How to set up your CA, setup and verification
Change to the directory /opt/CA and type in:
CA.pl -newca
In the following questions, hit ENTER at the CA certificate filename prompt and then enter a passphrase for the root certificate. Make sure it is complex and secret. DO NOT LOSE THIS PASSWORD!!! EVER!!
Fill in the rest of the questions. The values shown in the [] fields are the defaults which you changed earlier, so you can just hit ENTER to accept them. Once you are done, look into your /opt/CA/ directory; it should look like this:

…and that is pretty much it. You now have a CA. Granted, you probably have no idea what to do with it, but that will change in the next few lines. But first, change the $DAYS variable in the CA.pl file back to 365, or any number of days that your certificates should be valid.
We will now make the certificate you created a “public” root certificate that you can use on your clients and give to your partners so that they can install it as a trusted certificate, by issuing this command:
openssl x509 -in cacert.pem -out 2blocks-root.crt
The resulting file, 2blocks-root.crt, is the one you can publish. If you want to verify that your certificate is indeed a root certificate and working, put it on a website and point your web browser to it. The browser will show you what it is and ask you to add it to the trusted certificates, as you can see with Firefox in these screenshots. However, this is just for verification; we will go into detail on this much later:


There you have it, you now have a CA and your root certificate is ready to be shared. Make sure you back up and store the cakey.pem file VERY securely.
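A command-line way to run the same verification on 2blocks-root.crt before you publish it, as an added example that is not part of the original post. The function name check_root_cert is an assumption; it checks that the file is self-signed, marked as a CA, not expired, and free of private key material.

```shell
#!/bin/sh
# Added example: sanity-check a root certificate before publishing it.
# check_root_cert is a hypothetical helper name, not part of OpenSSL or CA.pl.
# Usage: sh check_root.sh 2blocks-root.crt

check_root_cert() {
    crt=$1
    rc=0

    # The file must parse as an X.509 certificate at all.
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "FAIL: $crt is not a readable certificate" >&2
        return 1
    fi
    # A published file must never carry the CA private key (cakey.pem content).
    if grep -q 'PRIVATE KEY' "$crt"; then
        echo "FAIL: $crt contains a private key block" >&2
        rc=1
    fi
    # A root certificate is self-issued: subject and issuer names match.
    subj=$(openssl x509 -in "$crt" -noout -subject_hash)
    iss=$(openssl x509 -in "$crt" -noout -issuer_hash)
    if [ "$subj" != "$iss" ]; then
        echo "FAIL: subject and issuer differ, not self-issued" >&2
        rc=1
    fi
    # The signature must verify with the certificate's own public key.
    if ! openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1; then
        echo "FAIL: self-signature does not verify" >&2
        rc=1
    fi
    # Clients only accept it as an issuer if basicConstraints says CA:TRUE.
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints CA:TRUE is missing" >&2
        rc=1
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $crt looks like a usable root certificate"
    return "$rc"
}

# Run the check when a file name is given on the command line.
if [ "$#" -gt 0 ]; then check_root_cert "$1"; fi
```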
If you have any suggestions or do not understand something please mail me or comment here and I will answer your questions.
//Flosse
[…] Until now, as you read in the previous part of this series, we have a working CA and a good understanding of certificates. The next step is to explain how the issuing process works. To make a quick and dirty explanation: just like at a passport office. To make a longer explanation: just like at a passport office, you make a request (your application for a passport) and for that you will need some kind of document that describes WHAT you want (your application), this is submitted and a passport is issued based on the application you submitted (if the application is wrong, passport is denied!). With a CA you have to make/generate a certificate request, which in itself is kind of useless, it is like issuing your own passport, and this you submit to the CA, the administrator then signs the request and thus makes it a valid certificate which he then sends back to you and which you then can use. Your request does not have to be made at the CA, it can be made anywhere, as long as wherever you are you can generate a normal certificate request. Once you have that you can send it to your administrator or use an online form to submit and sign (phpki or Windows Certificate services if you have that installed at your company). Maybe this graphic explains the process a little bit better: […]