In this exercise we will set up a private SSL certificate authority (CA) for managing digital certificates, which will later be imported into client applications. We will use openssl to make these certificates. It is important to follow the steps in order so the CA is created properly. First we need to install openssl (the TLS toolkit, not openssh):

[root@security1 ~]# yum -y install openssl

You will need to set up some basic things at this point: the directory where you will keep your certs, keys and everything else the CA needs. Go to the directory that holds the openssl configuration and open /etc/pki/tls/openssl.cnf for editing. In the [ CA_default ] section change the dir, certificate, crl and private_key lines, and in the [ req_distinguished_name ] section change the *_default lines, so they read as follows (the values for country, city and organization are those used in this example; use your own):

dir             = /etc/pki/CA                    # Where everything is kept
certificate     = $dir/certificate.crt           # The CA certificate
crl             = $dir/certificate.crl           # The current CRL
private_key     = $dir/private/certificate.key   # The private key

countryName_default             = RS             # Default country
stateOrProvinceName_default     = Beograd
localityName_default            = Beograd
0.organizationName_default      = SETENFORCE

OK, now you need to create the directories referenced in that file. Pay attention that /etc/pki/CA and all of its subdirectories are owned by root, and that private/ (where the CA key will live) is mode 0700 so that nobody but root can read the key. On a Red Hat system /etc/pki/CA/private normally exists already; mkdir -p makes the command safe either way.

[root@security1 tls]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@security1 tls]# chmod 700 /etc/pki/CA/private

You also need to create an empty index.txt file (the database of issued certificates) and put 01 (the serial number of the first certificate you will issue) in the serial file. Both are read and updated by openssl ca every time you sign a certificate.

[root@security1 tls]# touch /etc/pki/CA/index.txt
[root@security1 tls]# echo 01 > /etc/pki/CA/serial

OK, now we need to make the CA private key. You will be prompted for a passphrase; choose one and remember it, because you will need it every time you sign a certificate with this CA. The umask makes sure the key file is created readable by root only. The key is encrypted with AES-256 here; the older -des3 option also works but 3DES is a legacy cipher.

[root@security1 tls]# cd /etc/pki/CA/
[root@security1 CA]# umask 077
[root@security1 CA]# openssl genrsa -out private/certificate.key -aes256 2048

Let's make the self-signed CA certificate now. Pass -sha256 explicitly so that older openssl releases do not fall back to an obsolete digest, and think about the lifetime: when the CA certificate expires, every certificate it has signed stops being trusted, so for a CA a longer period than 365 days is common.

[root@security1 CA]# openssl req -new -x509 -sha256 -key private/certificate.key -days 365 -out certificate.crt

When you are prompted for the Common Name, enter the name you want the CA to be known by. In my case that is security1.setenforce.com, the hostname of the machine the CA runs on. Note that this is the name of the CA itself: the server certificates you issue later with this CA are the ones whose Common Name or subjectAltName must match the hostname of the server they are installed on, otherwise clients will refuse the connection. certificate.crt is the certificate you need to distribute to your clients; private/certificate.key stays on this machine and is never distributed.
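The whole procedure as one non-interactive script, added to this page as an example and not part of the original post. It does what the steps above do (directory layout, index.txt, serial, an encrypted CA key, a self-signed CA certificate) in a throwaway directory instead of /etc/pki/CA, and then goes one step further than the page: it issues a server certificate for security1.setenforce.com with openssl ca and checks that a client holding only certificate.crt can verify it. The passphrase changeit, the CA Common Name "SETENFORCE Private CA", the 3650-day CA lifetime and the policy_match section are assumptions of this example, not from the page.

```shell
#!/bin/sh
# Added example (not the page's own commands). Builds a private CA with the
# same layout and CA_default paths the page configures, issues one server
# certificate and verifies it the way a client would. Assumed values: the
# passphrase "changeit" and the CA Common Name "SETENFORCE Private CA".
set -eu

# build_ca DIR PASSPHRASE : create the CA layout and a self-signed CA cert under DIR
build_ca() {
    cadir=$1; pass=$2
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    chmod 700 "$cadir/private"     # only the owner (root in production) may read keys
    : > "$cadir/index.txt"         # empty database of issued certificates
    echo 01 > "$cadir/serial"      # serial of the first certificate, as on the page

    # Minimal openssl.cnf carrying the CA_default entries the page edits in
    # /etc/pki/tls/openssl.cnf. \$dir is expanded by openssl, not by the shell.
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $cadir
certs          = \$dir/certs
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/certificate.crt
crl            = \$dir/certificate.crl
private_key    = \$dir/private/certificate.key
default_days   = 365
default_md     = sha256
policy         = policy_match
unique_subject = yes

[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # CA private key, AES-256 encrypted with the passphrase, created under umask 077
    (umask 077; openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$cadir/private/certificate.key" 2048 2>/dev/null)

    # Self-signed CA certificate; [v3_ca] marks it CA:TRUE. Lifetime 3650 days is an assumption.
    openssl req -new -x509 -sha256 -config "$cadir/openssl.cnf" \
        -key "$cadir/private/certificate.key" -passin "pass:$pass" -days 3650 \
        -subj "/C=RS/ST=Beograd/L=Beograd/O=SETENFORCE/CN=SETENFORCE Private CA" \
        -out "$cadir/certificate.crt"
}

# issue_server_cert DIR PASSPHRASE HOST : sign a server certificate for HOST with the CA in DIR
issue_server_cert() {
    cadir=$1; pass=$2; host=$3
    openssl genrsa -out "$cadir/$host.key" 2048 2>/dev/null
    openssl req -new -config "$cadir/openssl.cnf" -key "$cadir/$host.key" \
        -subj "/C=RS/O=SETENFORCE/CN=$host" -out "$cadir/$host.csr"
    # Server extensions: not a CA, and the hostname clients will check goes in the SAN
    cat > "$cadir/$host.ext" <<EOF
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
    # openssl ca reads serial and index.txt, enforces policy_match, and updates both files
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -passin "pass:$pass" \
        -extfile "$cadir/$host.ext" -extensions v3_server \
        -in "$cadir/$host.csr" -out "$cadir/$host.crt" >/dev/null 2>&1
}

# verify_against_ca CACERT CERT : what a client holding only certificate.crt does
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory (the page uses /etc/pki/CA)
demo_dir=$(mktemp -d)
build_ca "$demo_dir" changeit
issue_server_cert "$demo_dir" changeit security1.setenforce.com
if verify_against_ca "$demo_dir/certificate.crt" "$demo_dir/security1.setenforce.com.crt"; then
    echo "security1.setenforce.com.crt verifies against certificate.crt"
else
    echo "verification failed"; exit 1
fi
```

After the run, newcerts/01.pem holds a copy of the issued certificate, index.txt has a V (valid) line for it and serial reads 02, which is exactly the bookkeeping the index.txt and serial files on the page exist for. A certificate signed by anybody else, including a self-signed one with the same hostname, does not verify against certificate.crt, which is why that file is the only thing clients need and the private key never leaves the CA machine.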