoCA/cakey.pem demoCA/private/
:/etc/ssl# mkdir demoCA/newcerts
echo "01" > index.txt
:/etc/ssl/demoCA# ln -s ../index.txt
:/etc/ssl/demoCA# ln -s ../serial
:/etc/ssl# openssl req -days 3650 -nodes -new -newkey rsa:2048 \
        -keyout note3.key.pem -out note3.csr.pem
:/etc/ssl# openssl ca -days 3650 -out demoCA/note3.crt.pem -in demoCA/note3.csr.pem
# NOTE(review): the first two lines have no `pkcs12` subcommand and look like
# earlier attempts that do not run; the third line is the working form.
openssl -in keycerts.pem  -export -name "My PKCS#12 file" -out fixed.p12
openssl -in note3.crt.pem -export -name "Notes3" -out note3.p12
# Bundle the client key, its certificate and the CA certificate (-certfile)
# into one PKCS#12 file. The .p12 carries the private key, so use a strong
# export password at the prompt and remove the file from the CA host once
# it has been transferred to the client.
openssl pkcs12 -export -out note3.p12 -inkey note3.key.pem -in note3.crt.pem -certfile cacert.pem
## Create server p12 ##
:/etc/ssl# openssl req -days 3650 -nodes -new -newkey rsa:2048 \
        -keyout demoCA/server2014.key.pem -out demoCA/server2014.csr.pem
# Sign the server CSR with the CA (10-year validity set here).
# NOTE(review): nothing in this flow adds extensions (subjectAltName,
# serverAuth EKU) to the server certificate; modern TLS clients require a
# SAN matching the hostname — confirm against the openssl.cnf in use.
openssl ca -days 3650 -out demoCA/server2014.crt.pem -in demoCA/server2014.csr.pem
# The .p12 holds the server private key; unlike the client bundle above there
# is no -certfile, so the CA certificate is not included.
openssl pkcs12 -export -out demoCA/server2014.p12 -inkey demoCA/server2014.key.pem -in demoCA/server2014.crt.pem
http://www.blackmanticore.com/64b9167ac2668861dd638a55273d8a5a
http://mia.ece.uic.edu/~papers/volans/settingupCA.html

http://sapiens.wustl.edu/~sysmain/info/openssl/openssl_ca.html
gvim /usr/share/doc/mysql-server/SSL-MINI-HOWTO.txt.gz

1. Create CA
# 1. Create the CA: a self-signed (-x509) certificate and its key, valid
# 10 years. -nodes leaves ca.key UNENCRYPTED; /root/cert must stay root-only
# (e.g. chmod 700 /root/cert) because this key signs every certificate below.
mkdir /root/cert ; cd /root/cert
openssl req -days 3650 -nodes -new -newkey rsa:2048 -x509 -keyout ca.key -out ca.crt

2. Setup /etc/ssl
# 2. Lay out the openssl ca database in /etc/ssl: serial seeds the next
# certificate serial number, index.txt (empty) is the issued-certificate
# database, newcerts/ receives a copy of every issued certificate.
# NOTE(review): openssl ca takes these paths from the [CA_default] section
# of openssl.cnf (dir/serial/database/new_certs_dir) — confirm it points at
# /etc/ssl rather than the ./demoCA layout used in the transcripts above.
echo "01" > /etc/ssl/serial
touch /etc/ssl/index.txt
mkdir /etc/ssl/newcerts
ln -s /root/cert/ca.crt /etc/ssl/cacert.pem
# Symlink only: the private key stays in /root/cert, so the permissions of
# that directory and file govern who can sign, not /etc/ssl/private.
ln -s /root/cert/ca.key /etc/ssl/private/cakey.pem

3. As normal user create certificate request
# 3. As a normal user: generate a 2048-bit RSA key and a CSR for it. -nodes
# leaves timone.key.pem unencrypted, so keep ~/cert owner-only. Only the CSR
# is sent to the CA; the key never leaves this machine.
# NOTE(review): -days has no effect on a CSR (it only applies together with
# -x509); the validity is fixed by the CA's -days in step 4.
mkdir ~/cert ; cd ~/cert
openssl req -days 3650 -nodes -new -newkey rsa:2048 \
        -keyout timone.key.pem -out timone.csr.pem
>> send the CSR (timone.csr.pem) to the CA

4. As the CA, sign the request, e.g. timone.csr.pem
openssl ca -days 3650 -out timone.crt.pem -in timone.csr.pem
>> send the signed certificate (timone.crt.pem) back
Example 2 (alternative, signing directly with openssl x509 instead of openssl ca):
        # Sign the CSR directly with openssl x509. This bypasses the CA
        # database (no index.txt / newcerts record), so there is no record
        # of issuance for later revocation; -CAserial keeps the serial in
        # ca-srl.txt and -CAcreateserial creates that file on first use.
        # NOTE(review): 9999 days is ~27 years, and with no -extfile no
        # extensions are added to server-cert.pem — confirm the intended use.
        openssl x509 -req -days 9999 \
          -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
          -CAserial ca-srl.txt -in server-csr.pem -out server-cert.pem



Optional: as the CA, build and sign in one go ($1 is the name stem)
# One-shot key + CSR + signed cert; $1 is the name stem
# (foo -> foo.key / foo.csr / foo.crt).
# NOTE(review): no -newkey here, so the key size comes from default_bits in
# openssl.cnf — confirm it is at least 2048 like the commands above.
# In a real script quote the expansion ("$1.key"); unquoted $1 breaks on
# names containing spaces or glob characters.
openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr
openssl ca -days 3650 -out $1.crt -in $1.csr 

...
