AXISHK

Install openssl

Where can I download openssl for my redhat?

Any step-by-step guideline on how to set it up?

Tks
Ganesh Anand

Download link for OpenSSL : http://www.openssl.org/source/

How to install OpenSSL on CentOS/ RedHat Linux
Install OpenSSL
yum install openssl
Note: This is typically installed on CentOS by default.

How to configure OpenSSL on CentOS/ RedHat Linux
Change your working directory to /etc/pki/CA
cd /etc/pki/CA
Create a folder to hold the Certificates
mkdir certs
Create a folder to hold the Certificate Revocation List
mkdir crl
Create a folder to hold the Server Certificates in PEM (unencrypted) format
mkdir newcerts
Create a file that holds the database of certificates
touch index.txt
Create a file that holds the next certificate serial number
echo '01' > serial
Create a file that holds the next Certificate Revocation List serial number
echo '01' > crlnumber
Make a copy of the system's default openssl configuration file for our use
cp /etc/pki/tls/openssl.cnf openssl.cnf
Edit the /etc/pki/CA/openssl.cnf file making the following changes
Change line 37
from dir             = ../../CA              # Where everything is kept
to dir             = .                     # Where everything is kept
Change line 45
from certificate     = $dir/cacert.pem       # The CA certificate
to certificate     = $dir/certs/ca.crt     # The CA certificate
Change line 50
from private_key     = $dir/private/cakey.pem# The private key
to private_key     = $dir/private/ca.key   # The private key
Make the /etc/pki/CA/openssl.cnf file not world readable
chmod 0600 openssl.cnf
Here are a few topics to create CA, CRL, Revoke Certificate and verify certificate.
------------------------------------------------------------------------------------------------------------------------
To create Certificate Authority :
Create a Certificate Authority (CA)
Change your working directory to /etc/pki/CA
cd /etc/pki/CA
Create a certificate authority good for ten years
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650
Enter PEM pass phrase: $password
Re-Enter PEM pass phrase: $password
Country Name: $country
State or Province Name: $state
Locality Name: $city
Organization Name: $company
Organizational Unit Name: $department = Certificate Authority
Common Name: ca.$domain
Email Address: ca@$domain
Restrict access to the private key so that only root can read it
chmod 0400 private/ca.key

------------------------------------------------------------------------------------------------------------------------

Create a Certificate Request (CSR)
Change your working directory to /etc/pki/CA
cd /etc/pki/CA
Create a certificate request good for one year
openssl req -config openssl.cnf -new -nodes -keyout private/$domain.key -out $domain.csr -days 365
Country Name: $country
State or Province Name: $state
Locality Name: $city
Organization Name: $company
Organizational Unit Name: $department = Secure Web Server
Common Name: $url
Email Address: $email
Challenge password: [ENTER]
Optional company name: [ENTER]
Restrict access to the private key so that only root and apache can read it
chown root:apache private/$domain.key
chmod 0440 private/$domain.key
Two files are created upon completion of these instructions.  $domain.key is generated and put into the private folder.  This is a private key file specific to the domain that the certificate request was created for.  $domain.csr is generated and put into the CA folder.  This is a certificate request file and can be used to generate a certificate specific to the domain the certificate request was created for.

Sign a Certificate Request (CSR)
Change your working directory to /etc/pki/CA
cd /etc/pki/CA
Sign a certificate request
openssl ca -config openssl.cnf -policy policy_anything -out certs/$domain.crt -infiles $domain.csr
Enter the ca.key password: $password
Sign the certificate: y
1 out of 1 certificate requests certified, commit: y
Delete the certificate request
rm -f $domain.csr
Two files are created upon completion of these instructions.  $domain.crt is created and put into the certs folder.  This is a certificate file specific to the domain that the certificate request was created for.  $cert_number.pem is generated and put into the newcerts folder.  This is an X.509 file containing both the $domain.key and $domain.crt file information.

------------------------------------------------------------------------------------------------------------------------
Create a Certificate Revocation List
Generate a new Certificate Revocation List
openssl ca -config openssl.cnf -gencrl -out crl/ca.crl
Enter pass phrase for ./private/ca.key: $password

------------------------------------------------------

Revoke Certificate
Revoke a Certificate
openssl ca -config openssl.cnf -revoke certs/$domain.crt
Enter pass phrase for ./private/ca.key: $password

------------------------------------------------------------------------------------------------------------------------


Verify Certificate
Verify the subject and issuer of a certificate
openssl x509 -subject -issuer -enddate -noout -in certs/$domain.crt
Verify all content of a certificate
openssl x509 -in certs/$domain.crt -noout -text
Verify that the certificate is valid for server authentication
openssl verify -purpose sslserver -CAfile certs/ca.crt certs/$domain.crt
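
The CA, signing, revocation and verification steps from the answer above, run non-interactively in a scratch directory to show that a revoked certificate still passes `openssl verify` unless the CRL is supplied. This is an added example, not part of the original answer; the trimmed-down openssl.cnf, the `ca_demo` function and the `*.example.test` subjects are assumptions made for the demo, and it relies on `openssl verify` exiting non-zero on failure, as current OpenSSL releases do.

```shell
# Added example: the CA steps above, run non-interactively in a scratch
# directory. Subjects (*.example.test) and file names are constructed.
ca_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  mkdir certs crl newcerts private && touch index.txt
  echo 01 > serial; echo 01 > crlnumber
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
  # Scratch keys are unencrypted (-nodes); a real CA key keeps its pass phrase.
  q openssl req -config openssl.cnf -new -x509 -extensions v3_ca -nodes -newkey rsa:2048 \
    -keyout private/ca.key -out certs/ca.crt -days 3650 -subj /CN=ca.example.test || exit 1
  q openssl req -config openssl.cnf -new -nodes -newkey rsa:2048 \
    -keyout private/www.key -out www.csr -subj /CN=www.example.test || exit 1
  q openssl ca -config openssl.cnf -batch -policy policy_anything \
    -out certs/www.crt -infiles www.csr || exit 1
  check() { if q openssl verify -CAfile certs/ca.crt "$@" certs/www.crt
            then echo OK; else echo FAIL; fi; }
  before=$(check -purpose sslserver)
  q openssl ca -config openssl.cnf -revoke certs/www.crt || exit 1
  q openssl ca -config openssl.cnf -gencrl -out crl/ca.crl || exit 1
  no_crl=$(check)                                   # chain only
  with_crl=$(check -crl_check -CRLfile crl/ca.crl)  # CRL consulted
  echo "before=$before no_crl=$no_crl with_crl=$with_crl index=$(cut -f1 index.txt)"
  cd / && rm -rf "$d"
)
# ca_demo  ->  before=OK no_crl=OK with_crl=FAIL index=R
```

Anything that relies on this CA therefore has to be given the current crl/ca.crl and told to check it; revoking alone only changes the flag in index.txt from V to R.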
AXISHK

ASKER

I have downloaded the package from the website. Where should I start? Click "make", correct?

Refer to the instructions: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html

What does "\" mean?

./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic &&
make
AXISHK

ASKER

I have run the following command to install but it doesn't install properly...

./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make


make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.1p  &&
cp -vfr doc/*     /usr/share/doc/openssl-1.0.1p

Just do "yum install openssl" from a terminal as root.
AXISHK

ASKER

Tks