rootca

Differences

Here you can see the differences between the selected revision and the current document.

rootca [2014/11/19 15:27]
dalius
rootca [2015/02/17 21:25] (current)
dalius
Line 92: Line 92:
  
 After that, all you need to do is close your browser and hit the GUI site again. If you did it right, you’ll see no warning and a nice greenness in your address bar.\\ After that, all you need to do is close your browser and hit the GUI site again. If you did it right, you’ll see no warning and a nice greenness in your address bar.\\
 +
 +**\\
 +How to create an intermediate certificate authority (CA) **\\
 +
 +
 +By Jamie Nguyen — Aug 25, 2013 \\
 +
 +This tutorial is part of a  series on being your own certificate authority, which was written for Fedora but should also work on CentOS/RHEL or any other Linux distribution. \\
 +
 +An intermediate certificate authority (CA) is an intermediary that can sign certificates on behalf of the root CA. A certificate can be signed by the intermediate CA, which itself is signed by the root CA, so a chain of trust is formed. \\
 +
 +Having an intermediate CA makes life more convenient in the event that your key is compromised. Using your root CA, you can revoke your compromised intermediate CA and create another. It also allows you to keep your root CA completely off-line (eg, on an encrypted USB) and you will only have to use your root key to revoke or renew your intermediate certificate. \\
 +
 +If you are  acting as your own CA, you can easily create an intermediate CA. You should have a root key and root certificate inside the /etc/pki/CA directory. Use a completely new directory to hold your intermediate CA and any certificates that you sign with it. In this case, the directory tree is created in /​etc/​pki/​CA/​intermediate:​ \\
 +# cd /​etc/​pki/​CA/​intermediate\\
 +# mkdir certs crl newcerts private\\
 +# chmod 700 private\\
 +# touch index.txt\\
 +# echo 1000 > serial\\
 +
 +
 +A different directory tree is being used, so you must let openssl know about this. First, copy your configuration file to the new directory: \\
 +# cp /​etc/​pki/​tls/​openssl.cnf /​etc/​pki/​CA/​intermediate/​openssl.cnf\\
 +
 +
 +Then ensure dir=/​etc/​pki/​CA/​intermediate is specified within the [ CA_default ] section of your new configuration file. \\
 +
 +Important: Whenever you want to create and sign a certificate with your intermediate CA, you must pass the -config /​etc/​pki/​CA/​intermediate/​openssl.cnf option so that openssl knows which directory holds your intermediate CA. \\
 +
 +Now you can create the intermediate key. Like the root key, this should be kept very secure. \\
 +# cd /​etc/​pki/​CA\\
 +# openssl genrsa -aes256 -out intermediate/​private/​intermediate.key.pem 4096\\
 +
 +Enter pass phrase for intermediate.key.pem:​ secretpassword\\
 +Verifying - Enter pass phrase for intermediate.key.pem:​ secretpassword\\
 +
 +# chmod 400 intermediate/​private/​intermediate.key.pem\\
 +
 +
 +Using the intermediate key, create the intermediate ​ CSR. Make sure the Organizational Name matches the one set for your root CA. You can leave the extra attributes empty. \\
 +
 +Important: The default digest is SHA-1. ​ SHA-1 is considered insecure. Pass the -sha256 option to use a more secure digest. \\
 +# cd /​etc/​pki/​CA\\
 +# openssl req -config intermediate/​openssl.cnf \\\
 +    -sha256 -new -key intermediate/​private/​intermediate.key.pem \
 +    -out intermediate/​certs/​intermediate.csr.pem
 +
 +Enter pass phrase for intermediate.key.pem:​ secretpassword\\
 +You are about to be asked to enter information that will be incorporated\\
 +into your certificate request.\\
 +-----
 +Country Name (2 letter code) [XX]:GB\\
 +State or Province Name (full name) []:London\\
 +Locality Name (eg, city) [Default City]:​London\\
 +Organization Name (eg, company) [Default Company Ltd]:Alice CA\\
 +Organizational Unit Name (eg, section) []:​Intermediate Certificate Authority\\
 +Common Name (eg, your name or your server'​s hostname) []:Alice CA\\
 +Email Address []:​alice@example.com\\
 +
 +Please enter the following '​extra'​ attributes\\
 +to be sent with your certificate request\\
 +A challenge password []:\\
 +An optional company name []:\\
 +
 +
 +You can now sign your intermediate CSR with your root CA to issue an intermediate certificate. Use the v3_ca extension as this is a CA certificate. \\
 +
 +NB: Note that you can avoid having to specify -keyfile and -cert options by changing the private_key and certificate options in the [ CA_default ] section of your openssl configuration. \\
 +# cd /​etc/​pki/​CA\\
 +# openssl ca \\\
 +    -keyfile private/​ca.key.pem \
 +    -cert certs/​ca.cert.pem \
 +    -extensions v3_ca -notext -md sha256 \
 +    -in intermediate/​certs/​intermediate.csr.pem \
 +    -out intermediate/​certs/​intermediate.cert.pem
 +# chmod 444 intermediate/​certs/​intermediate.cert.pem\\
 +
 +
 +To verify that your intermediate certificate is valid, run the following: \\
 +# openssl verify -CAfile /​etc/​pki/​CA/​certs/​ca.cert.pem \\\
 +  /​etc/​pki/​CA/​intermediate/​certs/​intermediate.cert.pem\\
 +
 +/​etc/​pki/​CA/​intermediate/​certs/​intermediate.cert.pem:​ OK\\
 +
 +
 +When an Internet browser or any other application tries to verify a certificate signed by your intermediate CA, it will also need to verify the intermediate certificate against the root certificate. To do this, it will need a certificate chain file. This is created by simply concatenating your intermediate certificate and root certificate together: \\
 +# cd /​etc/​pki/​CA\\
 +# cat intermediate/​certs/​intermediate.cert.pem \\\
 +  certs/​ca.cert.pem > intermediate/​certs/​ca-chain.cert.pem\\
 +# chmod 444 intermediate/​certs/​ca-chain.cert.pem\\
 +
 +
 +At this point you are ready to issue and sign certificates using your intermediate CA. To verify that certificates signed by your intermediate CA are valid, you must test them against the certificate chain file: \\
 +# openssl verify -CAfile /​etc/​pki/​CA/​intermediate/​certs/​ca-chain.cert.pem \\\
 +  /​etc/​pki/​CA/​intermediate/​certs/​www.example.com.cert.pem\\
 +
 +/​etc/​pki/​CA/​intermediate/​certs/​www.example.com.cert.pem:​ OK\\
 +
 +
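Review bot: the setup block that starts with `# cd /etc/pki/CA/intermediate` never creates that directory, although the sentence before it says the tree "is created in /etc/pki/CA/intermediate"; on a host that only has the root CA under /etc/pki/CA the `cd` fails, and the following `# mkdir certs crl newcerts private`, `# touch index.txt` and `# echo 1000 > serial` then land in whatever directory the shell happened to be in, so the intermediate CA database ends up in the wrong place. Add `# mkdir /etc/pki/CA/intermediate` (or `mkdir -p`) immediately before the `cd`. A smaller point on the signing step: the intermediate is issued with `-extensions v3_ca` and nothing in the hunk inspects the result, so a line such as `# openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem` after the `chmod 444` would let the reader confirm that Basic Constraints shows `CA:TRUE`, and a dedicated extensions section with `pathlen:0` would keep the intermediate from issuing further CA certificates.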
rootca.1416403630.txt.gz · Last modified: 2014/11/19 15:27 by dalius