Linux by Trial and Error

A repository of the things I learn about Linux

Create Self-Signed Certificate Authority in CentOS 6.3

First, a little housekeeping…

The pertinent details of my setup are that I’m running CentOS 6.3 and using the Virtual Machine Manager from the standard CentOS repositories. I created a VM with 15GB of disk and 1GB of memory to build my server. Not the most powerful system in the world, but sufficient to experiment with.

The OS for my VM was installed using the CentOS 6.3 minimal installation .iso so that it didn’t have any bells or whistles installed…just the basic OS. I pretty much did a default installation as I was not concerned with how my hard disk was partitioned as this was going to just be a scratch system.

The following steps were performed verbatim. In other words, since I just created this VM for the sole purpose of documenting these steps, I’m not masking anything. All input is exactly how I’m inputting it at the various prompts. The domain that I used really is and the passwords that I’m putting are the ones that I actually used. By the time you read this, my VM will be destroyed or rebuilt anyway, so it’s not exactly risky to include all the details I used, but I felt it would help to reduce confusion.

After the OS install, I set up the networking and then did a ‘yum update’ to get all my packages up to date. I’m not going to go into detail on all that here as that information is readily available all over the Internet. If you can’t get that far, you’re probably not ready to do this yet, anyway. The openssl package was already installed with the minimal installation.

Now…onto my Certficate Authority setup…

  1. Change directory to the default CA directory:
    # cd /etc/pki/CA
  2. Create an index file for new certs:
    # touch index.txt
  3. Set first certificate number:
    # echo ’01’ > serial
    # echo ’01’ > crlnumber
  4. Create your CA cert and private key for your CA server:
    # openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert.crt -days 365
    Enter PEM pass phrase: PassPhrase
    Confirm PEM pass phrase: PassPhrase
    Country Name: US
    State: Kansas
    City: Topeka
    Organization: Example
    Organizational Unit: Example
    Common Name: CA
    E-mail Address:
  5. Set permissions on your private key:
    # chmod 400 private/ca-cert.key

Now, you’re ready to sign certificate requests. When you get a new certificate request, the following is what I did to generate a new cert signed by my very own CA:

  1. From your CA server, change directory to /etc/pki/CA
    # cd /etc/pki/CA
  2. Copy your certificate request to the /etc/pki/CA/crl directory
    # cp /root/ds1.csr /etc/pki/CA/crl
  3. Sign your cert using your CA
    # openssl ca -in crl/ds1.csr -out newcerts/ds1.pem -keyfile private/ca-cert.key -cert certs/ca-cert.crt
    Sign cert? y
    Commit? y

If you get an error about your stateOrProvinceName needing to be the same and it shows that they do, in fact, appear to be the same, what fixed that for me was editing the /etc/pki/tls/openssl.cnf file and setting the value ‘string_mask’ to ‘pkix’ and regenerating my CA cert (Step 4 above).

Hopefully, this will give you all the information you need to set up your CA so that you can sign your own certificates. Keep in mind that this does not mean that other systems/companies/whoever will actually trust your CA, or the certificates that you sign from it. But, for private, internal use you get to control which CA’s you trust and you can add your own to your list of Trusted CA’s.

If you have any questions or if anything is incorrect or unclear, please let me know. My purpose here is to document the steps I took to do this, so they seem to have worked correctly when I did them as described, but that does not mean that there isn’t a better, more efficient way to do it. Feedback is always welcome

March 21, 2013 Posted by | certs | , , , | 9 Comments