Labeled NFS/Demo/Manual/LDAP/CA - Revision history (selinuxproject.org wiki)

* 13:52, 11 December 2008, CraigGrube: page heading changed from "Openssl SSL Certificate" to "Certificate Guide"
* 13:51, 11 December 2008, CraigGrube: new page, reproduced below

= Openssl SSL Certificate =

The openssl package provides the necessary scripts for creating certificates.
* This includes a certificate that can be used as a '''Certificate Authority (CA)''' to sign the other certificates that are created.

== Preparation ==

=== edit /etc/pki/tls/openssl.cnf ===

Change the following lines to values appropriate for the certificate that is going to be created. Editing this file is not required, since the script that creates certificates prompts for the same data, but it can be easier to put the data in the file and then run the script and accept the defaults.

<pre>
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Maryland

localityName = Locality Name (eg, city)
localityName_default = Columbia

0.organizationName = Organization Name (eg, company)
0.organizationName_default = setest

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = 

organizationalUnitName = Organizational Unit Name (eg, section)
# organizationalUnitName_default = 

commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3
</pre>

== Creating the Certificate Authority (CA) ==

=== Options ===

By default, the CA expires in three years. To change the default, edit the CA script in /etc/pki/tls/misc/CA and set '''CADAYS''' to the desired value.

<pre>
DAYS="-days 365"
CADAYS="-days 3650"
</pre>

The following step creates the Certificate Authority. Once the CA exists, any number of child certificates (i.e. certificates signed by the CA and used by servers and possibly clients) can be created. The CA is the critical piece in the chain of trust for every certificate signed by it, and it is difficult to replace if its password is lost or compromised, because all the machines that trust it must be reconfigured. The following should be observed:
* Create a secure password.
* Keep track of the password and who knows it.

<pre>
[root@sefos /etc/pki/tls/misc]# bash ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...................................................++++++
..++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [Columbia]:
Organization Name (eg, company) [setest]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok

Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jun 16 23:17:27 2008 GMT
Not After : Jun 14 23:17:27 2018 GMT
Subject:
countryName = US
stateOrProvinceName = Maryland
organizationName = setest
commonName = setest.com
emailAddress = admin@setest.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB
X509v3 Authority Key Identifier:
keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 14 23:17:27 2018 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
</pre>

== Create a Server Certificate ==

Next, create a certificate for a server. openssl is called directly (with -nodes) so that the certificate does not require a password; the CA script can create a certificate with its '-newreq' option, but that would require a password.
* The fully qualified name of the server is required for the common name.
** This fully qualified name should resolve properly in DNS.

<pre>
[root@sefos /etc/pki/tls/misc]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>

The certificate is created and resides in /etc/pki/tls/newreq.pem.

== Sign the Server Certificate ==

<pre>
[root@sefos /etc/pki/tls/misc]# bash ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 16 23:29:08 2008 GMT
Not After : Jun 16 23:29:08 2009 GMT
Subject:
countryName = US
stateOrProvinceName = Maryland
localityName = Columbia
organizationName = setest
commonName = sefos.setest.com
emailAddress = admin@setest.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
X509v3 Authority Key Identifier:
keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 16 23:29:08 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, O=mikesoffice, CN=sefos.setest.com/emailAddress=admin@setest.com
Validity
Not Before: Jun 16 23:29:08 2008 GMT
Not After : Jun 16 23:29:08 2009 GMT
Subject: C=US, ST=Maryland, L=Columbia, O=setest, CN=sefos.setest.com/emailAddress=admin@setest.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c6:0b:49:11:65:52:fe:df:a8:af:fd:a3:3e:5a:
67:78:39:ad:e8:38:ee:05:36:64:19:ed:47:79:0b:
61:2a:03:04:d9:97:9f:09:bd:df:1e:49:16:d1:6a:
d1:5e:ea:96:a5:c7:ad:d7:ba:c2:de:5d:78:a9:10:
12:24:6d:04:7e:ab:a8:20:1c:a0:56:a7:a3:48:fe:
4d:4d:9c:d4:22:05:29:36:7c:f5:2c:ce:fb:8c:86:
50:77:d3:3f:c7:19:25:81:db:e4:0f:08:f7:47:a0:
e5:a0:4c:8e:be:61:91:82:b6:d4:36:33:11:49:a9:
90:f0:0f:dc:07:8d:7b:e8:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
X509v3 Authority Key Identifier:
keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Signature Algorithm: sha1WithRSAEncryption
69:65:a5:26:8e:9a:e0:1c:4f:7b:b7:57:72:89:9e:16:3d:07:
18:95:af:c0:5d:b5:e4:56:70:b5:4c:05:80:82:3a:59:f4:82:
9c:87:16:4a:01:3c:a1:a2:88:39:4a:55:9b:92:9e:27:d9:ac:
51:16:8f:72:7b:14:92:37:24:3f:70:fd:28:b0:b3:28:73:b8:
7d:ee:86:42:dd:aa:6f:12:c9:2e:20:7c:10:be:5e:f8:c0:5d:
1e:6a:d5:4f:79:b9:2f:b6:ff:ac:45:ed:c3:a3:3c:d5:b2:c5:
b6:21:fa:3b:8b:de:74:f4:09:a4:57:d2:2d:1a:32:06:04:38:
63:17
-----BEGIN CERTIFICATE-----
MIIDATCCAmqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEChMLbWlrZXNvZmZpY2UxHjAcBgNV
BAMTFXNlZm9zLm1pa2Vzb2ZmaWNlLmNvbTEkMCIGCSqGSIb3DQEJARYVYWRtaW5A
bWlrZXNvZmZpY2UuY29tMB4XDTA4MDYxNjIzMjkwOFoXDTA5MDYxNjIzMjkwOFow
gZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhS
aWNobW9uZDEUMBIGA1UEChMLbWlrZXNvZmZpY2UxHjAcBgNVBAMTFXNlZm9zLm1p
a2Vzb2ZmaWNlLmNvbTEkMCIGCSqGSIb3DQEJARYVYWRtaW5AbWlrZXNvZmZpY2Uu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGC0kRZVL+36iv/aM+Wmd4
Oa3oOO4FNmQZ7Ud5C2EqAwTZl58Jvd8eSRbRatFe6palx63XusLeXXipEBIkbQR+
q6ggHKBWp6NI/k1NnNQiBSk2fPUszvuMhlB30z/HGSWB2+QPCPdHoOWgTI6+YZGC
ttQ2MxFJqZDwD9wHjXvomQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUTqhY
F5CNLKbCtB4KDv2+MuiJEtMwHwYDVR0jBBgwFoAUWCdbX/pT9u268Sj1N5rzm0yb
YfswDQYJKoZIhvcNAQEFBQADgYEAaWWlJo6a4BxPe7dXcomeFj0HGJWvwF215FZw
tUwFgII6WfSCnIcWSgE8oaKIOUpVm5KeJ9msURaPcnsUkjckP3D9KLCzKHO4fe6G
Qt2qbxLJLiB8EL5e+MBdHmrVT3m5L7b/rEXtw6M81bLFtiH6O4vedPQJpFfSLRoy
BgQ4Yxc=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
</pre>

== Certificates ==

* The CA certificate now resides in /etc/pki/CA/cacert.pem.
* A server certificate resides in /etc/pki/tls/misc/newcert.pem
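As an added example (not from the wiki page or the openssl CA script), the shell script below checks a CA certificate and a server certificate produced by the steps above: that the CA is marked CA:TRUE (the CA details quoted above show CA:FALSE), that the server certificate verifies against it and is valid for the server's fully qualified name, that it carries a subjectAltName rather than only a Common Name, and that its Authority Key Identifier points at the CA's Subject Key Identifier. The paths and the host name sefos.setest.com come from the page; check_chain and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity checks on certificates produced
# with the /etc/pki/tls/misc/CA workflow above. Usage:
#   sh check_chain.sh /etc/pki/CA/cacert.pem /etc/pki/tls/misc/newcert.pem sefos.setest.com

# Hex key identifier from extension "$2" ("Subject Key Identifier" or "Authority
# Key Identifier") of cert "$1"; an older OpenSSL "keyid:" prefix is stripped.
key_id() {
    openssl x509 -in "$1" -noout -text |
        awk -v ext="$2" 'found { sub(/^ *keyid:/, ""); gsub(/ /, ""); print; exit }
                         index($0, ext) { found = 1 }'
}

# Succeeds only when Basic Constraints of "$1" says CA:TRUE. The CA details
# quoted above show CA:FALSE, which verifiers reject as an invalid CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text |
        awk '/Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) ok = 1; exit } END { exit !ok }'
}

# Succeeds when "$1" carries subjectAltName DNS:"$2". Current TLS clients ignore
# the Common Name, so a CN-only server certificate like the one above is rejected.
has_san_for() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,| |\$)"
}

# Succeeds when server certificate "$2" names CA "$1" through its key identifier.
same_key_id() {
    ca_ski=$(key_id "$1" 'Subject Key Identifier')
    [ -n "$ca_ski" ] && [ "$ca_ski" = "$(key_id "$2" 'Authority Key Identifier')" ]
}

# Run one check quietly, print ok/FAIL with its description and count failures.
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# check_chain CA_CERT SERVER_CERT FQDN: returns the number of failed checks.
check_chain() {
    ca=$1; leaf=$2; fqdn=$3; fails=0
    check "CA certificate is marked CA:TRUE"                is_ca_cert "$ca"
    check "server certificate verifies against the CA"      openssl verify -CAfile "$ca" "$leaf"
    check "server certificate is valid for host $fqdn"      openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$leaf"
    check "server certificate has subjectAltName DNS:$fqdn" has_san_for "$leaf" "$fqdn"
    check "server AKI matches the CA's SKI"                 same_key_id "$ca" "$leaf"
    return "$fails"
}

if [ "$#" -eq 3 ]; then check_chain "$@"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate a deployment step.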