Linux by Trial and Error

A repository of the things I learn about Linux

Create Self-Signed Certificate Authority in CentOS 6.3

First, a little housekeeping…

The pertinent details of my setup are that I’m running CentOS 6.3 and using the Virtual Machine Manager from the standard CentOS repositories. I created a VM with 15GB of disk and 1GB of memory to build my server. Not the most powerful system in the world, but sufficient to experiment with.

The OS for my VM was installed using the CentOS 6.3 minimal installation .iso so that it didn’t have any bells or whistles installed…just the basic OS. I pretty much did a default installation as I was not concerned with how my hard disk was partitioned as this was going to just be a scratch system.

The following steps were performed verbatim. In other words, since I just created this VM for the sole purpose of documenting these steps, I’m not masking anything. All input is exactly how I’m inputting it at the various prompts. The domain that I used really is example.com and the passwords that I’m putting are the ones that I actually used. By the time you read this, my VM will be destroyed or rebuilt anyway, so it’s not exactly risky to include all the details I used, but I felt it would help to reduce confusion.

After the OS install, I set up the networking and then did a ‘yum update’ to get all my packages up to date. I’m not going to go into detail on all that here as that information is readily available all over the Internet. If you can’t get that far, you’re probably not ready to do this yet, anyway. The openssl package was already installed with the minimal installation.

Now…onto my Certificate Authority setup…

  1. Change directory to the default CA directory:
    # cd /etc/pki/CA
  2. Create an index file for new certs:
    # touch index.txt
  3. Set first certificate number:
    # echo '01' > serial
    # echo '01' > crlnumber
  4. Create your CA cert and private key for your CA server:
    # openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert.crt -days 365
    Enter PEM pass phrase: PassPhrase
    Confirm PEM pass phrase: PassPhrase
    Country Name: US
    State: Kansas
    City: Topeka
    Organization: Example
    Organizational Unit: Example
    Common Name: CA
    E-mail Address: root@example.com
  5. Set permissions on your private key:
    # chmod 400 private/ca-cert.key

Now, you’re ready to sign certificate requests. When you get a new certificate request, the following is what I did to generate a new cert signed by my very own CA:

  1. From your CA server, change directory to /etc/pki/CA
    # cd /etc/pki/CA
  2. Copy your certificate request to the /etc/pki/CA/crl directory
    # cp /root/ds1.csr /etc/pki/CA/crl
  3. Sign your cert using your CA
    # openssl ca -in crl/ds1.csr -out newcerts/ds1.pem -keyfile private/ca-cert.key -cert certs/ca-cert.crt
    Sign cert? y
    Commit? y

If you get an error about your stateOrProvinceName needing to be the same and it shows that they do, in fact, appear to be the same, what fixed that for me was editing the /etc/pki/tls/openssl.cnf file and setting the value ‘string_mask’ to ‘pkix’ and regenerating my CA cert (Step 4 above).
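As an added example that is not part of the original post, the following script reproduces the CA setup (steps 1 to 5), the CSR that the commenters asked about, and the signing step, all inside a scratch directory with its own minimal openssl.cnf so it runs unprivileged and leaves /etc/pki/CA alone. Directory layout, file names and DN values follow the post; the string_mask = pkix setting and the policy_match section are the ones the post's caveat refers to; the passphrase and the server name ds1.example.com are placeholders I chose.

```shell
# Added example, not the post's commands: the post's CA workflow in a scratch
# directory with its own openssl.cnf. Passphrase and ds1 are placeholders.
set -eu
setup_ca() {   # post steps 1-5, answering the prompts via -subj and -passout
    CA_DIR=$1; touch "$CA_DIR/index.txt" 2>/dev/null || true
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl"
    touch "$CA_DIR/index.txt"; echo '01' > "$CA_DIR/serial"  # steps 2-3
    # string_mask = pkix is the post's fix for the spurious "stateOrProvinceName
    # ... needs to be the same" error; policy_match is the check that raises it.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/certs/ca-cert.crt
private_key = \$dir/private/ca-cert.key
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
string_mask = pkix
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    openssl req -new -x509 -batch -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -keyout "$CA_DIR/private/ca-cert.key" -days 365 \
        -out "$CA_DIR/certs/ca-cert.crt" -passout pass:PassPhrase \
        -subj "/C=US/ST=Kansas/L=Topeka/O=Example/OU=Example/CN=CA/emailAddress=root@example.com"
    chmod 400 "$CA_DIR/private/ca-cert.key"   # step 5
}
issue_cert() {  # a CSR (what the commenters asked for), then the post's signing step
    CA_DIR=$1; NAME=$2   # C, ST and O must equal the CA's or 'openssl ca' refuses the CSR
    openssl req -new -batch -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$CA_DIR/private/$NAME.key" -out "$CA_DIR/crl/$NAME.csr" \
        -subj "/C=US/ST=Kansas/O=Example/CN=$NAME.example.com"
    openssl ca -batch -notext -days 365 -config "$CA_DIR/openssl.cnf" -passin pass:PassPhrase \
        -in "$CA_DIR/crl/$NAME.csr" -out "$CA_DIR/newcerts/$NAME.pem"
    openssl verify -CAfile "$CA_DIR/certs/ca-cert.crt" "$CA_DIR/newcerts/$NAME.pem"  # non-zero if no chain
}
```

A CSR that omits C= fails here with "The mandatory countryName field is missing", which is the error reported in the comments; the issued cert is recorded in index.txt with status V and the serial file advances to 02.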

Hopefully, this will give you all the information you need to set up your CA so that you can sign your own certificates. Keep in mind that this does not mean that other systems/companies/whoever will actually trust your CA, or the certificates that you sign from it. But, for private, internal use you get to control which CAs you trust and you can add your own to your list of trusted CAs.

If you have any questions or if anything is incorrect or unclear, please let me know. My purpose here is to document the steps I took to do this, so they seem to have worked correctly when I did them as described, but that does not mean that there isn’t a better, more efficient way to do it. Feedback is always welcome.

March 21, 2013 - Posted by | certs

9 Comments

  1. […] is essentially a continuation of my last post because I needed to set up a CA to sign certs in order to configure my Directory Server to use TLS. […]

    Pingback by LDAP Directory Server on CentOS 6.3 Using TLS « Linux by Trial and Error | June 22, 2013

  2. ds1.csr is missing. There is no such file. So how can I find it?

    Comment by kavinda perera | October 31, 2013

  3. The file name for step 5 should be ca-cert.key, not ca-key.key .

    Comment by Glenn Picher | March 17, 2014

    • @Glenn,

      Thanks for noticing that. I’ve made the correction.

      Comment by danjcarrington | March 17, 2014

  4. Could you add a step that shows how to generate a certificate request in order to see “how” it gets signed?

    Thanks.

    Jay Johnson

    Comment by Jay Johnson | March 19, 2014

    • Disregard… I “think” I just realized that I “was” generating certificates based on another article I was following along with that required me to get a certificate signed in order to use TLS with my voice server:

      https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

      I believe what I need to do now is copy the (in the article’s example) “malcom.csr” file into the “/etc/pki/CA/crl” directory and it will “sign” my certificate, thus creating the additional “.pem” and “ca-cert.key” files, correct?

      Jay

      Comment by Jay Johnson | March 19, 2014

      • Making progress, but now I’m getting “The mandatory countryname field is missing.” I can see from the previous steps of #1 thru #5 in the first section that the countryname is there; why would it now be missing in steps #1 thru #3?

        Jay

        Comment by Jay Johnson | March 19, 2014

  5. @Jay

    It’s been a while since I’ve done this. If I can find some time I will build a VM to go through this again and see if I can find whatever might be missing. I just wrote down what I did the first time around, but I will have to look into why you’re getting the country code error. I would think it should be there from when you went through the first part.

    Thanks for the feedback.

    Comment by danjcarrington | March 20, 2014

  6. @kavinda

    I will have to go through this myself again to see if I can find the answer to your question. This is a fairly old post so I don’t recall a lot of the particulars. I will go through this again when I can to answer your question and Jay’s question.

    Thanks for the comment!

    Comment by danjcarrington | March 20, 2014
