Next Steps

Now that we have the infrastructure available, we can start signing requests. There are two ways a certificate request can come to be signed by your CA. The first is that you generate one yourself. The second is that a trading partner sends you a request to be signed.

Procedure 2.2. Generating a Certificate

  1. Generate a Certificate Request

    Create our own request for this example. First, we change to our CA's directory, then create a certificate request:

    # cd /etc/pki/CA
    # openssl req -nodes -new -keyout requests/private.key \
                -out requests/request.csr

    The -nodes option is needed so that the private key is not protected with a passphrase (a server has to read its key at startup without anyone typing a passphrase). If you do not intend to use the certificate for server authentication, you should omit it from the above command.

  2. You will now be prompted for certificate information. Answer the following questions:

    Country Name (2 letter code) [US]:
    State or Province Name (full name) [State]:
    Locality Name (eg, city) [City]:
    Organization Name (eg, company) [Company Name]:
    Organizational Unit Name (eg, section) [Security Zone]:
    Common Name (eg, your name or your server’s hostname) [FQDN]:
    Email Address []:
    A challenge password []:
    An optional company name []:

    The Organizational Unit Name has to match the entry we used to set up the CA certificate. The Common Name (CN) is the value that uniquely identifies your service (for a server, its fully qualified hostname), so be sure that you type it correctly.

  3. When prompted for the extra attributes (challenge password, optional company name), just press the [Enter] key.

    Two files are created:

    • ./requests/request.csr - this is the certificate request.

    • ./requests/private.key - this is the private key, which is not protected with a passphrase.

  4. Set restrictive permissions on the private key. Only root, or the user the server runs as, should be able to read it. For example:

    # chown root:root /etc/pki/CA/requests/private.key
    # chmod 0400 /etc/pki/CA/requests/private.key

  5. Review the Certificate Request

    Before we sign any request we should review it and make sure we are happy to sign it. The most important field is CN=, since that is the value client software checks against the hostname it connected to.

    # cd /etc/pki/CA/
    # openssl req -in ./requests/request.csr -noout -text

    We need to be certain that the person (emailAddress) requesting this certificate controls the host (CN) being signed. Also check the countryName and organizationName: they need to match the settings in your CA. When we are happy with the details in the request we can proceed.

  6. Sign the Certificate Request

    Now we are going to sign the certificate request and generate the server’s certificate.

    # cd /etc/pki/CA/

  7. Then we sign the certificate request:

    # cd /etc/pki/CA/
    # openssl ca -batch -config conf/openssl.cnf \
            -in requests/request.csr -out requests/request.cert

    Two new files are created:

    • requests/request.cert - this is the server’s certificate, which can be made available publicly.

    • certs/##.pem - This is exactly the same certificate, but with the certificate's serial number as the filename. This is your record of which certificates you have signed.

  8. You can now delete the certificate request (requests/request.csr). It is no longer needed:

    # rm -f /etc/pki/CA/requests/request.csr

  9. And transfer the ./requests/request.cert file back to the requester.

You can see the certificate’s info with the following:

# openssl x509 -subject -issuer -enddate -noout -in ./requests/request.cert

And verify that the certificate is valid for server authentication with the following:

# openssl verify -purpose sslserver -CAfile ./public/myPub.pem \
         ./requests/request.cert

If you do not want a certificate to be valid any more, you have to revoke it. This is done with the command:

# cd /etc/pki/CA
# openssl ca -config conf/openssl.cnf -revoke certs/XX.pem

Where XX is the certificate serial number you want to revoke.

Then you should generate a new CRL (Certificate Revocation List):

# cd /etc/pki/CA
# openssl ca -config conf/openssl.cnf -gencrl -out crl/list.crl

The CRL file is crl/list.crl.
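The signing procedure above (steps 1 to 9) and the revoke / CRL commands, as one non-interactive script. This is an added example, not code from the original page: it builds a throw-away CA under a temporary directory with the same layout the page uses (conf/openssl.cnf, public/myPub.pem, requests/, certs/, crl/), so the CA key path private/myPriv.key, the subject values and the hostname demo.example.test are constructed for the demo. It adds two checks the page leaves to the operator: a review step that refuses a request whose C/O/OU do not match the CA, and a final verify with -crl_check showing that the revoked certificate is no longer accepted.

```shell
#!/bin/sh
# Added example, not the page's own code: the sign / review / verify / revoke / CRL
# procedure as non-interactive functions, run against a throw-away CA built in a
# temporary directory. The layout mirrors the page (conf/openssl.cnf, public/myPub.pem,
# requests/, certs/, crl/); subject values and private/myPriv.key are constructed.
set -eu

setup_ca() {   # $1 = directory in which to build the demo CA
  mkdir -p "$1/certs" "$1/crl" "$1/requests" "$1/private" "$1/public" "$1/conf"
  : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/conf/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/public/myPub.pem
private_key = \$dir/private/myPriv.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = server_ext
[ demo_policy ]
countryName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA certificate; 'policy = match' compares requests against its C/O/OU.
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 -extensions ca_ext \
    -config "$1/conf/openssl.cnf" -subj "/C=US/O=Example Corp/OU=Security Zone/CN=Demo CA" \
    -keyout "$1/private/myPriv.key" -out "$1/public/myPub.pem" 2>/dev/null
}
make_request() {   # $1 = CA dir, $2 = subject: step 1 without the prompts, plus step 4
  openssl req -nodes -new -newkey rsa:2048 -sha256 -config "$1/conf/openssl.cnf" -subj "$2" \
    -keyout "$1/requests/private.key" -out "$1/requests/request.csr" 2>/dev/null
  chmod 0400 "$1/requests/private.key"
}
csr_field() {   # $1 = CSR, $2 = attribute (C, O, OU, CN, emailAddress): prints its value
  openssl req -in "$1" -noout -subject -nameopt sep_multiline,utf8,esc_ctrl | sed -n "s/^ *$2=//p"
}
review_request() {   # $1 = CSR, $2 $3 $4 = the CA's C, O, OU: step 5 as a check, 0 = may be signed
  [ "$(csr_field "$1" C)" = "$2" ] && [ "$(csr_field "$1" O)" = "$3" ] &&
  [ "$(csr_field "$1" OU)" = "$4" ] && [ -n "$(csr_field "$1" CN)" ]
}
sign_request() {   # $1 = CA dir: steps 6-7; -notext keeps only the PEM block in request.cert
  openssl ca -batch -notext -config "$1/conf/openssl.cnf" \
    -in "$1/requests/request.csr" -out "$1/requests/request.cert" 2>/dev/null
}
cert_serial() {   # $1 = certificate: prints the hex serial, i.e. the certs/ filename stem
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}
verify_server_cert() {   # $1 = CA dir, $2 = certificate: chain and sslserver purpose only
  openssl verify -purpose sslserver -CAfile "$1/public/myPub.pem" "$2" >/dev/null 2>&1
}
revoke_cert() {   # $1 = CA dir, $2 = serial: revokes certs/<serial>.pem, regenerates crl/list.crl
  openssl ca -config "$1/conf/openssl.cnf" -revoke "$1/certs/$2.pem" 2>/dev/null
  openssl ca -config "$1/conf/openssl.cnf" -gencrl -out "$1/crl/list.crl" 2>/dev/null
}
verify_with_crl() {   # as verify_server_cert, but also consults the CRL, so revoked certs fail
  openssl verify -purpose sslserver -crl_check -CAfile "$1/public/myPub.pem" \
    -CRLfile "$1/crl/list.crl" "$2" >/dev/null 2>&1
}
demo() {   # end-to-end run, one line per outcome
  d=$(mktemp -d)
  setup_ca "$d"
  make_request "$d" "/C=US/O=Example Corp/OU=Security Zone/CN=demo.example.test"
  csr="$d/requests/request.csr"
  review_request "$csr" US "Example Corp" "Security Zone" && echo "review: ok, CN=$(csr_field "$csr" CN)"
  review_request "$csr" US "Example Corp" "Other Unit" || echo "review: OU mismatch, would be refused"
  sign_request "$d"
  verify_server_cert "$d" "$d/requests/request.cert" && echo "verify: valid for sslserver"
  s=$(cert_serial "$d/requests/request.cert")
  revoke_cert "$d" "$s"
  verify_with_crl "$d" "$d/requests/request.cert" || echo "verify with CRL: serial $s is revoked"
  rm -rf "$d"
}
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

Run it with sh; it needs only the openssl command. The only deliberate difference from the page's commands is -notext on the openssl ca call, so that request.cert contains just the PEM block (the page's command also writes the human-readable dump into the same file). The point of verify_with_crl is that `openssl verify` without -crl_check still reports a revoked certificate as valid: revocation only takes effect for clients that actually fetch and check the CRL.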

Your CA's certificate and your servers' certificates should be distributed to those who trust you so they can deploy them in their client software (web browsers, FTP clients, email clients, etc.). The CRL should also be published; note that a CRL carries a nextUpdate time, so it must be regenerated and republished before it expires, not only when you revoke a certificate.