SSL Certs

Any CA should live in /opt/CA on the head server it authenticates for.

To create a CA, run the following as root:

  # 1) Create the directory structure
  mkdir -p /opt/CA/{certs,crl,newcerts,private,reqs}
  # 2) Initialize the CA database (serial and index live in /opt/CA, not the current directory)
  echo "01" > /opt/CA/serial
  touch /opt/CA/index.txt
  # 3) Point the default CA section at /opt/CA; edit in place, since redirecting sed's
  #    output back onto its own input file truncates the file before sed reads it
  sed -i 's|\./demoCA|/opt/CA|' /etc/ssl/openssl.cnf
  # 4) Make the CA signing certificate; the paths match the ca section's private_key
  #    and certificate settings, and -days avoids the 30-day default for a CA cert
  openssl req -new -x509 -days 3650 -keyout /opt/CA/private/cakey.pem -out /opt/CA/cacert.pem
 1) Create the directory structure
 2) Initialize the CA infrastructure (serial number and index database)
 3) Fix the configuration file by resetting the CA dir
    * TODO: Make this work generally, i.e. reset the options, rather than sed magic that may change in future revisions
 4) Make the signing certificate

Heavily recommend verifying permissions. A regular user shouldn't even be able to navigate through this directory.

To issue a certificate once a CA exists, run the following as someone with permissions for the CA, replacing ldap with the name of the service you're certifying:

  SERVICE="ldap"
  # 1) Generate the service key and a self-signed cert, then turn that cert into a signing
  #    request. Note ${SERVICE}, not $(SERVICE): the latter is command substitution and
  #    would try to run a program called ldap. Key and cert go to separate files.
  openssl req -nodes -new -x509 -keyout /opt/CA/reqs/${SERVICE}_key.pem -out /opt/CA/reqs/${SERVICE}_req.pem
  openssl x509 -x509toreq -in /opt/CA/reqs/${SERVICE}_req.pem -signkey /opt/CA/reqs/${SERVICE}_key.pem -out /opt/CA/tmp.pem
  # 2) Sign the request with the CA
  openssl ca -policy policy_anything -out /opt/CA/certs/${SERVICE}_cert.pem -infiles /opt/CA/tmp.pem
  # 3) Clean up the temporary request (it was written to /opt/CA, not /tmp)
  rm -f /opt/CA/tmp.pem
 1) Generate the signing request
 2) Sign it
 3) Clean up
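As an added example (not part of the original page), a small POSIX shell audit script covering the two checks this page asks for: that nothing under the CA directory is readable by a regular user, and that an issued service certificate actually chains to the CA certificate. It assumes the /opt/CA layout above (cacert.pem at the top, issued certs in certs/) and an openssl binary on the host; the function names are mine.

```shell
#!/bin/sh
# CA directory audit (added helper, not from the original page).
# Assumes the /opt/CA layout: cacert.pem at the top, certs/<service>_cert.pem.

# check_ca_perms DIR: list every path under DIR that has any group or other
# permission bit set. Returns 0 when nothing is exposed, 1 otherwise.
# Uses POSIX symbolic -perm tests so it works with GNU, BSD and busybox find.
check_ca_perms() {
    exposed=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf 'Group/world-accessible paths under %s:\n%s\n' "$1" "$exposed"
        return 1
    fi
    return 0
}

# lock_ca_perms DIR: strip all group/other bits below DIR (owner-only access).
lock_ca_perms() {
    chmod -R go-rwx "$1"
}

# verify_issued_cert CACERT CERT: returns 0 only if CERT was signed by the CA
# whose certificate is CACERT (openssl verify checks signature and validity dates).
verify_issued_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh ca_audit.sh /opt/CA ldap
if [ -n "$1" ]; then
    check_ca_perms "$1" || echo "FIX: run 'chmod -R go-rwx $1' as root"
    if [ -n "$2" ]; then
        if verify_issued_cert "$1/cacert.pem" "$1/certs/$2_cert.pem"; then
            echo "$2: certificate chains to $1/cacert.pem"
        else
            echo "$2: certificate does NOT verify against $1/cacert.pem"
        fi
    fi
fi
```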