In cryptography, a certificate authority (CA) is a trusted entity responsible for issuing and revoking the digital certificates used in electronic signatures and TLS, which rely on public-key cryptography. Legally it is a particular case of a Certification Service Provider.
Create the certificate authority
Generate the key:
# openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048
(The options must come before the bit length; with `2048 -des3` openssl rejects the extra argument. `-des3` encrypts the key with a passphrase that you will be asked for now and every time the CA signs something; `-aes256` is the stronger choice on current OpenSSL versions.)
Restrict the permissions on the key so only root can read it:
# chmod 0400 /etc/ssl/private/rootCA.key
Create the self-signed CA certificate, reusing the key generated above (note `-key`, not `-keyout`: `-keyout` would generate a fresh key and overwrite rootCA.key):
# openssl req -new -x509 -key /etc/ssl/private/rootCA.key -out /etc/ssl/certs/cacert.pem -days 3650
Enter pass phrase for /etc/ssl/private/rootCA.key:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Provincia
Locality Name (eg, city) []:Ciudad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OperativosLinux
Organizational Unit Name (eg, section) []:Linux
Common Name (e.g. server FQDN or YOUR name) []:blog.operativoslinux
Email Address []:
Give the CA a Common Name that identifies it as a CA (for example "OperativosLinux Root CA") rather than the hostname of a server; a leaf certificate whose subject is identical to its issuer's confuses chain building in some clients.
Create the index.txt file:
# touch /etc/ssl/index.txt
Create the serial file with the value 01:
# echo '01' > /etc/ssl/serial
These two files are the database and serial counter used by `openssl ca`. The signing command at the end of this post uses `openssl x509 -req -CAcreateserial` instead, which keeps its own serial in /etc/ssl/certs/cacert.srl and never touches index.txt or serial, so this step is only needed if you later switch to `openssl ca` (which also gives you revocation and CRL generation).
Create certificates for devices
Create the key for the certificate (no passphrase, so the service can load it at boot; protect it with chmod 0400 like the CA key):
# openssl genrsa -out /etc/ssl/private/dispositivo.key 2048
Create the certificate signing request (CSR); the Common Name must be the FQDN the clients will connect to:
# openssl req -new -key /etc/ssl/private/dispositivo.key -out /etc/ssl/certs/dispositivo.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:provincia
Locality Name (eg, city) []:ciudad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OperativosLinux
Organizational Unit Name (eg, section) []:Linux
Common Name (e.g. server FQDN or YOUR name) []:blog.operativoslinux
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the CSR with our own CA:
# openssl x509 -req -in /etc/ssl/certs/dispositivo.csr -CA /etc/ssl/certs/cacert.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/device.crt -days 500
Caveat: invoked like this, `openssl x509 -req` copies nothing from the CSR except the subject and public key, so the issued certificate carries no extensions at all: no subjectAltName, no basicConstraints CA:FALSE, no keyUsage. Browsers have ignored the Common Name for hostname matching for years and require a subjectAltName, so add `-extfile` with at least `subjectAltName = DNS:blog.operativoslinux` and `basicConstraints = CA:FALSE` if the certificate is going to be used for TLS.
Signature ok
subject=/C=ES/ST=provincia/L=ciudad/O=OperativosLinux/OU=Linux/CN=blog.operativoslinux
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/rootCA.key:
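The whole procedure above, collected into one script as an added example (this is not the blog's own script). It builds a throwaway CA in a temporary directory instead of /etc/ssl, writes its own minimal OpenSSL config so the result does not depend on the system openssl.cnf, signs the device CSR with an extension file that supplies the subjectAltName, CA:FALSE and key usage that the bare `x509 -req` above leaves out, and then verifies the chain and hostname the way a TLS client would. The directory layout, the subject names, the hostname blog.operativoslinux and the decision to leave the root key unencrypted (so it runs unattended) are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not the blog's own script): throwaway root CA plus one
# server certificate with proper extensions, verified with openssl verify.
# Assumptions: temp-dir layout, demo subject names, hostname
# blog.operativoslinux, and an unencrypted root key (add -aes256 to genrsa
# for a real CA).
set -eu

# Create the CA: private key, then a self-signed root explicitly marked
# CA:TRUE and restricted to certificate/CRL signing.
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir/private" "$ca_dir/certs"
  chmod 0700 "$ca_dir/private"
  openssl genrsa -out "$ca_dir/private/rootCA.key" 2048 2>/dev/null
  chmod 0400 "$ca_dir/private/rootCA.key"
  # Self-contained config: req insists on a distinguished_name section even
  # when the subject comes from -subj, so an empty [dn] section is enough.
  cat > "$ca_dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
  openssl req -new -x509 -sha256 -days 3650 -config "$ca_dir/ca.cnf" \
    -key "$ca_dir/private/rootCA.key" \
    -subj "/C=ES/O=OperativosLinux/CN=OperativosLinux Root CA" \
    -out "$ca_dir/certs/cacert.pem"
}

# Issue an end-entity certificate: key, CSR, then signing with an extension
# file carrying what `openssl x509 -req` omits unless told otherwise.
issue_cert() {
  ca_dir="$1"; cert_name="$2"; cert_fqdn="$3"
  openssl genrsa -out "$ca_dir/private/$cert_name.key" 2048 2>/dev/null
  chmod 0400 "$ca_dir/private/$cert_name.key"
  openssl req -new -sha256 -config "$ca_dir/ca.cnf" \
    -key "$ca_dir/private/$cert_name.key" \
    -subj "/C=ES/O=OperativosLinux/CN=$cert_fqdn" \
    -out "$ca_dir/certs/$cert_name.csr"
  cat > "$ca_dir/$cert_name.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$cert_fqdn
EOF
  # -CAcreateserial keeps the serial counter in certs/cacert.srl.
  openssl x509 -req -sha256 -days 500 \
    -in "$ca_dir/certs/$cert_name.csr" \
    -CA "$ca_dir/certs/cacert.pem" -CAkey "$ca_dir/private/rootCA.key" \
    -CAcreateserial -extfile "$ca_dir/$cert_name.ext" \
    -out "$ca_dir/certs/$cert_name.crt" 2>/dev/null
}

# What a TLS client checks: chain builds to the root, the leaf is usable as a
# server certificate, and the hostname matches the SAN. Non-zero on failure.
verify_chain() {
  ca_dir="$1"; cert_name="$2"; cert_fqdn="$3"
  openssl verify -CAfile "$ca_dir/certs/cacert.pem" -purpose sslserver \
    -verify_hostname "$cert_fqdn" "$ca_dir/certs/$cert_name.crt" >/dev/null
}

# Prints how many DNS SAN entries for the hostname the certificate carries.
has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -c "DNS:$2" || true
}

PKI_DIR=$(mktemp -d)
make_ca "$PKI_DIR"
issue_cert "$PKI_DIR" dispositivo blog.operativoslinux
verify_chain "$PKI_DIR" dispositivo blog.operativoslinux
echo "chain and hostname verified; files under $PKI_DIR"
echo "DNS SAN entries for blog.operativoslinux: $(has_dns_san "$PKI_DIR/certs/dispositivo.crt" blog.operativoslinux)"
```

Running it prints the temp directory where cacert.pem, cacert.srl, dispositivo.csr and dispositivo.crt end up; `openssl x509 -in "$PKI_DIR/certs/dispositivo.crt" -noout -text` shows the X509v3 extensions that the bare `x509 -req` from the post does not produce. Swap the `-subj` flags for the interactive prompts and the temp dir for /etc/ssl to get back to the post's layout.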
Thanks...