Set up your own CA (Certificate Authority) server on CentOS 7
Log in to the CentOS 7 box
Install OpenSSL if it is not present
# yum install -y openssl
Create the CA directories if they are not present. The later commands refer to these directories (private/, certs/) relative to /etc/pki/CA, so run this mkdir from inside that directory, i.e. after the cd step below.
# mkdir certs newcerts private crl
Change to the CA directory
# cd /etc/pki/CA
Create an empty index.txt file
# touch index.txt
Create a serial file whose first serial number is 01
# echo 01 > serial
Create a random seed file used when generating certificates
# openssl rand -out private/.rand 1000
Create your CA key and protect it with a passphrase when prompted. Note that the command below generates a 1024-bit RSA key, which is considered weak today; for a CA key use at least 2048 bits (the config later in this guide already uses 2048).
# openssl genrsa -aes256 -out private/cakey.pem 1024
Create a certificate signing request (CSR) with this key
# openssl req -new -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=Maharashtra/L=Pune/O=MyLab/OU=security/CN=mylabadmin"
Create your self-signed CA certificate. The command below signs with SHA-1 (-sha1), which is deprecated for certificate signatures; prefer -sha256, as the nginx certificate later in this guide already does.
# openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey private/cakey.pem -in private/ca.csr -out certs/ca.cer
Create a server key now (the command below again uses 1024-bit RSA; 2048 bits or more is recommended)
# openssl genrsa -aes256 -out private/server-key.pem 1024
Create a server configuration file with all the information prefilled.
# vim myserver.conf
The content is shown below; copy it and change the values as needed.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[req_distinguished_name]
countryName = IN
countryName_default = IN
stateOrProvinceName = Maharashtra
stateOrProvinceName_default = Maharashtra
localityName = Pune
localityName_default = Pune
organizationName = My Lab Local
organizationName_default = mylablocal
commonName = mylabadmin
commonName_max = 64
[v3_req]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = route.mylab.local
Save and exit.
Now create the server certificate signing request (server.csr) from the server key, using this server conf file
# openssl req -new -key private/server-key.pem -out private/server.csr -config myserver.conf
Inspect the server certificate signing request (check that the requested subjectAltName and key usage appear)
# openssl req -noout -text -in private/server.csr
Generate the server certificate with your CA. The -extfile/-extensions options below copy the v3_req section (including the subjectAltName) into the certificate; the signature is again -sha1, where -sha256 is preferable.
# openssl x509 -req -days 365 -sha1 -extfile myserver.conf -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
# openssl x509 -noout -text -in certs/server.cer
Create a client key now and generate a certificate signed by the CA. Note that the signing command below passes -extensions v3_req but no -extfile, so, unlike the server certificate, it does not appear to pick up the v3_req section at all; if extensions are wanted for the client certificate, supply them with -extfile and a section suited to client use (the v3_req section above carries extendedKeyUsage = serverAuth).
# openssl genrsa -aes256 -out private/client-key.pem 1024
# openssl req -new -key private/client-key.pem -out private/client.csr -subj "/C=CN/ST=Maharashtra/L=Pune/O=MyLab/OU=security/CN=mylabadmin"
# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -in private/client.csr -out certs/client.cer
Now we will generate a CSR for the nginx web server's domain and sign it with our CA
Set up the nginx web server first
# yum install nginx -y
# systemctl enable nginx
# systemctl start nginx
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --reload
Now generate the CSR and enter the domain name (in my case webserver1.mylab.local) when asked for the hostname (Common Name). Note that -extensions on a plain CSR request (without -x509) does not add request extensions, so this CSR carries no subjectAltName; modern browsers require the hostname in a SAN, so use a config with a subjectAltName section (as for the server certificate above) if browsers are to trust this certificate. The -nodes option leaves the key unencrypted, so protect the key file's permissions.
# openssl req -new -nodes -sha256 -out certificate_request.csr -newkey rsa:2048 -keyout certificate_key.key -extensions v3_req
Now we have a CSR and a private key
Sign the CSR using the CA. Here too -extensions v3_req is given without -extfile, so no extensions (and no subjectAltName) are copied into the certificate; pass `-extfile myserver.conf -extensions v3_req` with DNS.1 set to this domain if the certificate needs them.
# openssl x509 -req -days 730 -in certificate_request.csr -CA /etc/pki/CA/certs/ca.cer -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out cockpit_certificate.crt -extensions v3_req -sha256
# cp certificate_key.key /etc/ssl/private/apache-selfsigned.key
# cp cockpit_certificate.crt /etc/ssl/certs/apache-selfsigned.crt
Now put this block in your nginx configuration file. The server_name below is localhost; set it to the name the certificate was issued for (webserver1.mylab.local in this example). Make sure the key copied to /etc/ssl/private/ above is readable only by root.
server {
listen 443 ssl http2;
server_name localhost;
ssl_certificate /etc/ssl/certs/apache-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/apache-selfsigned.key;
location / {
.......
....
}
}
# systemctl restart nginx
Install OpenSSL if it is not present
# yum install -y openssl
Create the CA directories if they are not present. The later commands refer to these directories (private/, certs/) relative to /etc/pki/CA, so run this mkdir from inside that directory, i.e. after the cd step below.
# mkdir certs newcerts private crl
Change to the CA directory
# cd /etc/pki/CA
Create an empty index.txt file
# touch index.txt
Create a serial file whose first serial number is 01
# echo 01 > serial
Create a random seed file used when generating certificates
# openssl rand -out private/.rand 1000
Create your CA key and protect it with a passphrase when prompted. Note that the command below generates a 1024-bit RSA key, which is considered weak today; for a CA key use at least 2048 bits (the config later in this guide already uses 2048).
# openssl genrsa -aes256 -out private/cakey.pem 1024
Create a certificate signing request (CSR) with this key
# openssl req -new -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=Maharashtra/L=Pune/O=MyLab/OU=security/CN=mylabadmin"
Create your self-signed CA certificate. The command below signs with SHA-1 (-sha1), which is deprecated for certificate signatures; prefer -sha256, as the nginx certificate later in this guide already does.
# openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey private/cakey.pem -in private/ca.csr -out certs/ca.cer
Create a server key now (the command below again uses 1024-bit RSA; 2048 bits or more is recommended)
# openssl genrsa -aes256 -out private/server-key.pem 1024
Create a server configuration file with all the information prefilled.
# vim myserver.conf
The content is shown below; copy it and change the values as needed.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[req_distinguished_name]
countryName = IN
countryName_default = IN
stateOrProvinceName = Maharashtra
stateOrProvinceName_default = Maharashtra
localityName = Pune
localityName_default = Pune
organizationName = My Lab Local
organizationName_default = mylablocal
commonName = mylabadmin
commonName_max = 64
[v3_req]
subjectAltName = @alt_names
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = route.mylab.local
Save and exit.
Now create the server certificate signing request (server.csr) from the server key, using this server conf file
# openssl req -new -key private/server-key.pem -out private/server.csr -config myserver.conf
Inspect the server certificate signing request (check that the requested subjectAltName and key usage appear)
# openssl req -noout -text -in private/server.csr
Generate the server certificate with your CA. The -extfile/-extensions options below copy the v3_req section (including the subjectAltName) into the certificate; the signature is again -sha1, where -sha256 is preferable.
# openssl x509 -req -days 365 -sha1 -extfile myserver.conf -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
# openssl x509 -noout -text -in certs/server.cer
Create a client key now and generate a certificate signed by the CA. Note that the signing command below passes -extensions v3_req but no -extfile, so, unlike the server certificate, it does not appear to pick up the v3_req section at all; if extensions are wanted for the client certificate, supply them with -extfile and a section suited to client use (the v3_req section above carries extendedKeyUsage = serverAuth).
# openssl genrsa -aes256 -out private/client-key.pem 1024
# openssl req -new -key private/client-key.pem -out private/client.csr -subj "/C=CN/ST=Maharashtra/L=Pune/O=MyLab/OU=security/CN=mylabadmin"
# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -in private/client.csr -out certs/client.cer
Now we will generate a CSR for the nginx web server's domain and sign it with our CA
Set up the nginx web server first
# yum install nginx -y
# systemctl enable nginx
# systemctl start nginx
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --reload
Now generate the CSR and enter the domain name (in my case webserver1.mylab.local) when asked for the hostname (Common Name). Note that -extensions on a plain CSR request (without -x509) does not add request extensions, so this CSR carries no subjectAltName; modern browsers require the hostname in a SAN, so use a config with a subjectAltName section (as for the server certificate above) if browsers are to trust this certificate. The -nodes option leaves the key unencrypted, so protect the key file's permissions.
# openssl req -new -nodes -sha256 -out certificate_request.csr -newkey rsa:2048 -keyout certificate_key.key -extensions v3_req
Now we have a CSR and a private key
Sign the CSR using the CA. Here too -extensions v3_req is given without -extfile, so no extensions (and no subjectAltName) are copied into the certificate; pass `-extfile myserver.conf -extensions v3_req` with DNS.1 set to this domain if the certificate needs them.
# openssl x509 -req -days 730 -in certificate_request.csr -CA /etc/pki/CA/certs/ca.cer -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out cockpit_certificate.crt -extensions v3_req -sha256
# cp certificate_key.key /etc/ssl/private/apache-selfsigned.key
# cp cockpit_certificate.crt /etc/ssl/certs/apache-selfsigned.crt
Now put this block in your nginx configuration file. The server_name below is localhost; set it to the name the certificate was issued for (webserver1.mylab.local in this example). Make sure the key copied to /etc/ssl/private/ above is readable only by root.
server {
listen 443 ssl http2;
server_name localhost;
ssl_certificate /etc/ssl/certs/apache-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/apache-selfsigned.key;
location / {
.......
....
}
}
# systemctl restart nginx