{"id":67,"date":"2010-12-01T20:58:43","date_gmt":"2010-12-01T20:58:43","guid":{"rendered":"http:\/\/192.168.50.22\/index.php\/2010\/12\/01\/openssl\/"},"modified":"2026-03-17T21:21:49","modified_gmt":"2026-03-18T01:21:49","slug":"openssl","status":"publish","type":"post","link":"https:\/\/smegnl.medina.oh.us\/?p=67","title":{"rendered":"OpenSSL"},"content":{"rendered":"

How to configure OpenSSL on Fedora 14 (assuming you did a yum install openssl)<\/strong><\/span><\/span><\/h2>\n

Creating the necessary directories<\/strong><\/span><\/span><\/h2>\n

First of all we will create a directory tree where all certificate stuff will be kept. Fedora\u2019s default directory is \/etc\/pki\/tls\/. So, as root, we create our own directories (I cheated and used the GUI in SSh, but for you hardcore peeps):<\/span><\/p>\n

# mkdir -m 0755 \/etc\/pki\/CA\/support <\/em>
\n<\/span><\/p>\n

And then we create our CA\u2019s directory tree:<\/span><\/p>\n

# mkdir -m 0755 \\<\/em><\/span><\/p>\n

\/etc\/pki\/CA\/support \\<\/em><\/span><\/p>\n

\/etc\/pki\/CA\/support\/private \\<\/em><\/span><\/p>\n

\/etc\/pki\/CA\/support\/certs \\<\/em><\/span><\/p>\n

\/etc\/pki\/CA\/support\/newcerts \\<\/em><\/span><\/p>\n

\/etc\/pki\/CA\/support\/crl<\/em><\/span><\/p>\n

    \n
  • support is our Certificate Authority\u2019s directory.<\/span><\/li>\n
  • support\/certs directory is where our server certificates will be placed.<\/span><\/li>\n
  • support\/newcerts directory is where openssl puts the created certificates in PEM (unencrypted) format and in the form cert_serial_number.pem (eg 07.pem). Openssl needs this directory, so we create it.<\/span><\/li>\n
  • support\/crl is where our certificate revokation list is placed.<\/span><\/li>\n
  • support\/private is the directory where our private keys are placed. Be sure that you set restrictive permissions to all your private keys so that they can be read only by root, or the user with whose priviledges a server runs. If anyone steals your private keys, then things get really bad.<\/span><\/li>\n<\/ul>\n

    Initial openssl configuration<\/strong><\/span><\/span><\/p>\n

    We are going to copy the default openssl configuration file (openssl.cnf) to our CA\u2019s directory (support). In Fedora, this file exists in \/etc\/pki\/tls. So, we copy it to our CA\u2019s dir.<\/span><\/p>\n

    This file does not need to be world readable, so we change its attributes:<\/span><\/p>\n

    # chmod 0600 \/etc\/pki\/CA\/support\/openssl.cnf<\/em><\/span><\/p>\n

    We also need to create two other files. This file serves as a database for openssl:<\/span><\/p>\n

    # touch \/etc\/pki\/CA\/support\/index.txt<\/em><\/span><\/p>\n

    The following file contains the next certificate\u2019s serial number. Since we have not created any certificates yet, we set it to “01”:<\/span><\/p>\n

    # echo ’01’ > \/etc\/pki\/CA\/support\/serial<\/em><\/span><\/p>\n

    Here is a small legend with file extensions we will use for the created files and their meaning. All files that will be created will have one of these extensions:<\/span><\/p>\n

      \n
    • KEY \u2013 Private key (Restrictive permissions should be set on this)<\/span><\/li>\n
    • SR \u2013 Certificate Request (This will be signed by our CA in order to create the server certificates. Afterwards it is not needed and can be deleted)<\/span><\/li>\n
    • CRT \u2013 Certificate (This can be publicly distributed)<\/span><\/li>\n
    • PEM \u2013 We will use this extension for files that contain both the Key and the server Certificate (Some servers need this). Permissions should be restrictive on these files.<\/span><\/li>\n
    • CRL \u2013 Certificate Revokation List (This can be publicly distributed)<\/span><\/li>\n<\/ul>\n


      \n<\/span><\/p>\n

      Create the CA Certificate and Key<\/strong><\/span><\/span><\/p>\n

      Now, that all initial configuration is done, we may create a self-signed certificate, that will be used as our CA\u2019s certificate. In other words, we will use this to sign other certificate requests.<\/span><\/p>\n

      Change to our CA\u2019s directory. This is where we should issue all the openssl commands because here is our openssl\u2019s configuration file (openssl.cnf that we coppied). As root:<\/span><\/p>\n

      # cd \/etc\/pki\/CA\/support\/<\/em><\/span><\/p>\n

      And then create your CA\u2019s Certificate and Private Key. As root:<\/span><\/p>\n

      # openssl req -new -x509 -extensions v3_ca -keyout private\/myca.key -out certs\/myca.crt -days 1825<\/em><\/span><\/p>\n

      This creates a self-signed certificate with the default CA extensions which is valid for 5 years. You will be prompted for a passphrase for your CA\u2019s private key. Be sure that you set a strong passphrase. Then you will need to provide some info about your CA. Fill in whatever you like.<\/span><\/p>\n

      Two files are created:<\/span><\/p>\n

        \n
      • certs\/myca.crt \u2013 This is your CA\u2019s certificate and can be publicly available and of course world readable.<\/span><\/li>\n
      • private\/myca.key \u2013 This is your CA\u2019s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:<\/span><\/li>\n<\/ul>\n

        # chmod 0400 \/etc\/pki\/CA\/support\/private\/myca.key<\/em><\/span><\/p>\n

        More openssl configuration (mandatory)<\/span><\/span><\/h4>\n

        Because we use a custom directory for our certificates\u2019 management, some modifications to \/etc\/pki\/CA\/support\/openssl.cnf<\/strong> are necessary. Open it in your favorite text editor as root and find the following part (around line 35):<\/span><\/p>\n

        You should modify the following settings in order to coform to our custom directory and our custom CA key and certificate:<\/span><\/p>\n

        [ CA_default ]\ndir     = ..\/..\/CA      # Where everything is kept\ndir     = <\/strong>.<\/strong><\/strong>                # <\/strong><--CHANGE TO THIS<\/strong><\/strong><\/em>\ncerts       = $dir\/certs\ncrl_dir     = $dir\/crl\ndatabase    = $dir\/index.txt\n#unique_subject = no\n\nnew_certs_dir   = $dir\/newcerts\n\ncertificate = $dir\/cacert.pem   # The CA certificate\ncertificate = $dir\/<\/strong>certs\/myca.crt<\/strong><\/strong>   # <\/strong><--CHANGE TO THIS<\/strong><\/strong><\/em>\nserial      = $dir\/serial\n#crlnumber  = $dir\/crlnumber\n\ncrl     = $dir\/crl.pem\nprivate_key = $dir\/private\/cakey.pem    # The private key\nprivate_key = $dir\/private\/<\/strong>myca.key<\/strong><\/strong>    # <\/strong><--CHANGE TO THIS<\/strong><\/strong><\/em><\/span><\/pre>\n
        Generate a Certificate Request<\/span><\/span><\/h5>\n
        First, we change to our CA\u2019s directory:<\/span><\/p>\n
        # cd \/etc\/pki\/CA\/support\/<\/span><\/em><\/pre>\n
        Then we create the certificate request:<\/span><\/p>\n
        # openssl req -new -nodes -keyout private\/server.key -out server.csr -days 365<\/span><\/em><\/pre>\n
        The –<\/strong>nodes option is needed so that the private key is not protected with a passphrase. If you do not intend to use the certificate for server authentication, you should not include it in the above command.
        \nYou can customize the number of days you want this certificate to be valid for.<\/span><\/p>\n
        You will be prompted for the certificate\u2019s info.<\/span><\/p>\n
        The Common Name (CN)<\/strong> is the info that uniquely distinguishes your service, so be sure that you type it correctly.
        \nWhen prompted for some extra attributes (challenge password, optional company name) just hit the [Enter] key.<\/span><\/p>\n
        Two files are created:<\/span><\/p>\n
          \n
        • server.csr<\/strong> \u2013 \tthis is the certificate request.<\/span><\/li>\n
        • private\/server.key<\/strong> \u2013 this is the private \tkey, which is not protected with a passphrase.<\/span><\/li>\n<\/ul>\n
          Sign the Certificate Request<\/span><\/span><\/h5>\n
          Now we are going to sign the certificate request and generate the server\u2019s certificate.<\/span><\/p>\n
          First, we change to our CA\u2019s directory:<\/span><\/p>\n
          # cd \/etc\/pki\/CA\/support<\/span><\/em><\/pre>\n
          Then we sign the certificate request:<\/span><\/p>\n
          # openssl ca -config openssl.cnf -out certs\/server.crt -infiles server.csr<\/span><\/em><\/pre>\n
          You will need to supply the CA\u2019s private key in order to sign the request. You can check the openssl.cnf file about what policy_anything<\/strong> means. In short, the fields about the Country, State or City is not required to match those of your CA\u2019s certificate.<\/span><\/p>\n
          After all this is done two new files are created:<\/span><\/p>\n
            \n
          • certs\/server.crt<\/strong> \u2013 this is the server\u2019s certificate, which can be made available \tpublicly.<\/span><\/li>\n
          • newcerts\/01.pem<\/strong> \u2013 This is exactly the same \tcertificate, but with the certificate\u2019s serial number as a \tfilename. It is not needed.<\/span><\/li>\n<\/ul>\n
            You can now delete the certificate request (server.csr). It\u2019s no longer needed:<\/span><\/p>\n
            # rm -f \/etc\/pki_jungle\/myCA\/server.csr<\/span><\/em><\/pre>\n
            And verify that the certificate is valid for server authentication with the following:<\/span><\/p>\n
            # openssl verify -purpose sslserver -CAfile \/etc\/pki\/CA\/support\/certs\/myca.crt \n\/etc\/pki\/CA\/support\/certs\/server.crt<\/em>\n<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
            How to configure OpenSSL on Fedora 14 (assuming you did a yum install openssl) Creating the necessary directories First of all we will create a directory tree where all certificate stuff will be kept. Fedora\u2019s default directory is \/etc\/pki\/tls\/. So, as root, we create our own directories (I cheated and used the GUI in SSh, […]<\/p>\n","protected":false},"author":1,"featured_media":3014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-67","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-figured-it-out"],"_links":{"self":[{"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/posts\/67","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=67"}],"version-history":[{"count":0,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/posts\/67\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=\/wp\/v2\/media\/3014"}],"wp:attachment":[{"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=67"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=67"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smegnl.medina.oh.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=67"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}