Creating your own CA and certificates on Linux with OpenSSL

In cryptography, a certificate authority (CA) is a trusted entity responsible for issuing and revoking the digital certificates used in electronic signatures, which rely on public-key cryptography. Legally it is a particular case of a Certification Service Provider.

Creating the certificate authority

Generate the key (genrsa takes the key size as its last argument, so the cipher option goes before it):
  # openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048

Restrict the permissions on the key:
  # chmod 0400 /etc/ssl/private/rootCA.key

Create the CA certificate. -key reuses the key generated above; with -keyout and no -key, req would generate and write a new key instead:
  # openssl req -new -x509 -key /etc/ssl/private/rootCA.key -out /etc/ssl/certs/cacert.pem -days 3650
Enter pass phrase for /etc/ssl/private/rootCA.key:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Provincia
Locality Name (eg, city) []:Ciudad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OperativosLinux
Organizational Unit Name (eg, section) []:Linux
Common Name (e.g. server FQDN or YOUR name) []:blog.operativoslinux
Email Address []:

Create the index.txt file:
  # touch /etc/ssl/index.txt

Create the serial file with the value 01:
  # echo '01' > /etc/ssl/serial

Both files are only consulted by openssl ca; the openssl x509 -req -CAcreateserial command used below keeps its own serial file next to the CA certificate instead.

Creating certificates for devices

Create the key for the certificate:
  # openssl genrsa -out /etc/ssl/private/dispositivo.key 2048

Create the certificate signing request (CSR):
  # openssl req -new -key /etc/ssl/private/dispositivo.key -out /etc/ssl/certs/dispositivo.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:provincia
Locality Name (eg, city) []:ciudad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OperativosLinux
Organizational Unit Name (eg, section) []:Linux
Common Name (e.g. server FQDN or YOUR name) []:blog.operativoslinux
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the CSR with your own CA. -CAcreateserial creates /etc/ssl/certs/cacert.srl on first use; note that without -extfile the signed certificate carries no subjectAltName, which current browsers require in place of the Common Name:
  # openssl x509 -req -in /etc/ssl/certs/dispositivo.csr -CA /etc/ssl/certs/cacert.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/device.crt -days 500
Signature ok
subject=/C=ES/ST=provincia/L=ciudad/O=OperativosLinux/OU=Linux/CN=blog.operativoslinux
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/rootCA.key:
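The whole flow above, as an added example that is not part of the original post: it runs non-interactively in a scratch directory instead of /etc/ssl, adds the CA and subjectAltName extensions the interactive commands leave out, and checks the result with openssl verify. Directory layout, subjects, the hostname and the unencrypted keys are assumptions of this example only.

```shell
#!/bin/sh
# Constructed example: CA + device certificate, then chain and hostname verification.
# Keys are left unencrypted to stay non-interactive; a real CA key should be
# passphrase-protected as in the post (-des3).
set -eu

make_ca_and_device_cert() {
    work="$1"; host="$2"
    # Extensions: mark the CA certificate as a CA and give the device certificate
    # a subjectAltName, which TLS clients match instead of the Common Name.
    cat > "$work/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_device]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key (read-only) and self-signed CA certificate
    openssl genrsa -out "$work/rootCA.key" 2048 2>/dev/null
    chmod 0400 "$work/rootCA.key"
    openssl req -new -x509 -key "$work/rootCA.key" -out "$work/cacert.pem" -days 3650 \
        -config "$work/openssl.cnf" -extensions v3_ca \
        -subj "/C=ES/O=OperativosLinux/CN=OperativosLinux Root CA"
    # 2. Device key and CSR
    openssl genrsa -out "$work/dispositivo.key" 2048 2>/dev/null
    openssl req -new -key "$work/dispositivo.key" -out "$work/dispositivo.csr" \
        -config "$work/openssl.cnf" -subj "/C=ES/O=OperativosLinux/CN=$host"
    # 3. Sign the CSR with the CA; -CAcreateserial writes cacert.srl beside cacert.pem
    openssl x509 -req -in "$work/dispositivo.csr" -CA "$work/cacert.pem" \
        -CAkey "$work/rootCA.key" -CAcreateserial -days 500 \
        -extfile "$work/openssl.cnf" -extensions v3_device -out "$work/device.crt" 2>/dev/null
}

# Returns 0 only if device.crt chains to cacert.pem AND its SAN matches the hostname.
verify_device_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/device.crt" >/dev/null
}

WORK=$(mktemp -d)
make_ca_and_device_cert "$WORK" blog.operativoslinux
verify_device_cert "$WORK" blog.operativoslinux && echo "device.crt verifies against cacert.pem in $WORK"
```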
