Thursday, March 7, 2024

RHEL/Rocky Linux create root CA server

 

Introduction

This document describes how to configure a custom certificate authority (CA) with OpenSSL on a RHEL/Rocky Linux system.

 

Prerequisites

 

Requirements

It is recommended that you have knowledge of these topics:

  • Digital signatures and digital certificates
  • Certificate issuance process by Certificate Authority (CA) organization

Components Used

The information in this document is based on these software and hardware versions:

  • Red Hat Enterprise Linux 9.3 (Plow)
  • openssl.x86_64                 1:3.0.7-24.el9

Configuration


    Step 1. Create Folder


    [root@ns1 pki]#  mkdir -p /etc/pki/CA/private

    Step 2. Create private key


    [root@ns1 CA]# openssl genrsa -aes256 -out /etc/pki/CA/private/cakey.pem 2048
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    [root@ns1 CA]# 

    Step 3. Create root CA certificate


    [root@ns1 CA]#  openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3660
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:San Francisco
    Organization Name (eg, company) [Default Company Ltd]:google Systems, Inc.
    Organizational Unit Name (eg, section) []:Technical Assistance Center          
    Common Name (eg, your name or your server's hostname) []:ca.gc.google.com
    Email Address []:
    [root@ns1 CA]# 
    [root@ns1 CA]# ls
    cacert.pem  private
    [root@ns1 CA]# 

    Step 4. Create index and serial


    [root@ns1 CA]# touch /etc/pki/CA/index.txt
    [root@ns1 CA]# echo 01 > /etc/pki/CA/serial
    [root@ns1 CA]# mkdir  /etc/pki/CA/newcerts
    [root@ns1 CA]# echo 01 > /etc/pki/CA/crlnumber

    Step 5. Modify openssl config

    The default policy_match requires the country, state and organization of every request to match the CA certificate; policy_anything makes all DN fields optional except the common name, so requests with a different organization can be signed.

    [root@ns1 CA]# vim /etc/pki/tls/openssl.cnf
    #policy          = policy_match
    policy          = policy_anything

    Step 6. Add extension file


    [root@localhost ~]# cat https.ext 
    subjectAltName=@SubjectAlternativeName
    [ SubjectAlternativeName ]
    DNS.1 = dlc-aci06-apic1.google.com
    DNS.2 = dlc-aci06-apic2.google.com
    DNS.3 = dlc-aci06-apic3.google.com
    [root@localhost ~]# 

    Step 7. Certificate issuance process

    Sign the server's certificate request (test.csr) with the CA. The extension file is passed with -extfile; openssl ca has no -ext option.

    [root@ns1 ~]# openssl ca -in test.csr -out test.crt -extfile https.ext
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar  7 08:30:04 2024 GMT
                Not After : Mar  7 08:30:04 2025 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = CA
                organizationName          = google Team
                organizationalUnitName    = TAC
                commonName                = dlc-aci06-apic1.google.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Subject Key Identifier: 
                    79:5B:DD:03:BA:B1:D3:DC:DE:A5:CC:2C:1E:97:9C:D4:B4:03:7F:80
                X509v3 Authority Key Identifier: 
                    51:C7:28:92:57:8E:81:4A:81:04:6E:84:33:2A:81:95:06:B0:0A:83
    Certificate is to be certified until Mar  7 08:30:04 2025 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@ns1 ~]# 


    Step 8. Revoke the certificate

    [root@ns1 ~]# openssl ca -revoke test.crt 
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Revoking Certificate 01.
    Data Base Updated
    [root@ns1 ~]# 

    Step 9. Generate and inspect the CRL

    [root@ns1 ~]# cat /etc/pki/CA/index.txt
    R       250307083004Z   240307083510Z   01      unknown /C=US/ST=CA/O=Cisco ACI Team/OU=TAC/CN=dlc-aci06-apic1.cisco.com
    [root@ns1 ~]# 
    [root@ns1 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:     
    [root@ns1 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", OU = Technical Assistance Center, CN = ca.gc.cisco.com
            Last Update: Mar  7 08:36:58 2024 GMT
            Next Update: Apr  6 08:36:58 2024 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Mar  7 08:35:10 2024 GMT
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            36:8c:3c:e1:78:c9:57:17:40:bf:e9:3a:9d:2a:5b:2b:e2:6a:
            9d:e9:0a:7e:3a:47:22:45:4d:01:70:44:ca:56:c5:f5:14:f6:
            c3:67:33:ab:ab:e9:80:e4:0d:59:cd:1c:bb:d6:ef:a5:10:79:
            04:2b:10:43:db:cf:c4:8e:b8:38:56:09:29:c4:3b:17:bc:99:
            4b:a6:ad:1a:4d:d3:7b:1f:7e:57:79:a0:fc:c5:bb:11:01:b2:
            89:70:37:21:31:57:1a:95:a8:6f:ec:83:d0:f9:4a:b6:4b:c6:
            68:81:7e:a1:7a:f5:0e:e7:69:04:04:3e:86:40:75:28:be:71:
            39:08:95:e0:5b:2a:80:20:3b:30:ba:cf:5e:0c:0d:9c:31:22:
            88:31:56:94:a7:44:c2:91:cc:ec:3e:24:3b:e1:0f:12:1d:f7:
            d5:b8:e3:83:ce:13:54:9c:f0:45:8f:c8:b7:9e:f8:e1:73:f4:
            b2:ff:87:cf:39:3e:b9:2f:48:09:a2:d6:c8:76:3d:2b:20:bc:
            15:1f:2c:52:07:41:5b:44:34:d2:b5:e0:aa:17:46:c3:a8:34:
            8f:be:78:05:c1:ef:ee:d3:b6:92:df:bb:dd:25:95:d1:c3:91:
            18:78:e0:55:ae:62:ab:c2:45:d7:29:a0:38:9b:90:0e:63:c5:
            19:24:f2:83
    [root@ns1 ~]#
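The following script is an added example and not part of the original post: it runs Steps 1 to 9 above non-interactively against a throwaway CA in a temporary directory, so the whole flow (key, root certificate, database files, SAN extension file, issuance, revocation, CRL) can be exercised without touching /etc/pki. The directory under $CA_DIR, the example.test host names and the demo passphrase are constructed for this example; it writes its own openssl.cnf with policy_anything instead of editing the system-wide file. Two points the post's transcript does not show are made explicit: when -extfile is given, openssl ca takes the extensions from that file instead of the config's x509_extensions section (so basicConstraints = CA:FALSE goes into the file), and a revocation only takes effect for a client that actually checks the CRL, which openssl verify does only with -crl_check.

```shell
#!/bin/sh
# Added example, not from the original post: the post's Steps 1-9 as a
# non-interactive script against a throwaway CA in a temporary directory.
# $CA_DIR, the example.test host names and the passphrase are constructed
# for this demo; the post uses /etc/pki/CA and /etc/pki/tls/openssl.cnf.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-demo-passphrase}"   # constructed; use a real secret
CNF="$CA_DIR/openssl.cnf"

# Steps 1, 4 and 5: directory layout, database files and a private
# openssl.cnf that already uses policy_anything instead of policy_match.
write_ca_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = ca.example.test
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

setup_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
  write_ca_config
  : > "$CA_DIR/index.txt"          # empty certificate database
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  # Step 2: passphrase-protected CA key (the post is prompted interactively)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/private/cakey.pem" 2048
  # Step 3: self-signed root certificate, 3660 days as in the post
  openssl req -new -x509 -config "$CNF" -key "$CA_DIR/private/cakey.pem" -passin "pass:$CA_PASS" \
    -subj "/C=US/ST=California/O=Example CA/CN=ca.example.test" -days 3660 -out "$CA_DIR/cacert.pem"
}

# Step 6: extension file. With -extfile, openssl ca ignores the config's
# x509_extensions, so the leaf's basicConstraints must be in this file too.
write_san_ext() {
  out="$1"; shift
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = @SubjectAlternativeName\n[ SubjectAlternativeName ]\n' > "$out"
  i=1
  for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h" >> "$out"; i=$((i + 1)); done
}

# Step 7: server key + CSR, then signing.  usage: issue_cert <name> <dns>...
issue_cert() {
  name="$1"; shift
  openssl genrsa -out "$CA_DIR/$name.key" 2048
  openssl req -new -config "$CNF" -key "$CA_DIR/$name.key" -subj "/C=US/O=Example Team/CN=$1" -out "$CA_DIR/$name.csr"
  write_san_ext "$CA_DIR/$name.ext" "$@"
  openssl ca -batch -notext -config "$CNF" -passin "pass:$CA_PASS" \
    -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt" -extfile "$CA_DIR/$name.ext"
}

cert_san() { openssl x509 -in "$CA_DIR/$1.crt" -noout -ext subjectAltName; }
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt"; }

# Step 8 and 9: revoke, then publish a CRL
revoke_cert() { openssl ca -config "$CNF" -passin "pass:$CA_PASS" -revoke "$CA_DIR/$1.crt"; }
gen_crl() { openssl ca -config "$CNF" -passin "pass:$CA_PASS" -gencrl -out "$CA_DIR/crl.pem"; }

# index.txt columns: status (V/R/E), expiry, revocation date, serial, file, DN
index_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"; }

# A revocation only bites for clients that check the CRL: bundle CA cert + CRL
# and verify with -crl_check (exit status is non-zero for a revoked cert).
verify_with_crl() {
  cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/ca-with-crl.pem"
  openssl verify -crl_check -CAfile "$CA_DIR/ca-with-crl.pem" "$CA_DIR/$1.crt"
}

setup_ca
issue_cert apic1 apic1.example.test apic2.example.test apic3.example.test
cert_san apic1
verify_cert apic1
revoke_cert apic1
gen_crl
verify_with_crl apic1 || echo "apic1 rejected after revocation, index status: $(index_status 01)"
```

Run it with `sh` on any host with OpenSSL 1.1.1 or newer; set CA_PASS in the environment rather than editing the script, and remove $CA_DIR afterwards since it holds the demo CA key.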