Steps to create a local CA and sign CSRs:
Info originally taken from spectlog; however, when I went back to rebuild my ldap environment, I found his site down. I obtained the commands from a cached page. I hope it comes back. Useful site, that…
Technical info:
Certificate Authority system: caauth.olearycomputers.com
Certificate requesting system: ldapsvr.olearycomputers.com
Creating a CA
On the system which will be the CA:
yum -y update openssl
# clear out any state left from a previous CA (the key lives under private/)
rm /etc/pki/CA/{cacert.pem,serial,crlnumber,index.txt} /etc/pki/CA/private/cakey.pem
rm /etc/pki/tls/server.example.com.csr
cat /dev/null > /etc/pki/CA/index.txt
echo "01" > /etc/pki/CA/serial
echo "01" > /etc/pki/CA/crlnumber
# -days is needed here: without it openssl req -x509 issues a CA cert valid for only 30 days
openssl req -new -x509 -extensions v3_ca -days 3650 -keyout \
    /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
On the system which needs a cert, generate a certificate signing request:
# -days has no effect on a CSR; the CA's configuration decides the certificate lifetime
openssl req -out /tmp/ldapsvr.csr -days 365 -new -newkey rsa:2048 \
    -nodes -keyout /etc/pki/tls/certs/slapdkey.pem
Copy /tmp/ldapsvr.csr to the CA system.
On the CA system, sign the CSR:
openssl ca -policy policy_anything -out \
    /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt \
    -infiles /tmp/ldapsvr.csr
Copy both the signed crt and the CA certificate (cacert.pem, which clients need in order to trust the signature) back to the requesting system:
# scp /etc/pki/CA/certs/ldapsvr.olearycomputers.com.crt ldapsvr:/tmp
ldapsvr.olearycomputers.com.crt 100% 4763 4.7KB/s 00:00
# scp /etc/pki/CA/cacert.pem ldapsvr:/tmp
cacert.pem 100% 1480 1.5KB/s 00:00
To revoke a certificate, execute:
cd /etc/pki/CA
openssl ca -revoke certs/nap.olearycomputers.com.crt