
Tech Blog - Here is a simple howto on creating your own CA (Certificate Authority) under CentOS 5. It should also work on other Linux distributions if you adjust the paths where the commands and configuration files are found. It covers creating a certificate authority with OpenSSL and setting up a secure website using Apache with the mod_ssl module.
For CentOS 5 you will need OpenSSL, Apache with the mod_ssl module, and the OpenSSL Perl tools (openssl-perl). You can easily search for these packages with the yum tool (yum search). Make sure that mod_ssl is loaded in httpd.conf.
Now let's begin with the howto.
If you have all of the above installed on CentOS 5, the paths to the configuration files below will work for you.
Apache SSL configuration file - /etc/httpd/conf.d/ssl.conf
OpenSSL configuration file - /etc/pki/ssl.conf
CA.pl - OpenSSL Perl script tools - /etc/pki/tls/misc
Creating a new Certificate Authority
$ ./CA.pl -newca
Press Enter to create, then enter a difficult passphrase; do not forget this passphrase. Fill in your details and provide a sensible name for the CA.
Common Name (eg, YOUR name) []: review-ninja.com
This creates a new CA certificate in the directory /etc/pki/CA. The CA's self-signed certificate is stored in /etc/pki/CA/cacert.pem and its private key in /etc/pki/CA/private/cakey.pem. Make sure to secure these files: anyone who can read cakey.pem can issue certificates that your server and clients will trust.
Certificate Request
Now you need a server certificate signed by your own CA. First, generate a certificate request. Fill in the details and make sure the "Common Name" is the hostname of the website.
$ ./CA.pl -newreq
Provide a passphrase for the server certificate.
Common Name (eg, name) []: www.hostname.com
The certificate request is in newreq.pem.
Now sign the request as the root CA:
$ ./CA.pl -sign
Enter the passphrase for the root CA, then the passphrase for the server certificate. The server certificate is placed in newcert.pem; the private key is saved in newkey.pem.
Make sure the private key is never world readable. Secure the PEM files, including newreq.pem, for later use and keep them private.
$ chmod 0400 newkey.pem
Adding the Certificate to your Apache ssl.conf
Look for the following lines in /etc/httpd/conf.d/ssl.conf and point them at your files:
SSLCertificateFile /pathto/newcert.pem
SSLCertificateKeyFile /pathto/newkey.pem
SSLCACertificateFile /pathto/cacert.pem
Make sure to uncomment the following lines as well:
SSLVerifyClient require
SSLVerifyDepth 10
With SSLVerifyClient require, a browser that does not present a certificate issued by this CA will be refused, which is why the next section creates a client certificate. Then restart Apache with /etc/init.d/httpd restart; it will ask you to enter the passphrase you used for the CA.
Creating a Client Certificate
You can create a new newreq.pem and newkey.pem, or just use the ones generated above. Now combine newcert.pem and newkey.pem and convert them into PKCS#12 format, which can be imported into your browser.
$ cat newcert.pem newkey.pem >> signing.pem
$ openssl pkcs12 -in signing.pem -out signing.p12 -clcerts -keysig -export
Enter the passphrase, then enter a password for the export. When importing the .p12 file into your browser you will be asked for it again.
You should now see a file named signing.p12; download it to your desktop and import it into your browser, and that's it.
If you want to generate certificates for many individuals, or script the process, you can pass the passphrases on the command line:
$ openssl pkcs12 -passin pass:yourpassphrase -in signing.pem -passout pass:yourexportpassword -out signing.p12 -clcerts -keysig -export
Note that a pass: argument is visible to other users in the process list and ends up in your shell history; OpenSSL also accepts file: and env: sources for the same options, which are safer in a script.
Below are some howtos on troubleshooting
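The whole procedure above (CA creation, server request and signing, key permissions, client PKCS#12 export) can be exercised non-interactively with plain openssl commands instead of CA.pl. The script below is an added example written for this page, not the howto's own commands or CA.pl's internals; it works in a scratch directory so nothing under /etc/pki is touched, and the CA name, host names, file names and the three passphrases are made up. It also makes explicit what CA.pl hides: the CA certificate carries CA:TRUE and keyCertSign, the leaf certificates carry CA:FALSE with serverAuth or clientAuth, and a chain check confirms that the server certificate validates only against the real CA.

```shell
#!/bin/sh
# Added example, not from the howto: the same workflow (CA, server request,
# signing, key permissions, client PKCS#12) with plain openssl commands instead
# of CA.pl, in a scratch directory so /etc/pki is untouched. Names, file names
# and the three passphrases are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="demo-ca-passphrase"        # placeholder: passphrase of the CA key
KEY_PASS="demo-key-passphrase"      # placeholder: passphrase of server/client keys
EXPORT_PASS="demo-export-password"  # placeholder: PKCS#12 export password

# Minimal OpenSSL config holding the extensions that separate a CA certificate
# (CA:TRUE, keyCertSign) from leaf certificates (CA:FALSE, serverAuth/clientAuth).
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.hostname.com
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Like "CA.pl -newca": self-signed CA certificate, encrypted key, owner-read-only.
make_ca() {
    write_config
    rm -f "$WORK/cakey.pem"   # an existing 0400 key cannot be overwritten in place
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -subj "/CN=review-ninja.com demo CA" -passout "pass:$CA_PASS" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
    chmod 0400 "$WORK/cakey.pem"
}

# Like "CA.pl -newreq" then "CA.pl -sign": request for the given Common Name,
# signed by the CA with the named extension section applied.
issue_cert() {
    name="$1"; cn="$2"; ext="$3"
    rm -f "$WORK/$name.key"
    openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/openssl.cnf" \
        -subj "/CN=$cn" -passout "pass:$KEY_PASS" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    chmod 0400 "$WORK/$name.key"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -passin "pass:$CA_PASS" -extfile "$WORK/openssl.cnf" -extensions "$ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Chain check: does the certificate ($2) validate against the trust anchor ($1)?
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only when the key file is exactly mode 0400, as the howto requires.
key_is_private() {
    [ -n "$(find "$1" -perm 0400 2>/dev/null)" ]
}

# Like the howto's "cat ... signing.pem; openssl pkcs12 -export": bundle cert and
# key for browser import. ">" rather than ">>" so stale material is never appended.
export_p12() {
    cat "$WORK/$1.pem" "$WORK/$1.key" > "$WORK/$1-signing.pem"
    openssl pkcs12 -export -clcerts -in "$WORK/$1-signing.pem" \
        -passin "pass:$KEY_PASS" -passout "pass:$EXPORT_PASS" -out "$WORK/$1.p12"
}

# Read the certificate back out of the bundle (export password needed) and print
# its subject, which is what the browser shows after import.
p12_subject() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$EXPORT_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

demo() {
    make_ca
    issue_cert server www.hostname.com server_ext
    issue_cert client alice client_ext
    verify_against "$WORK/cacert.pem" "$WORK/server.pem"
    echo "server.pem chains to cacert.pem"
    export_p12 client
    p12_subject client
    echo "files are in $WORK"
}

demo
```

Running it prints the subject read back from client.p12 and the scratch directory holding cacert.pem, cakey.pem, server.pem, server.key and client.p12. The passphrases are passed with pass: only because this is a demo; in a real script prefer file: or env: sources so they do not appear in the process list.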