Setup Linux CA Server – CentOS/Red Hat 6.x/7.x

by | May 30, 2018 | RHEL / CentOS

Setting up a Linux CA server is quick and easy and is a direct replacement for Microsoft CA. This article applies to both CentOS/Red Hat 6.x and 7.x. Let’s start by installing the packages required for the CA server setup.

First, install openssl.

# yum -y install openssl

Once the install is done, proceed with editing the ‘openssl.cnf’ file. The default file lives in /etc/pki/tls/, but for this article we copy it to the CA folder so the CA uses its own configuration.

# cp -av /etc/pki/tls/openssl.cnf /etc/pki/CA/openssl.cnf

Then edit ‘openssl.cnf’ and change the following parameters. Adjust the values to your own requirements.

# vi /etc/pki/CA/openssl.cnf

# in the [ CA_default ] section
dir = /etc/pki/CA
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
# in the [ req ] section
string_mask = pkix

Now, inside /etc/pki/CA, create the directories and files that store the certs and keep track of the active and revoked certs.

# cd /etc/pki/CA
# mkdir {certs,private,newcerts,csr}
# touch index.txt
# echo 01 > serial

Now generate a root CA cert that will be used to sign CSRs. Set the expiry according to your requirements. I have set 2 years (730 days) for this article.

# cd /etc/pki/CA && openssl req -new -config openssl.cnf -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 730

If you now list the certs and private folders you will see the following.

# ls /etc/pki/CA/certs/ && ls /etc/pki/CA/private/
ca.crt # RootCA Cert
ca.key # RootCA Private Key

The generated CA cert can be inspected in plain text with the command below.

# openssl x509 -in /etc/pki/CA/certs/ca.crt -text -noout
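As an added example (not part of the original article), the following shell script builds the same CA layout in a directory of your choosing and then checks what the steps above should have produced: a root certificate marked CA:TRUE with keyCertSign, an encrypted private key with mode 0600, and the index.txt/serial bookkeeping files. The function names, the minimal openssl.cnf, the subject ‘Example Root CA’, the 2048-bit key size and the placeholder passphrase are my own choices; it assumes openssl and GNU stat are installed.

```shell
# Added example, not the article's own code: build the article's CA layout in
# any directory, then verify what the steps should have produced. Assumes
# openssl and GNU stat; subject, key size and passphrase are placeholders.
set -eu

build_ca() {                      # $1 = CA root directory, $2 = validity in days
  ca="$1"; days="$2"
  mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts" "$ca/csr"
  chmod 700 "$ca/private"         # CA key material is readable by root only
  touch "$ca/index.txt"           # database of issued certificates
  echo 01 > "$ca/serial"          # next serial number to issue
  # Minimal openssl.cnf carrying the parameters the article changes, plus a
  # v3_ca section so the root cert gets CA:TRUE and keyCertSign.
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
certificate = \$dir/certs/ca.crt
private_key = \$dir/private/ca.key
[ req ]
distinguished_name = req_dn
prompt = no
string_mask = pkix
[ req_dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Article's command; -passout replaces the passphrase prompt (placeholder)
  openssl req -new -config "$ca/openssl.cnf" -x509 -extensions v3_ca \
    -newkey rsa:2048 -keyout "$ca/private/ca.key" -out "$ca/certs/ca.crt" \
    -days "$days" -passout pass:changeme-placeholder 2>/dev/null
  chmod 600 "$ca/private/ca.key"
}

# Returns 0 only if the root cert is a CA with keyCertSign, the private key is
# encrypted and mode 0600, and the bookkeeping files exist with serial 01.
check_ca() {
  ca="$1"
  txt=$(openssl x509 -in "$ca/certs/ca.crt" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' || return 1
  echo "$txt" | grep -q 'Certificate Sign' || return 1
  grep -q 'ENCRYPTED' "$ca/private/ca.key" || return 1
  [ "$(stat -c %a "$ca/private/ca.key")" = "600" ] || return 1
  [ -f "$ca/index.txt" ] && [ "$(cat "$ca/serial")" = "01" ]
}
```

Run it as `build_ca /etc/pki/CA 730 && check_ca /etc/pki/CA` on the real host, or point it at a scratch directory first.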

That’s it, you should be up and running with a Linux CA server. Follow this link for creating a CSR and getting it signed by this CA.
