To set up a private CA on a Debian-based Linux server, install the following packages (ssl-cert also creates the ssl-cert group that is used for key file permissions later on):
# aptitude install -y openssl ssl-cert
Once this is installed, edit the default configuration file:
# vim /etc/ssl/openssl.cnf
and change the following settings so it matches your environment:
countryName_default = DK
stateOrProvinceName_default = DK
localityName_default = Copenhagen
0.organizationName_default = SEFNET
organizationalUnitName_default = IT Dept.
Save and exit.
To create a root CA, first create the CA key. The key file is encrypted with a passphrase (-des3 here; -aes256 is the stronger choice on current OpenSSL releases):
# openssl genrsa -des3 -out ca.key 4096
Note down the passphrase, since you will need it every time you sign a new certificate. This is your root CA password! Keep ca.key and the passphrase offline: anyone holding them can issue certificates that every one of your clients will trust.
Now generate the root CA certificate from that key. Fill in the requested fields; the Common Name of a CA is a label such as "SEFNET Root CA", not a hostname, since a root certificate is never matched against a server name. The -nodes flag only affects keys that req generates itself, so it does nothing here and you will be asked for the CA passphrase:
# openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem
On Debian the [ req ] section of openssl.cnf points x509_extensions at v3_ca, and that is what marks this certificate as a CA. Check the result with openssl x509 -in ca.pem -noout -text: X509v3 Basic Constraints must read CA:TRUE, otherwise clients will refuse to build a chain through it.
Now you have both the certificate and the key. Distribute ca.pem (never ca.key) to your clients so they trust certificates issued by this CA.
To create a certificate for a server (the CA's client), first generate a certificate signing request (CSR). Start with the server's private key; it is left unencrypted so the service can start without a passphrase prompt, and file permissions protect it instead:
# openssl genrsa -out rocket01.sefnet.net.key 4096
Then create the CSR; when prompted, use the server's FQDN as the Common Name:
# openssl req -new -key rocket01.sefnet.net.key -out rocket01.sefnet.net.csr
Now create the extensions file that will be applied when the certificate is signed (extensions in the CSR itself are ignored by openssl x509 -req, so this file is where they come from):
# vim rocket01.sefnet.net.ext
And add the following lines:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = rocket01.sefnet.net
Save and exit. The subjectAltName, not the Common Name, is what browsers and modern TLS libraries match against the hostname, so list every name the server answers to as DNS.2, DNS.3 and so on. It is also usual to add basicConstraints = CA:FALSE and extendedKeyUsage = serverAuth so the certificate cannot be mistaken for a CA and is explicitly scoped to TLS servers.
Now, create an SSL certificate using the CSR, key, and the configuration file:
# openssl x509 -req -in rocket01.sefnet.net.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out rocket01.sefnet.net.crt -days 365 -sha256 -extfile rocket01.sefnet.net.ext
Note that since September 1st, 2020 publicly trusted TLS server certificates are limited to about 13 months (the CA/Browser Forum baseline requirements allow at most 398 days, with 397 as the recommended maximum). Browsers enforce this only for their built-in roots, so a private CA can technically issue longer-lived certificates, but keeping to the same limit is good practice: a short lifetime bounds the damage from a leaked server key, since revocation for a private CA rarely reaches the clients.
Now install the server certificate. Copy the root CA certificate, the server certificate and the corresponding key file to the server:
# cp ca.pem rocket01.sefnet.net.crt /etc/ssl/certs
# cp rocket01.sefnet.net.key /etc/ssl/private
# chown root:ssl-cert /etc/ssl/private/rocket01.sefnet.net.key
# chmod 640 /etc/ssl/private/rocket01.sefnet.net.key
With these permissions root and members of the ssl-cert group (the account your TLS service runs as, if it needs to read the key directly) can read the key and nobody else can. Note that copying ca.pem into /etc/ssl/certs is enough for a service that is pointed at the file explicitly, but on Debian-based systems it does not add the CA to the system trust store. For that, put it under /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates, on the server and on every client that should trust the CA.
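The whole procedure above as a single non-interactive script, added here as an illustration and not part of the original page. It uses the page's names (SEFNET, rocket01.sefnet.net), but everything else is an assumption for the demo: a scratch directory from mktemp, a throwaway CA passphrase passed via -passout/-passin, per-entity config files instead of editing /etc/ssl/openssl.cnf, and an explicit extension set for both the CA and the server certificate. It finishes with the check a TLS client performs, openssl verify against ca.pem with -purpose sslserver, and leaves the files in the scratch directory for inspection.

```sh
#!/bin/sh
# Added example (not from the original page): build a private root CA, issue
# one server certificate with a SAN, and verify the chain with openssl itself.
# Assumptions for the demo: scratch directory from mktemp, fixed passphrase in
# CA_PASS, and the extension sets written into ca.cnf and the .ext file below.
set -eu

WORK="${CA_DEMO_DIR:-$(mktemp -d)}"
CA_PASS="${CA_DEMO_PASS:-changeme}"   # demo only; in real use type it at the prompt
HOST="rocket01.sefnet.net"

build_ca() {
    # Root key, wrapped with AES-256 rather than the weaker 3DES from the page.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096

    # A per-CA config instead of editing /etc/ssl/openssl.cnf. prompt = no
    # takes the DN from [dn]; x509_extensions marks the cert as a CA
    # explicitly, so it does not depend on the distro's v3_ca section.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext

[dn]
C = DK
L = Copenhagen
O = SEFNET
OU = IT Dept.
CN = SEFNET Root CA

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -config "$WORK/ca.cnf" -sha256 -days 3650 -out "$WORK/ca.pem"
}

issue_server_cert() {
    # Server key stays unencrypted so the service can start without a prompt;
    # on the server, file permissions (root:ssl-cert, 0640) protect it instead.
    openssl genrsa -out "$WORK/$HOST.key" 4096

    cat > "$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn

[dn]
C = DK
L = Copenhagen
O = SEFNET
OU = IT Dept.
CN = $HOST
EOF
    openssl req -new -key "$WORK/$HOST.key" -config "$WORK/server.cnf" \
        -out "$WORK/$HOST.csr"

    # Leaf extensions. CA:FALSE and serverAuth are what a TLS client checks;
    # the SAN, not the CN, is what hostname validation matches against.
    cat > "$WORK/$HOST.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOST
EOF
    openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 397 -sha256 \
        -extfile "$WORK/$HOST.ext" -out "$WORK/$HOST.crt"
}

verify_chain() {
    # Same check a TLS client does: chains to ca.pem and is usable as a server cert.
    openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/$HOST.crt"
}

main() {
    build_ca
    issue_server_cert
    verify_chain
    echo "artifacts left in $WORK"
}

main
```

Run it as a normal user; nothing touches /etc. When producing a real root key, drop -passout/-passin so the passphrase is typed at the prompt rather than sitting in a script or shell history.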