Introduction
This document describes how to configure a custom Certificate Authority (CA) with OpenSSL on a RHEL/Rocky Linux system, issue a certificate from it, revoke that certificate and publish a Certificate Revocation List (CRL).
Prerequisites
Requirements
It is recommended that you have knowledge of these topics:
- Digital signatures and digital certificates
- Certificate issuance process by Certificate Authority (CA) organization
Components Used
The information in this document is based on these software and hardware versions:
- Red Hat Enterprise Linux 9.3 (Plow)
- openssl.x86_64 1:3.0.7-24.el9
Configuration
Step 1. Create Folder
[root@ns1 pki]# mkdir -p /etc/pki/CA/private
Step 2. Create private key
[root@ns1 CA]# openssl genrsa -aes256 -out /etc/pki/CA/private/cakey.pem 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[root@ns1 CA]#
Step 3. Create root CA certificate
[root@ns1 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3660
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:google Systems, Inc.
Organizational Unit Name (eg, section) []:Technical Assistance Center
Common Name (eg, your name or your server's hostname) []:ca.gc.google.com
Email Address []:
[root@ns1 CA]#
[root@ns1 CA]# ls
cacert.pem private
[root@ns1 CA]#
Step 4. Create the index, serial and CRL number files
These are the CA database and counters that the [ CA_default ] section of /etc/pki/tls/openssl.cnf expects under /etc/pki/CA: index.txt (issued/revoked certificate database), serial (next certificate serial number), newcerts (copies of issued certificates) and crlnumber (next CRL number).
[root@ns1 CA]# touch /etc/pki/CA/index.txt
[root@ns1 CA]# echo 01 > /etc/pki/CA/serial
[root@ns1 CA]# mkdir /etc/pki/CA/newcerts
[root@ns1 CA]# echo 01 > /etc/pki/CA/crlnumber
Step 5. Modify the OpenSSL configuration
[root@ns1 CA]# vim /etc/pki/tls/openssl.cnf
In the [ CA_default ] section, switch the policy from policy_match (which requires the Country, State and Organization of each request to match the CA certificate) to policy_anything:
#policy = policy_match
policy = policy_anything
Step 6. Add the extension file
This file defines a subjectAltName extension with the DNS names the certificate is valid for:
[root@localhost ~]# cat https.ext
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1 = dlc-aci06-apic1.google.com
DNS.2 = dlc-aci06-apic2.google.com
DNS.3 = dlc-aci06-apic3.google.com
[root@localhost ~]#
Step 7. Certificate issuance process
The CA signs a certificate signing request (test.csr) and applies the extension file with -extfile:
[root@ns1 ~]# openssl ca -in test.csr -out test.crt -extfile https.ext
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 7 08:30:04 2024 GMT
Not After : Mar 7 08:30:04 2025 GMT
Subject:
countryName = US
stateOrProvinceName = CA
organizationName = google Team
organizationalUnitName = TAC
commonName = dlc-aci06-apic1.google.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
79:5B:DD:03:BA:B1:D3:DC:DE:A5:CC:2C:1E:97:9C:D4:B4:03:7F:80
X509v3 Authority Key Identifier:
51:C7:28:92:57:8E:81:4A:81:04:6E:84:33:2A:81:95:06:B0:0A:83
Certificate is to be certified until Mar 7 08:30:04 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ns1 ~]#
Step 8. Revoke the certificate
[root@ns1 ~]# openssl ca -revoke test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@ns1 ~]#
Step 9. Check the CA database and generate the CRL
The index.txt entry now starts with R (revoked); the fields are status, expiry date, revocation date, serial number, certificate file name and subject DN.
[root@ns1 ~]# cat /etc/pki/CA/index.txt
R 250307083004Z 240307083510Z 01 unknown /C=US/ST=CA/O=Cisco ACI Team/OU=TAC/CN=dlc-aci06-apic1.cisco.com
[root@ns1 ~]#
[root@ns1 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@ns1 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = San Francisco, O = "Cisco Systems, Inc.", OU = Technical Assistance Center, CN = ca.gc.cisco.com
Last Update: Mar 7 08:36:58 2024 GMT
Next Update: Apr 6 08:36:58 2024 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 7 08:35:10 2024 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
[root@ns1 ~]#
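An added end-to-end check of the procedure above (example code, not commands from this document): it rebuilds Steps 1 to 9 in a throwaway directory with a minimal stand-in for /etc/pki/tls/openssl.cnf, issues a certificate with the subjectAltName extension file passed via -extfile, revokes it, generates the CRL, and confirms that openssl verify accepts the certificate before revocation and rejects it once the CRL is consulted. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the host names, passphrase and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from this document): rebuild Steps 1-9 in a throwaway
# directory and check the outcome with 'openssl verify'. Assumes 'openssl'
# (1.1.1 or 3.x) on PATH; hostnames, passphrase and paths are placeholders.
set -eu
ca_lifecycle_demo() {
  D=$(mktemp -d); export CA_DIR="$D"; PW=pass:demo-ca-passphrase   # constructed
  mkdir -p "$D/private" "$D/newcerts"                               # Steps 1 and 4
  : > "$D/index.txt"; echo 01 > "$D/serial"; echo 01 > "$D/crlnumber"
  cat > "$D/ca.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::CA_DIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'subjectAltName=@SAN\n[ SAN ]\nDNS.1 = apic1.example.test\n' > "$D/https.ext"   # Step 6
  openssl req -new -x509 -newkey rsa:2048 -keyout "$D/private/cakey.pem" -passout "$PW" \
    -config "$D/ca.cnf" -subj "/CN=demo-root-ca" -days 3660 -out "$D/cacert.pem"  # Steps 2-3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/srv.key" -config "$D/ca.cnf" \
    -subj "/CN=apic1.example.test" -out "$D/srv.csr"                              # server CSR
  openssl ca -batch -config "$D/ca.cnf" -passin "$PW" -in "$D/srv.csr" \
    -out "$D/srv.crt" -extfile "$D/https.ext"                                     # Step 7
  openssl x509 -in "$D/srv.crt" -noout -text | grep -q 'DNS:apic1.example.test' || return 1
  openssl verify -CAfile "$D/cacert.pem" "$D/srv.crt" >/dev/null || return 2
  openssl ca -config "$D/ca.cnf" -passin "$PW" -revoke "$D/srv.crt"               # Step 8
  openssl ca -config "$D/ca.cnf" -passin "$PW" -gencrl -out "$D/crl.pem"          # Step 9
  # With the CRL supplied, verification must now fail ("certificate revoked").
  if openssl verify -crl_check -CAfile "$D/cacert.pem" -CRLfile "$D/crl.pem" "$D/srv.crt" >/dev/null 2>&1; then return 3; fi
  rm -rf "$D"; echo "issued, SAN present, revoked via CRL"
}
ca_lifecycle_demo
```

The non-zero return codes distinguish the three failure modes: SAN missing from the issued certificate (1), chain verification failing (2), and a revoked certificate still being accepted (3).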