How to set up your CA, setup and verification
Welcome to the first hands-on part of your own OpenSSL Certificate environment (PKI)!
We will start by creating our own CA. This means a root certificate and a private key that will be used to sign all your certificates.
For this we will need a standard installation of Debian 3.1, or any *nix machine, but then you will need to change the commands and file locations. To make it easier I put in () under each file location a way to find the same files on your system. The installation should be done with the Linux 2.6 kernel, so if you install from a network install CD (highly recommended) enter linux26 at the prompt as shown in this screenshot.

Then do a normal installation and at the end select WEBSERVER and no other services. This will install all necessary packages for the purpose of this how-to. Also make sure you give the server a static IP, since this server will be on at any given time and should not change its IP configuration.
The installation time will vary, but on an 8 Mbit ADSL link it took about 15 minutes from start to finish in a virtual machine.
Make sure you write down the root password and create an administrator user account that admins should use. NEVER LOG IN WITH ROOT!!! ALWAYS USE "su -".
Once the installation is done you should have a screen like this:

Now you are ready to begin this journey. You do not need to do this from the console; you can do it remotely with SSH, using the command line in Linux/Unix or Mac OS X, or PuTTY in Windows.
Once you are logged in, switch to root by typing in su - and ENTER, then enter the password for root. You now should have a screen like this:

Now, first of all, we need to make the CA directories where all the CA things will happen. Since I decided to put this all in /opt/CA, I need to create the directory /opt/CA and then change to that directory:
bully2# mkdir /opt/CA
bully2# cd /opt/CA
Next we need the CA.pl utility from your system. You need to copy this into a path where it is easy to run and access, instead of typing the long path every time. We will copy it to /usr/sbin:
bully2# cp /usr/lib/ssl/misc/CA.pl /usr/sbin/
and we then edit a few things in that CA.pl file. Look for $DAYS and $CATOP and change $DAYS to 3650, which is 10 years validity. This step we will undo once we have a CA made, since the CA should be valid for 10 years but not the actual certificates you will issue. Change $CATOP to the directory structure that you will use. In my case I will just put ".", which means the current working directory. Since I am in /opt/CA and will always work from there it is good enough. Otherwise you can put "/opt/CA/" there; then it will always work there, regardless of where you are in the system. Save the file and then edit /etc/ssl/openssl.cnf and change the fields ending in _default in the [req_distinguished_name] section to reflect your company. In my case it looks like this:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Finland
localityName = Locality Name (eg, city)
localityName_default = Helsinki
0.organizationName = Organization Name (eg, company)
0.organizationName_default = 2BLOCKS
# we can do this but it is not needed normally
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = 2 Blocks away
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CA
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = flosse@2blocksaway.com
emailAddress_max = 40
# SET-ex3 = SET extension number 3
Next, change all the nsComment entries as well:
nsComment = "Certificate issued by 2Blocksaway.com"
And lastly change all the BaseURL and RevocationURL entries to reflect your company (the URLs should point to a website that you will establish later on, but you should have that info already).
Save the file and let's get started then.
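As an added example (not from the original post), the following script does by hand what the CA.pl and openssl.cnf edits above prepare for: it builds the directory layout CA.pl expects under a CATOP, writes an openssl.cnf whose _default fields are filled in (company values are placeholders), issues a 10-year self-signed root certificate and then verifies it. It assumes the openssl binary is installed.

```shell
#!/bin/sh
# Added example, not the post's own code. Creates a CA under the directory
# given as $1 (the CATOP of the post) and verifies the resulting root cert.
set -eu

setup_ca() {
    catop="$1"
    mkdir -p "$catop/private" "$catop/newcerts" "$catop/certs" "$catop/crl"
    chmod 700 "$catop/private"      # the CA key must never be world-readable
    : > "$catop/index.txt"          # the 'openssl ca' / CA.pl database
    echo 01 > "$catop/serial"
    # Minimal req config using the same _default fields as the post; -batch
    # below makes openssl take these defaults without prompting.
    cat > "$catop/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Finland
localityName = Locality Name (eg, city)
localityName_default = Helsinki
0.organizationName = Organization Name (eg, company)
0.organizationName_default = EXAMPLE-COMPANY
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = CA
commonName = Common Name (eg, YOUR name)
commonName_default = EXAMPLE-COMPANY Root CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 3650 days = the 10-year CA validity of the post. -nodes is only for this
    # unattended demo; a real CA key should be passphrase protected as CA.pl does.
    openssl req -new -x509 -batch -days 3650 -newkey rsa:2048 -nodes \
        -config "$catop/openssl.cnf" \
        -keyout "$catop/private/cakey.pem" -out "$catop/cacert.pem" >/dev/null 2>&1
    chmod 600 "$catop/private/cakey.pem"
}

# Returns 0 only if the root is self-signed (issuer == subject), carries
# CA:TRUE and validates against itself.
verify_ca() {
    cert="$1/cacert.pem"
    subj=$(openssl x509 -in "$cert" -noout -subject); subj="${subj#subject=}"
    iss=$(openssl x509 -in "$cert" -noout -issuer);   iss="${iss#issuer=}"
    [ "$subj" = "$iss" ] || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}
```

Run it as `setup_ca /opt/CA && verify_ca /opt/CA` (as root); the verify step is the check you want to repeat after every change to the CA files.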