ubuntu:certificates:create_a_private_certificate_authority

Differences

This shows you the differences between two versions of the page.

ubuntu:certificates:create_a_private_certificate_authority [2019/11/29 22:57] – created peter
ubuntu:certificates:create_a_private_certificate_authority [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 19: Line 19:
 This password will be used everytime you sign a certificate with this CA. This password will be used everytime you sign a certificate with this CA.
  
-<WRAP important> +----
-**WARNING:** Make sure unauthorized users don’t get access to your private key! +
-</WRAP>+
  
 +===== Prevent unauthorized users accessing to your private key! =====
 +
 +<code bash>
 +chmod 700 ca.key
 +</code>
 +
 +----
 +
 +===== Create the top-level certificate =====
 +
 +This will be shown as the top level certificate when you have signed other certificates so choose expiration day and the certificate contents carefully.
 +
 +All signed certificates will expirate if the top level certificate expires so you may want to choose a few years here
 +
 +<code bash>
 +openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 +</code>
 +
 +Here is a sample of input values:
 +
 +<code bash>
 +Enter pass phrase for ca.key:
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:UK
 +State or Province Name (full name) [Some-State]:
 +Locality Name (eg, city) []:
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
 +Organizational Unit Name (eg, section) []:
 +Common Name (eg, YOUR name) []:ShareWiz CA
 +Email Address []:
 +</code>
 +
 +Common name will be shown when users are displaying details about the certificate.
 +
 +
 +===== Create a certificate request =====
 +
 +Create a private key:
 +
 +<code bash>
 +openssl genrsa -des3 -out secure.sharewiz.net.key 4096
 +</code>
 +
 +----
 +
 +Create the certificate request
 +
 +<code bash>
 +openssl req -new -key secure.sharewiz.net.key -out secure.sharewiz.net.csr
 +</code>
 +
 +Make sure you put your domain name in the “Common Name” field
 +
 +----
 +
 +===== Sign the certificate with your CA certificate =====
 +
 +You will need to provide the certificate request here and the CA key.
 +
 +<code bash>
 +openssl x509 -req -days 365 -in secure.sharewiz.net.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out secure.sharewiz.net.crt
 +</code>
 +
 +----
 +
 +===== Remove password from key (optional) =====
 +
 +If using the certificate with Apache, Postfix or other services you may need to replace the password in your private key so that the service can start without user interaction.
 +
 +<code bash>
 +openssl rsa -in secure.sharewiz.net.key -out secure.sharewiz.net.key.insecure
 +mv secure.sharewiz.net.key secure.sharewiz.net.key.secure
 +mv secure.sharewiz.net.key.insecure secure.sharewiz.net.key
 +</code>
 +
 +----
 +
 +===== Set permissions on the keys =====
 +
 +<code bash>
 +chmod 700 secure.sharewiz.net.key
 +chmod 700 secure.sharewiz.net.key.secure
 +</code>
  
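Review bot: the signing command `openssl x509 -req -days 365 ... -set_serial 01 ...` gives every certificate this CA issues the same serial number, but serials must be unique per issuer, and some clients (Firefox among them) refuse a second certificate whose issuer and serial match one already in their store; use `-CAcreateserial` on the first signing (it writes `ca.srl` next to the CA) and `-CAserial ca.srl` afterwards so OpenSSL increments it, or pass a different `-set_serial` value each time. The same command issues a leaf certificate with no subjectAltName, which current browsers require instead of the "Common Name" the text tells the reader to fill in; add `-extfile` pointing at a file containing `subjectAltName=DNS:secure.sharewiz.net`. On permissions, `chmod 700 ca.key` and the two `chmod 700 secure.sharewiz.net.key*` lines set an execute bit a key file never needs, so `chmod 600` (or `400`) is the conventional setting, and in the "Remove password from key" section the unencrypted `secure.sharewiz.net.key.insecure` is written with the default umask and only restricted in the later section, so run `umask 077` first or chmod it in the same step. Wording: "expirate" should be "expire", "everytime" should be "every time", and the new heading reads better as "Prevent unauthorized users accessing your private key".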
ubuntu/certificates/create_a_private_certificate_authority.1575068242.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
