A/I Orange Book (1.0): A how-to for the realization of a resilient network of self-managed servers
Chapter 7. Certification Authority
Now we can create our certificate request (for example the web certificate):

$ openssl req -new -keyout $CADIR/certs/web_key.pem \
    -out $CADIR/certs/web_req.pem -days 1097 -nodes

During the creation process we will be asked for the OU and the CN, which are to be filled in with the type of service and the DN the service refers to.
The subjectAltName (one of the X.509v3 extensions) is specified in the /opt/ca/ext file and is added to the certificate when the request is signed with the CA root certificate.
The -nodes option tells openssl not to encrypt the private key, so that no passphrase has to be typed while managing and using the key. If a request was created without this option, the passphrase can be removed from the key with the following command:

$ openssl rsa -in $CADIR/certs/web_key.pem \
    -out $CADIR/certs/web_key.pem
Let's have a look at the request we have just created:

$ openssl req -text -noout -in $CADIR/certs/web_req.pem

We can now sign it:

$ openssl ca -days 1097 -policy policy_anything \
    -out $CADIR/certs/web_cert.pem \
    -extfile $CADIR/ext/webserver.ext \
    -infiles $CADIR/certs/web_req.pem
Now we can delete the web_req.pem file and move the web_cert.pem certificate and its key to all servers.
Let's see how the signed certificate differs from the request:

$ openssl x509 -text -noout -in $CADIR/certs/web_cert.pem

We can see that some extensions have been added (as defined in the /opt/ca/ext/webserver.ext file). This is the content of the file:
basicConstraints = CA:false
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, \
    keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsComment = "web services"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = @subject_alt_name
issuerAltName = issuer:copy
nsCaRevocationUrl = http://domain.org/crl/cacrl.crl
nsRevocationUrl = http://domain.org/crl/cacrl.crl
crlDistributionPoints = @cdp_section

[ subject_alt_name ]
DNS.1=domain.org
DNS.2=www.domain.org
DNS.3=altro.domain.org
email=copy

[ cdp_section ]
URI.1=http://domain.org/crl/cacrl.crl
In order to create certificates for all other services, you just need to change the request, key and certificate names appropriately.
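As an added example (not part of the Orange Book), a small Python pre-flight check to run on an extension file before handing it to openssl ca -extfile: it parses the OpenSSL config syntax used above, including the backslash-continued keyUsage line and the @section indirection, and verifies that the file is fit for an end-entity web server certificate covering the intended hostnames. The embedded file content is a constructed excerpt of the webserver.ext shown above; the check names and messages are this example's own.

```python
# Constructed sample: the relevant part of the chapter's /opt/ca/ext/webserver.ext.
WEBSERVER_EXT = """\
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, \\
    keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @subject_alt_name
crlDistributionPoints = @cdp_section
[ subject_alt_name ]
DNS.1=domain.org
DNS.2=www.domain.org
[ cdp_section ]
URI.1=http://domain.org/crl/cacrl.crl
"""

def parse_ext(text):
    """Parse OpenSSL CONF text ('[section]', 'key = value', '#' comment lines, '\\' continuation); the leading unnamed section is ''."""
    sections, current = {"": {}}, ""
    for line in text.replace("\\\n", "").splitlines():  # fold continued lines first
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = " ".join(value.split())
    return sections

def san_entries(sections):
    """subjectAltName as (type, value) pairs, following '@section' and reducing DNS.1 to DNS."""
    value = sections[""].get("subjectAltName", "")
    items = (sections.get(value[1:], {}).items() if value.startswith("@")
             else (v.split(":", 1) for v in value.split(",") if ":" in v))
    return [(k.split(".")[0].strip(), v.strip()) for k, v in items]

def check_webserver_ext(text, hostnames):
    """Lint an ext file for a TLS server certificate covering `hostnames`; returns findings (empty = pass)."""
    sections = parse_ext(text)
    main, findings = sections[""], []
    if main.get("basicConstraints", "").replace(" ", "").lower() != "ca:false":
        findings.append("basicConstraints is not CA:false")
    if "serverAuth" not in [v.strip() for v in main.get("extendedKeyUsage", "").split(",")]:
        findings.append("extendedKeyUsage lacks serverAuth")
    if not main.get("crlDistributionPoints"):
        findings.append("no crlDistributionPoints, clients cannot locate the CRL")
    dns = {v for t, v in san_entries(sections) if t == "DNS"}
    findings += [f"subjectAltName has no DNS entry for {h}" for h in hostnames if h not in dns]
    return findings
```

Run it against the real ext file before each signing; a non-empty result means the signed certificate would not be usable for the listed hosts or would be missing one of the checked extensions.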