Steps to create a local CA and sign CSRs:

Info originally taken from spectlog; however, when I went back to rebuild my ldap environment, I found his site down. I obtained the commands from a cached page. I hope it comes back. Useful site, that…

Technical info:

Certificate Authority system: caauth.olearycomputers.com
Certificate requesting system: ldapsvr.olearycomputers.com

  • Creating a CA: On the system which will be the CA:

    yum -y update openssl
    
    # start from a clean CA database (-f so a missing file does not abort the step;
    # the CA key lives under private/, so that is where it is removed from)
    rm -f /etc/pki/CA/{cacert.pem,serial,crlnumber,index.txt} /etc/pki/CA/private/cakey.pem
    rm -f /etc/pki/tls/server.example.com.csr
    
    cat /dev/null > /etc/pki/CA/index.txt
    echo "01" > /etc/pki/CA/serial
    echo "01" > /etc/pki/CA/crlnumber
    
    # self-signed CA cert; without -days, "openssl req -x509" defaults to 30 days
    openssl req -new -x509 -extensions v3_ca -keyout \
    /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
    
  • On the system which needs a cert, generate a certificate signing request:

    # -days only applies with -x509, so it is ignored for a CSR; -nodes leaves
    # the key unencrypted so slapd can start unattended
    openssl req -out /tmp/ldapsvr.csr -days 365 -new -newkey rsa:2048 \
    -nodes -keyout /etc/pki/tls/certs/slapdkey.pem
    
  • Copy /tmp/ldapsvr.csr to the CA system

  • On the CA system, sign the CSR:

    # policy_anything: subject fields need not match the CA's own subject;
    # -infiles must be the last option on the line
    openssl ca -policy policy_anything -out \
    /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt \
    -infiles /tmp/ldapsvr.csr
    
  • Copy both the signed crt and the CA certificate (cacert.pem) back to the requesting system:

    # scp /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt ldapsvr:/tmp
    ldapsvr.olearycomputers.com.crt      100% 4763     4.7KB/s   00:00
    # scp /etc/pki/CA/cacert.pem ldapsvr:/tmp
    cacert.pem                           100% 1480     1.5KB/s   00:00
    
  • To revoke a certificate (this marks it revoked in the CA's index.txt), execute:

    cd /etc/pki/CA
    openssl ca -revoke certs/nap.olearycomputers.com.crt
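The whole flow above as an added example, not code from the original post: build_and_sign() rebuilds a throwaway CA in a temp directory using a constructed ca.cnf (the CA name and ldap.example.test are placeholders, not the post's hosts), signs a CSR non-interactively, and verify_issued() runs the two checks worth doing before installing the cert on the requesting host: that it chains to cacert.pem and that it matches the private key that host kept.

```shell
set -eu
# Same flow as the post (index.txt, serial, req -x509, ca) but in a temp dir;
# ca.cnf is constructed here and the hostnames are placeholders, not the post's.
build_and_sign() {
    dir=$(mktemp -d)
    mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # 1. CA key and self-signed CA cert (key left unencrypted only because this is a demo)
    openssl req -new -x509 -extensions v3_ca -config "$dir/ca.cnf" -nodes \
        -newkey rsa:2048 -subj "/CN=Demo Local CA" -days 3650 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. the requesting host's key and CSR
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=ldap.example.test" -keyout "$dir/slapdkey.pem" \
        -out "$dir/ldap.csr" 2>/dev/null
    # 3. sign it; -batch stands in for the interactive y/y answers
    openssl ca -batch -config "$dir/ca.cnf" -policy policy_anything \
        -in "$dir/ldap.csr" -out "$dir/ldap.crt" 2>/dev/null
    echo "$dir"
}
# Checks before the cert is installed: it must chain to cacert.pem and its
# public key must match the private key the requesting host kept (0 only if both).
verify_issued() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ldap.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$dir/ldap.crt" -noout -pubkey)" = "$(openssl pkey -in "$dir/slapdkey.pem" -pubout)" ]
}
```

Run it as `d=$(build_and_sign) && verify_issued "$d" && echo "cert OK"`; a cert signed by a different CA, or one that does not belong to slapdkey.pem, makes verify_issued fail.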