Attention: All pages of this wiki depend on the pages that come before them, in the order listed on the Main Page. Please check for Dependencies.
Please also look at What You Need to Know Before Using This Wiki
Create a Certificate Authority
Notes
- A CA key can be too large: 8196 bits makes the webdav client fail.
- Instead of one certificate per site, you can issue a single certificate that lists every served domain name as a subjectAltName entry, then point all Apache VirtualHost configs at that one certificate.
Generate the Computerisms Certificate Authority
- mkdir -p /var/CA/computerisms.com/CA/{certs,crl,newcerts,private}
- cd /var/CA/computerisms.com
- echo 01 > CA/crlnumber
- chmod 700 /var/CA/computerisms.com/CA/private/
- touch /var/CA/computerisms.com/CA/index.txt
- vi /var/CA/computerisms.com/computerisms.ssl.conf
- openssl req -new -newkey rsa:4096 -keyout CA/private/cakey.pem -out careq.pem -config computerisms.ssl.conf
- Choose a very strong password for your CA; fill in values as appropriate for you; when setting common name, choose a name indicating this is a CA, like Computerisms Certificate Authority, use (what will be) the system administrator's email address - like bob.miller@computerisms.com, enter the challenge password and optional company as you will
- openssl ca -create_serial -out CA/cacert.pem -days 3650 -keyfile CA/private/cakey.pem -selfsign -extensions v3_ca_has_san -config computerisms.ssl.conf -infiles careq.pem
- Enter your very strong CA password; examine the output very carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- rm careq.pem
- cp CA/cacert.pem CA/Computerisms.Certificate.Authority
- cd CA/
- openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem -certfile cacert.pem -name Computerisms.Certificate.Authority -out Computerisms.Certificate.Authority.p12
- vi /var/CA/computerisms.com/computerisms.ssl.conf
- Find and adjust the [v3_req] section:
 [ v3_req ]
 subjectAltName = DNS:fqdn.computerisms.com ## use this for machines
 #subjectAltName = email:move ## use this for CA or person
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment ## Use this line for everything except CAs
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign, cRLSign ## Use this line for CAs
Install Computerisms Certificate Authority
- cp /var/CA/computerisms.com/CA/Computerisms.Certificate.Authority /usr/local/share/ca-certificates/Computerisms.Certificate.Authority.crt
- update-ca-certificates
Create Certificate for porchlian.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:fqdn.computerisms.com/DNS:porchlian.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of porchlian.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir porchlian.computerisms.com
- mv newcert.pem porchlian.computerisms.com/porchlian.computerisms.com.pem
- mv newkey.pem porchlian.computerisms.com/porchlian.computerisms.com.key
- rm newreq.pem
- cd porchlian.computerisms.com
- openssl pkcs12 -export -in porchlian.computerisms.com.pem -inkey porchlian.computerisms.com.key -certfile ../CA/cacert.pem -name porchlian.computerisms.com -out porchlian.computerisms.com.p12
- chmod 640 *.key
Create Certificate for mail.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:porchlian.computerisms.com/DNS:mail.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of mail.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir mail.computerisms.com
- mv newcert.pem mail.computerisms.com/mail.computerisms.com.pem
- mv newkey.pem mail.computerisms.com/mail.computerisms.com.key
- rm newreq.pem
- cd mail.computerisms.com/
- openssl rsa -in mail.computerisms.com.key -out mail.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- cat mail.computerisms.com.pem mail.computerisms.com.nopw.key >> mail.computerisms.com.crt
- chmod 640 *.crt *.key
Create Certificate for cal.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:mail.computerisms.com/DNS:cal.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of cal.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir cal.computerisms.com
- mv newcert.pem cal.computerisms.com/cal.computerisms.com.pem
- mv newkey.pem cal.computerisms.com/cal.computerisms.com.key
- rm newreq.pem
- cd cal.computerisms.com/
- openssl rsa -in cal.computerisms.com.key -out cal.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for fetch.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:cal.computerisms.com/DNS:fetch.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of fetch.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir fetch.computerisms.com
- mv newcert.pem fetch.computerisms.com/fetch.computerisms.com.pem
- mv newkey.pem fetch.computerisms.com/fetch.computerisms.com.key
- rm newreq.pem
- cd fetch.computerisms.com/
- openssl rsa -in fetch.computerisms.com.key -out fetch.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for files.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:fetch.computerisms.com/DNS:files.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of files.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir files.computerisms.com
- mv newcert.pem files.computerisms.com/files.computerisms.com.pem
- mv newkey.pem files.computerisms.com/files.computerisms.com.key
- rm newreq.pem
- cd files.computerisms.com/
- openssl rsa -in files.computerisms.com.key -out files.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for rt.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:files.computerisms.com/DNS:rt.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of rt.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir rt.computerisms.com
- mv newcert.pem rt.computerisms.com/rt.computerisms.com.pem
- mv newkey.pem rt.computerisms.com/rt.computerisms.com.key
- rm newreq.pem
- cd rt.computerisms.com/
- openssl rsa -in rt.computerisms.com.key -out rt.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for wiki.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:rt.computerisms.com/DNS:wiki.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of wiki.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir wiki.computerisms.com
- mv newcert.pem wiki.computerisms.com/wiki.computerisms.com.pem
- mv newkey.pem wiki.computerisms.com/wiki.computerisms.com.key
- rm newreq.pem
- cd wiki.computerisms.com/
- openssl rsa -in wiki.computerisms.com.key -out wiki.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for ledger.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:wiki.computerisms.com/DNS:ledger.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of ledger.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir ledger.computerisms.com
- mv newcert.pem ledger.computerisms.com/ledger.computerisms.com.pem
- mv newkey.pem ledger.computerisms.com/ledger.computerisms.com.key
- rm newreq.pem
- cd ledger.computerisms.com/
- openssl rsa -in ledger.computerisms.com.key -out ledger.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for nagios.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:ledger.computerisms.com/DNS:nagios.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of nagios.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir nagios.computerisms.com
- mv newcert.pem nagios.computerisms.com/nagios.computerisms.com.pem
- mv newkey.pem nagios.computerisms.com/nagios.computerisms.com.key
- rm newreq.pem
- cd nagios.computerisms.com/
- openssl rsa -in nagios.computerisms.com.key -out nagios.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for pbx.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:nagios.computerisms.com/DNS:pbx.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of pbx.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir pbx.computerisms.com
- mv newcert.pem pbx.computerisms.com/pbx.computerisms.com.pem
- mv newkey.pem pbx.computerisms.com/pbx.computerisms.com.key
- rm newreq.pem
- cd pbx.computerisms.com/
- openssl rsa -in pbx.computerisms.com.key -out pbx.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for listadmin.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:pbx.computerisms.com/DNS:listadmin.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of listadmin.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir listadmin.computerisms.com
- mv newcert.pem listadmin.computerisms.com/listadmin.computerisms.com.pem
- mv newkey.pem listadmin.computerisms.com/listadmin.computerisms.com.key
- rm newreq.pem
- cd listadmin.computerisms.com/
- openssl rsa -in listadmin.computerisms.com.key -out listadmin.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for listarchive.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:listadmin.computerisms.com/DNS:listarchive.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of listarchive.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir listarchive.computerisms.com
- mv newcert.pem listarchive.computerisms.com/listarchive.computerisms.com.pem
- mv newkey.pem listarchive.computerisms.com/listarchive.computerisms.com.key
- rm newreq.pem
- cd listarchive.computerisms.com/
- openssl rsa -in listarchive.computerisms.com.key -out listarchive.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for media.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:listarchive.computerisms.com/DNS:media.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of media.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir media.computerisms.com
- mv newcert.pem media.computerisms.com/media.computerisms.com.pem
- mv newkey.pem media.computerisms.com/media.computerisms.com.key
- rm newreq.pem
- cd media.computerisms.com/
- openssl rsa -in media.computerisms.com.key -out media.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for ups.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:media.computerisms.com/DNS:ups.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of ups.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir ups.computerisms.com
- mv newcert.pem ups.computerisms.com/ups.computerisms.com.pem
- mv newkey.pem ups.computerisms.com/ups.computerisms.com.key
- rm newreq.pem
- cd ups.computerisms.com/
- openssl rsa -in ups.computerisms.com.key -out ups.computerisms.com.nopw.key
- Enter the fairly strong password for this certificate
- chmod 640 *.key
Create Certificate for dslobby.computerisms.com
- cd /var/CA/computerisms.com
- sed -i 's/DNS:ups.computerisms.com/DNS:dslobby.computerisms.com/' computerisms.ssl.conf
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong password for this certificate; enter values appropriate for you; enter a common name of dslobby.computerisms.com; enter (what will be) the administrator's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir dslobby.computerisms.com
- mv newcert.pem dslobby.computerisms.com/dslobby.computerisms.com.pem
- mv newkey.pem dslobby.computerisms.com/dslobby.computerisms.com.key
- rm newreq.pem
- cd dslobby.computerisms.com/
- openssl rsa -in dslobby.computerisms.com.key -out dslobby.computerisms.com.nopw.key
- grep -A 500 BEGIN dslobby.computerisms.com.pem > dslobby.computerisms.com.crt; cat dslobby.computerisms.com.nopw.key >> dslobby.computerisms.com.crt
- chmod 640 *.key *.crt
Create Personal Certificates
- cd /var/CA/computerisms.com
- Edit the [ v3_req ] section in computerisms.ssl.conf => comment the subjectAltName for DNS and uncomment subjectAltName for email
- openssl req -newkey rsa:4096 -keyout newkey.pem -out newreq.pem -config computerisms.ssl.conf
- Choose a fairly strong but user-friendly password for this certificate; enter values appropriate for the individual this certificate is being generated for; enter a common name in the format of "Bob Miller"; enter (what will be) the user's email address - like bob.miller@computerisms.com
- openssl ca -in newreq.pem -out newcert.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf -extfile computerisms.ssl.conf -extensions usr_cert_has_san
- Enter your very strong CA password; examine the certificate carefully for typos and incorrect data; if everything checks out press y/Enter/y/Enter
- mkdir BobMiller
- mv newcert.pem BobMiller/bob.miller.pem
- mv newkey.pem BobMiller/bob.miller.key
- rm newreq.pem
- cd BobMiller/
- openssl pkcs12 -export -in bob.miller.pem -inkey bob.miller.key -certfile ../CA/cacert.pem -name bob.miller -out bob.miller.p12
- chmod 640 *.key
Revoking Certificates
- Revoking a mistakenly named certificate:
- cd /var/CA/computerisms.com
- openssl ca -revoke media.was.ob/media.computerisms.com.pem -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -config computerisms.ssl.conf
- ln -s CA/ demoCA
- echo 01 > CA/crlnumber
- openssl ca -gencrl -crldays 3650 -keyfile ./CA/private/cakey.pem -cert ./CA/cacert.pem -out Computerisms.Certificate.Authority.crl
- samba-tool dns add houselian computerisms.com crl A ext.ern.ip.add
- scp Computerisms.Certificate.Authority.crl root@ext.ern.ip.add:/Computerisms/sites/computerisms.com
- Configure the external server to accept a ServerAlias of crl.computerisms.com, and add crl to your external zone.
- NOT REQUIRED: openssl crl -in Computerisms.Certificate.Authority.crl -inform PEM -out Computerisms.Certificate.Authority.crl.der -outform DER
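Every `openssl ca` run above appends a line to CA/index.txt, and `-revoke` flips that line's status to R; the CRL is generated from the same file. The following is an added example, not part of this wiki, that parses that database and reports what the CA operator needs to act on. The index contents, serials and dates in it are constructed samples, not values from this CA.

```python
"""Audit the OpenSSL `ca` database (CA/index.txt) that the steps above build.
Each signed certificate is one tab-separated line:
    status  expiry  revocation[,reason]  serial  filename  subject-DN
status is V (valid), R (revoked) or E (expired); dates are ASN.1 UTCTime
(YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
from datetime import datetime, timedelta, timezone

# Constructed sample (serials and dates made up): a few host certs, one revoked,
# one expired, one expiring soon, and one CN issued twice, the slip the
# sed-based workflow invites when a common name is not updated.
SAMPLE_INDEX = """\
V\t330415120000Z\t\t1A2B3C\tunknown\t/C=CA/O=Computerisms/CN=porchlian.computerisms.com/emailAddress=bob.miller@computerisms.com
V\t231231235959Z\t\t1A2B3D\tunknown\t/C=CA/O=Computerisms/CN=cal.computerisms.com/emailAddress=bob.miller@computerisms.com
R\t330415130000Z\t240301090000Z,superseded\t1A2B3E\tunknown\t/C=CA/O=Computerisms/CN=media.computerisms.com/emailAddress=bob.miller@computerisms.com
V\t240420000000Z\t\t1A2B3F\tunknown\t/C=CA/O=Computerisms/CN=pbx.computerisms.com/emailAddress=bob.miller@computerisms.com
V\t330415140000Z\t\t1A2B40\tunknown\t/C=CA/O=Computerisms/CN=pbx.computerisms.com/emailAddress=bob.miller@computerisms.com
"""

def parse_asn1_time(value: str) -> datetime:
    """UTCTime has a 2-digit year: RFC 5280 reads 50-99 as 19xx, 00-49 as 20xx."""
    if len(value) == 13:
        yy = int(value[:2])
        value = f"{1900 + yy if yy >= 50 else 2000 + yy}{value[2:]}"
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_dn(dn: str) -> dict:
    """'/C=CA/O=X/CN=host/emailAddress=a@b' -> {'C': 'CA', 'O': 'X', 'CN': 'host', ...}"""
    out = {}
    for part in dn.strip("/").split("/"):
        key, _, val = part.partition("=")
        out.setdefault(key, val)        # keep the first value if an attribute repeats
    return out

def parse_index(text: str) -> list:
    """Return one dict per index.txt line; revocation time/reason are None if unset."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        status, exp, rev, serial, _fname, dn = line.split("\t")
        rev_time, _, reason = rev.partition(",")
        entries.append({
            "status": status, "serial": serial, "subject": parse_dn(dn),
            "expires": parse_asn1_time(exp),
            "revoked": parse_asn1_time(rev_time) if rev_time else None,
            "reason": reason or None,
        })
    return entries

def audit(entries: list, now: datetime, warn_days: int = 30) -> dict:
    """What the CA operator should act on: revoked serials that must appear in
    the published CRL, certificates already expired or expiring within
    warn_days, and common names holding more than one unrevoked certificate
    (a renewal whose predecessor was never revoked, or a CN left unchanged)."""
    report = {"revoked": [], "expired": [], "expiring": [], "duplicate_cn": []}
    by_cn = {}
    for e in entries:
        cn = e["subject"].get("CN", "?")
        if e["status"] == "R":
            report["revoked"].append((e["serial"], cn, e["reason"]))
            continue
        if e["expires"] <= now:
            report["expired"].append((e["serial"], cn))
        elif e["expires"] - now <= timedelta(days=warn_days):
            report["expiring"].append((e["serial"], cn))
        by_cn.setdefault(cn, []).append(e["serial"])
    report["duplicate_cn"] = sorted(cn for cn, s in by_cn.items() if len(s) > 1)
    return report

if __name__ == "__main__":
    for key, items in audit(parse_index(SAMPLE_INDEX),
                            datetime.now(timezone.utc)).items():
        print(f"{key}: {items}")
```

Point `parse_index` at the real file (`open("/var/CA/computerisms.com/CA/index.txt").read()`) to run it against this CA; anything listed under revoked must be present in the CRL you publish at crl.computerisms.com.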