Steps to create a local CA and sign CSRs:ΒΆ

Info originally taken from spectlog; however, when I went back to rebuild my ldap environment, I found his site down. I obtained the commands from a cached page. I hope it comes back. Useful site, that...

Technical info:

Certificate Authority system: caauth.olearycomputers.com Certificate requesting system: ldapsvr.olearycomputers.com

  • Creating a CA: On the system which will be the CA:

    yum -y update openssl
    
    rm /etc/pki/CA/{cacert.pem,serial,crlnumber,cakey.pem,index.txt}
    rm /etc/pki/tls/{server.example.com.csr}
    
    cat /dev/null > /etc/pki/CA/index.txt
    echo "01" > /etc/pki/CA/serial
    echo "01" > /etc/pki/CA/crlnumber
    
    openssl req -new -x509 -extensions v3_ca -keyout \
    /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
    
  • On the system which needs a cert, generate a certificate signing request:

    openssl req -out /tmp/ldapsvr.csr -days 365 -new -newkey rsa:2048 \
    -nodes -keyout /etc/pki/tls/certs/slapdkey.pem
    
  • Copy /tmp/ldapsvr.csr to CA system

  • On the CA system, sign the csr:

    openssl ca -policy policy_anything -out \
    /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt \
    -infiles /tmp/ldapsvr.csr
    
  • Copy both the crt and the CA public key back to the requesting system:

    # scp /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt ldapsvr:/tmp
    ldapsvr.olearycomputers.com.crt      100% 4763     4.7KB/s   00:00
    # scp /etc/pki/CA/cacert.pem ldapsvr:/tmp
    cacert.pem                           100% 1480     1.5KB/s   00:00
    
  • To revoke a certificate, execute:

    • cd /etc/pki/CA
    • openssl ca -revoke certs/nap.olearycomputers.com.crt