

How do I configure a CA and sign certificates using OpenSSL in Red Hat and Oracle LINUX

1. Set up /etc/pki/CA as your certificate authority’s working directory. To do this, open /etc/pki/tls/openssl.cnf in a text editor. Find the section labelled “[CA_default]”, and edit the following lines in the section to read:

dir = /etc/pki/CA
certificate = $dir/my-ca.crt
crl = $dir/my-ca.crl
private_key = $dir/private/my-ca.key

2. Edit the [policy_match] section of /etc/pki/tls/openssl.cnf to read:

[policy_match]
countryName= optional
stateOrProvinceName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional

3. Edit the “[req_distinguished_name]” section to fit your needs, for example:

[req_distinguished_name]
countryName_default =US
stateOrProvinceName_default = Pennsylvania
localityName_default = Wallingford
organizationName_default = WMD LLC.

4. Create the following directories if they are missing:

# mkdir /etc/pki/CA/{certs,crl,newcerts}

5. Create an empty certificate index:

# touch /etc/pki/CA/index.txt

6. Create a file to indicate the next certificate serial number to be issued:

# echo 01 > /etc/pki/CA/serial

7. While in /etc/pki/CA, you need to generate a private key and a self-signed CA certificate. You will be prompted for a passphrase, which will be needed later:

# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)

8. For your CA certificate, take the defaults for CountryName, StateOrProvinceName, LocalityName, and Organization, and for CommonName use “$hostname Certificate Authority” (with $hostname being the name of the CA host). Set the other fields as you see fit:

# openssl req -new -x509 -key private/my-ca.key -days 1000 > my-ca.crt

The /etc/pki/CA/private/my-ca.key file is the private key for your CA. This file must be very carefully protected. The my-ca.crt file is the public CA certificate that will eventually be distributed to your users.

9. Let’s assume that we need to sign a server certificate for our LDAP host. On the LDAP host, create a private key for the service and a certificate signing request (CSR) for it, then copy the CSR to the CA host (the key itself stays on the LDAP host; openssl ca signs requests, not keys):

#  openssl genrsa 1024 > ldap_server.key
#  openssl req -new -key ldap_server.key -out ldap_server.csr

10. Back on the CA host, use the openssl command to sign the copied LDAP host certificate request:

# openssl ca -config /etc/pki/tls/openssl.cnf -out ldap_server.crt -infiles ldap_server.csr

11. Install ldap_server.crt on the appropriate LDAP host.
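The whole procedure as one script, added here as an example and not part of the original post: it runs the steps non-interactively in a scratch directory instead of /etc/pki/CA, so it needs no root and leaves the system openssl.cnf untouched. Everything it names is constructed for the example (the passphrase, the ca.example.test and ldap.example.test names, the directory from mktemp), and it goes slightly beyond the post in three places: it writes a minimal self-contained openssl.cnf that mirrors the [CA_default], [policy_match] and [req_distinguished_name] edits above, it adds v3_ca and usr_cert extension sections so the CA certificate carries CA:TRUE and the server certificate carries CA:FALSE, and it uses a 2048-bit service key rather than 1024. As in step 9, only the CSR is handed to the CA; the service key never leaves its host.

```shell
#!/bin/sh
# Added example (not from the original post): the post's steps end to end in a
# scratch directory. Paths, passphrase and host names are constructed.
set -eu

# Steps 1-6: directory layout, index, serial, and a config equivalent to the
# [CA_default], [policy_match] and [req_distinguished_name] edits.
setup_ca_dir() {
  cadir="$1"
  mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
  chmod 700 "$cadir/private"   # the CA key directory is operator-only
  : > "$cadir/index.txt"
  echo 01 > "$cadir/serial"
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $cadir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
crl = \$dir/my-ca.crl
private_key = \$dir/private/my-ca.key
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName_default = US
stateOrProvinceName_default = Pennsylvania
localityName_default = Wallingford
organizationName_default = WMD LLC.

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Steps 7-8: passphrase-protected CA key and self-signed CA certificate.
create_ca() {
  cadir="$1"; pass="$2"; cn="$3"
  (umask 077; openssl genrsa -aes256 -passout "pass:$pass" \
      -out "$cadir/private/my-ca.key" 2048 2>/dev/null)
  openssl req -config "$cadir/openssl.cnf" -new -x509 -days 1000 \
      -key "$cadir/private/my-ca.key" -passin "pass:$pass" \
      -subj "/C=US/ST=Pennsylvania/L=Wallingford/O=WMD LLC./CN=$cn Certificate Authority" \
      -out "$cadir/my-ca.crt"
}

# Step 9 (service host): the key stays on the host; only the signing
# request (CSR) goes to the CA.
create_service_request() {
  cadir="$1"; name="$2"
  (umask 077; openssl genrsa -out "$cadir/$name.key" 2048 2>/dev/null)
  openssl req -config "$cadir/openssl.cnf" -new -key "$cadir/$name.key" \
      -subj "/C=US/ST=Pennsylvania/L=Wallingford/O=WMD LLC./CN=$name" \
      -out "$cadir/$name.csr"
}

# Step 10 (CA host): sign the request, then check the chain and the index.
sign_and_verify() {
  cadir="$1"; pass="$2"; name="$3"
  openssl ca -batch -config "$cadir/openssl.cnf" -passin "pass:$pass" \
      -in "$cadir/$name.csr" -out "$cadir/$name.crt"
  openssl verify -CAfile "$cadir/my-ca.crt" "$cadir/$name.crt"
  grep -q '^V' "$cadir/index.txt"   # issued certificate recorded as valid
}

run_ca_demo() {
  cadir="$1"
  setup_ca_dir "$cadir"
  create_ca "$cadir" "example-passphrase" "ca.example.test"
  create_service_request "$cadir" "ldap.example.test"
  sign_and_verify "$cadir" "example-passphrase" "ldap.example.test"
}

run_ca_demo "$(mktemp -d)"
```

Two checks worth carrying over to the real /etc/pki/CA setup: step 4 creates certs, crl and newcerts but step 7 writes into private/, so confirm that directory exists and is mode 700 before generating the CA key; and after each signing, look at index.txt and serial, which should show a new V line and an incremented serial, since a CA whose index is out of step with the certificates it issued cannot produce a correct CRL later.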

Posted in LINUX.





Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved. Created by Blog Copyright.