==========================================
Steps to create a local CA and sign CSRs:
==========================================

Info originally taken from spectlog_; however, when I went back to rebuild my ldap environment, I found his site down. I obtained the commands from a cached page. I hope it comes back. Useful site, that...

.. _spectlog: http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates

Technical info:

Certificate Authority system: caauth.olearycomputers.com

Certificate requesting system: ldapsvr.olearycomputers.com

* Creating a CA: On the system which will be the CA:

  ::

    yum -y update openssl
    rm /etc/pki/CA/{cacert.pem,serial,crlnumber,cakey.pem,index.txt}
    rm /etc/pki/tls/server.example.com.csr
    cat /dev/null > /etc/pki/CA/index.txt
    echo "01" > /etc/pki/CA/serial
    echo "01" > /etc/pki/CA/crlnumber
    openssl req -new -x509 -extensions v3_ca -keyout \
        /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem

* On the system which needs a cert, generate a certificate signing request:

  ::

    openssl req -out /tmp/ldapsvr.csr -days 365 -new -newkey rsa:2048 \
        -nodes -keyout /etc/pki/tls/certs/slapdkey.pem

* Copy /tmp/ldapsvr.csr to the CA system.

* On the CA system, sign the CSR:

  ::

    openssl ca -policy policy_anything -out \
        /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt \
        -infiles /tmp/ldapsvr.csr

* Copy both the crt and the CA public certificate back to the requesting system:

  ::

    # scp /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt ldapsvr:/tmp
    ldapsvr.olearycomputers.com.crt      100% 4763     4.7KB/s   00:00
    # scp /etc/pki/CA/cacert.pem ldapsvr:/tmp
    cacert.pem                           100% 1480     1.5KB/s   00:00

* To revoke a certificate, execute:

  * ``cd /etc/pki/CA``
  * ``openssl ca -revoke certs/nap.olearycomputers.com.crt``
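The revoke step only changes the certificate's entry in ``/etc/pki/CA/index.txt``; publishing the revocation still requires ``openssl ca -gencrl`` and distributing the resulting CRL. The following script is an added example (not part of the original notes) that audits that database: it lists revoked subjects, checks whether a given serial is still valid, and finds entries still marked valid whose expiry has passed. The sample ``index.txt`` contents and the ``240601120000Z`` "now" timestamp are constructed; two-digit-year UTCTime dates are assumed.

```sh
#!/bin/sh
# Audit the openssl ca database (/etc/pki/CA/index.txt in the notes above).
# Each line is tab-separated:
#   status  expiry  revocation_date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); dates are YYMMDDHHMMSSZ
# (UTCTime, assumed here; entries expiring in 2050 or later use a 4-digit year).
# "openssl ca -revoke" only turns V into R in this file; publishing the
# revocation still needs "openssl ca -gencrl" and distribution of the CRL.

# Constructed sample database; not taken from a real CA.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
{
    printf 'V\t261231235959Z\t\t01\tunknown\t/CN=ldapsvr.olearycomputers.com\n'
    printf 'R\t261231235959Z\t240601120000Z\t02\tunknown\t/CN=nap.olearycomputers.com\n'
    printf 'V\t230101000000Z\t\t03\tunknown\t/CN=old.olearycomputers.com\n'
} > "$SAMPLE"
NOW=240601120000Z   # constructed "now"; in production use $(date -u +%y%m%d%H%M%SZ)

# Print the subject of every revoked certificate.
revoked_subjects() {  # $1 = index.txt
    awk -F '\t' '$1 == "R" { print $6 }' "$1"
}

# Return 0 only if the certificate with serial $2 is marked V and has not
# expired at time $3; revoked, expired or unknown serials return 1.
cert_is_valid() {  # $1 = index.txt, $2 = serial, $3 = now
    awk -F '\t' -v serial="$2" -v now="$3" '
        $4 == serial { found = 1; if ($1 == "V" && $2 > now) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# List entries still marked V whose expiry has passed. openssl ca only
# rewrites them to E when "openssl ca -updatedb" is run, so a plain grep
# for V overcounts live certificates.
stale_entries() {  # $1 = index.txt, $2 = now
    awk -F '\t' -v now="$2" '$1 == "V" && $2 <= now { print $4 "\t" $6 }' "$1"
}

echo "Revoked subjects:";            revoked_subjects "$SAMPLE"
echo "Serial 01 valid? $(cert_is_valid "$SAMPLE" 01 "$NOW" && echo yes || echo no)"
echo "Expired but still marked V:";  stale_entries "$SAMPLE" "$NOW"
```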