Securing-Optimizing-RH-Linux-1_2_291
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
............................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Please back up this ca.key file in a secure location and remember the pass phrase you had to
enter.
1.4 Create a self-signed (CA) certificate (x509 structure) with the RSA key of the CA.
[root@deep ssl]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
Common Name (eg, YOUR name) [www.openarch.com]:
Email Address [admin@openarch.com]:
[root@deep ssl]# mv server.key private/
[root@deep ssl]# mv ca.key private/
[root@deep ssl]# mv ca.crt certs/
NOTE: The req command creates a self-signed certificate when the -x509 switch is used.
1.5 Signing a certificate request. (We create and use our own Certificate Authority (CA))
Prepare a script for signing. This is needed because the "openssl ca" command has some
strange requirements and the default OpenSSL config does not make it easy to use "openssl
ca" directly. For this reason a script named sign.sh is distributed on the floppy disk under the
openssl directory. Use this script for signing.
Now you can use this CA to sign server CSRs in order to create real SSL certificates for use
inside an Apache web server (assuming you already have a server.csr at hand):
[root@deep ssl]# /usr/bin/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Quebec'
localityName          :PRINTABLE:'Montreal'
organizationName      :PRINTABLE:'Open Network Architecture'
organizationalUnitName:PRINTABLE:'Internet Department'
commonName            :PRINTABLE:'www.openarch.com'
emailAddress          :IA5STRING:'admin@openarch.com'
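The two steps above (the self-signed CA of 1.4 and the signing of a server.csr in 1.5) as a non-interactive shell script, added here as an example; it is not the book's sign.sh. It assumes openssl on the PATH, a scratch directory WORK and a placeholder pass phrase, and it signs with "openssl x509 -req" instead of "openssl ca", so no index/serial database is needed.

```shell
#!/bin/sh
# Added example (not the book's sign.sh): the CA workflow from sections 1.4
# and 1.5 as non-interactive functions, plus the checks a signer should run.
# Assumptions: openssl on PATH, a scratch directory, a placeholder pass phrase.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="pass:CHANGE_ME"          # placeholder; real deployments prompt for it
DAYS=365
DN_BASE="/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture"

# Section 1.4: CA key and self-signed (x509) CA certificate, same DN as the book.
make_ca() {
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    chmod 600 "$WORK/ca.key"   # the key is the root of trust: owner-only access
    openssl req -new -x509 -days "$DAYS" -key "$WORK/ca.key" -passin "$PASS" \
        -subj "$DN_BASE/OU=CA Marketing/CN=www.openarch.com/emailAddress=admin@openarch.com" \
        -out "$WORK/ca.crt"
}

# The server.csr that section 1.5 assumes you already have at hand.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" \
        -subj "$DN_BASE/OU=Internet Department/CN=www.openarch.com/emailAddress=admin@openarch.com" \
        -out "$WORK/server.csr"
}

# Stand-in for sign.sh: "openssl x509 -req" signs a CSR with the CA without the
# index.txt/serial database that "openssl ca" insists on. Prints the cert path.
sign_csr() {
    csr="$1"; crt="${1%.csr}.crt"
    openssl x509 -req -days "$DAYS" -in "$csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin "$PASS" -CAcreateserial -out "$crt" 2>/dev/null
    echo "$crt"
}

# Checks a signer should run before installing the certificate in Apache:
# does it chain to our CA, and is its issuer really our CA's subject?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
cert_field() {   # cert_field subject|issuer FILE -> DN without the "subject=" prefix
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}
if [ "${1:-}" = "run" ]; then   # usage: sh this_script.sh run
    make_ca; make_csr; CRT="$(sign_csr "$WORK/server.csr")"
    verify_chain "$CRT" && echo "$CRT chains to $WORK/ca.crt"
fi
```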