Super-quick Guide to Setting Up Your Own CA
|| Home | Protocols | TLS ||
In order to run a secure (SSL/TLS encrypted) service, you have to have a private key and a certificate for the server. For Intranet or special-purpose uses, you can be your own Certificate Authority (CA). This is accomplished with standard OpenSSL tools.
First, we will make a new directory for working with the certificates and keys:
[root]# mkdir /root/CA [root]# chmod 0700 /root/CA [root]# cd /root/CA
Now, we will make a private CA key and a private CA X.509 certificate:
[root]# openssl genrsa -des3 -out my-ca.key 2048 Generating RSA private key, 2048 bit long modulus .....................................................+++ ...................................................+++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: [root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt Using configuration from /usr/share/ssl/openssl.cnf Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:Kentucky Locality Name (eg, city) [Newbury]:Fayette County Organization Name (eg, company) [My Company Ltd]:VanEmery.Com Organizational Unit Name (eg, section) :Certificate Authority Common Name (eg, your name or your server's hostname) :VanEmery.Com CA Email Address :firstname.lastname@example.org
The first OpenSSL command makes the key. The second command makes the X.509 certificate with a 10-year lifetime.
This command lets you view the completed certificate:
[root]# openssl x509 -in my-ca.crt -text -noout
Now that you are done, please read and heed the following:
Now that you are finished, you need to make backups of the certificates and keys. You can and should back this data up to CDs, floppies, and paper. Make sure that you also record the key's password in a safe place. The certs, keys, and passwords should then be locked up in a safe place.