Makefile-based PKI Management
Using a couple of seed files, you can easily get started managing your own PKI for your network. You need to have OpenSSL and Make installed on the system you are working with.
First, pick a directory to store your certificates in. I am going to use /etc/pki/example.com, since this is where all the other system SSL material is stored and, for the SELinux folks, it already carries the right file contexts. cd into that directory and create the Makefile:
This gives us two actions (targets): Issue and Revoke. Issue creates a new host certificate signed by your CA. Revoke marks an already-issued certificate as revoked in the CA database. It is mainly used for renewal, since you need to revoke the old certificate and then issue a new one.
Next we will need a configuration directory and some basic files:
This will generate a CA certificate based on your settings file and will last for 5 years, after which you will need to renew it.
Enter a certificate password when prompted. You do not need to specify a Common Name (CN) as asked later in the process. Ensure that the other field defaults are correct, as they came from your openssl.cnf file and are needed to match in other certificates.
```
[root@gmcsrvx1 config]# openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout CA/example-ca.key -out CA/example-ca.crt -days 1825
Generating a 2048 bit RSA private key
..................................................................................................+++
writing new private key to 'CA/example-ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [Example Corp]:
Organizational Unit Name (department, division) [System Engineering]:
Email [root@example.com]:
Locality Name (city) [Rochester]:
State or Province Name (full name) [New York]:
Country Name (2 letter code) [US]:
Common Name (full hostname) []:
[root@gmcsrvx1 config]#
```
Unfortunately this process leaves the CA private key file world-readable. This is extremely bad; fix it so that only root can read the key (the same chmod go= the Makefile applies to host keys). Also ensure that the CA certificate, the public half, stays readable by all. It is supposed to be.
Now back up one directory (back to the working directory you started at). I usually make a symlink to the CA public key here so you can easily reference it.
You can now issue SSL certificates by typing make DEST=hostname where hostname is the name of the server you are going to issue to.
```
[root@gmcsrvx1 example.com]# make DEST=gmcsrvx1
mkdir -p gmcsrvx1
openssl req -new -nodes -out gmcsrvx1/req.pem -config config/openssl.cnf
Generating a 2048 bit RSA private key
..............................................+++
......................................+++
writing new private key to 'host-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [Example Corp]:
Organizational Unit Name (department, division) [System Engineering]:
Email [root@example.com]:
Locality Name (city) [Rochester]:
State or Province Name (full name) [New York]:
Country Name (2 letter code) [US]:
Common Name (full hostname) []:gmcsrvx1.example.com
mv host-key.pem gmcsrvx1/
openssl ca -out gmcsrvx1/host-cert.pem -config config/openssl.cnf -infiles gmcsr
Using configuration from config/openssl.cnf
Enter pass phrase for /etc/pki/example.com/config/CA/example-ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName :PRINTABLE:'Example Corp'
organizationalUnitName:PRINTABLE:'System Engineering'
localityName :PRINTABLE:'Rochester'
stateOrProvinceName :PRINTABLE:'New York'
countryName :PRINTABLE:'US'
commonName :PRINTABLE:'gmcsrvx1.example.com'
Certificate is to be certified until May 1 18:12:03 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
if [ gmcsrvx1 = mail -o gmcsrvx1 = mail/ ]; then cp gmcsrvx1/host-cert.pem gmcsr.pem; fi
chmod go= gmcsrvx1/host-key.pem
if [ -e gmcsrvx1/host-combined.pem ]; then chmod go= gmcsrvx1/host-combined.pem;
[root@gmcsrvx1 example.com]#
```
If you look in the directory it made for you (the hostname you specified) you will find the private and public keys for the server.
```
[root@gmcsrvx1 example.com]# ls -l gmcsrvx1/
total 12
-rw-r--r--. 1 root root 3997 May 1 14:12 host-cert.pem
-rw-------. 1 root root 1704 May 1 14:12 host-key.pem
-rw-r--r--. 1 root root 1171 May 1 14:12 req.pem
```
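The listing above shows the Makefile tightening the host key, while the CA key from the earlier step is left for you to fix by hand. The script below is an added example (not the post's Makefile or Archive files): it audits a PKI directory for any PEM private key that group or others can read and applies the same chmod go= remedy, leaving certificates world-readable. The directory layout and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post's Makefile: audit a PKI
# directory (e.g. /etc/pki/example.com, an assumed layout) for private keys
# that group or others can read, then tighten them. Files are classified by
# their PEM content rather than by name, so CA keys, host keys and combined
# key+cert bundles are all caught wherever they ended up.

# List candidate PEM files under $1, one path per line.
pem_files() {
    find "$1" -type f \( -name '*.pem' -o -name '*.key' -o -name '*.crt' \)
}

# Print every private key whose group/other bits are not fully cleared.
# Returns 0 when none are found, 1 otherwise (so it works as a check).
audit_private_keys() {
    found=0
    while IFS= read -r f; do
        [ -n "$f" ] && grep -q 'PRIVATE KEY' "$f" || continue
        # Characters 5-10 of "ls -l" output are the group and other bits.
        go=$(ls -ld "$f" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "group/world-readable private key: $f ($go)"
            found=1
        fi
    done <<EOF
$(pem_files "$1")
EOF
    return $found
}

# Apply the post's own remedy: "chmod go=" on anything holding a private
# key, and keep certificates (the public half) readable by everyone.
lock_down_pki_dir() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            chmod u=rw,go= "$f"
        elif grep -q 'CERTIFICATE' "$f"; then
            chmod u=rw,go=r "$f"
        fi
    done <<EOF
$(pem_files "$1")
EOF
}
```

Running the Makefile under umask 077 stops openssl req from creating the key world-readable in the first place; the script catches whatever is already on disk.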
You can revoke this certificate using the makefile as well:
```
[root@gmcsrvx1 example.com]# make revoke SOURCE=gmcsrvx1
openssl ca -config config/openssl.cnf -revoke gmcsrvx1/host-cert.pem
Using configuration from config/openssl.cnf
Enter pass phrase for /etc/pki/example.com/config/CA/example-ca.key:
Revoking Certificate 01.
Data Base Updated
[root@gmcsrvx1 example.com]#
```
There you go, yet another useful service to have around for dealing with your network. Raw files used above are available in the Archive. Now back to Webauth with me…