Setting up a Linux CA server is quick and easy and is a direct replacement for Microsoft CA. This article applies to both CentOS/Red Hat 6.x and 7.x versions. Let's start by installing the required packages for the CA server setup.
First, install openssl.
# yum -y install openssl
Once the install is done, proceed with editing the 'openssl.cnf' file. The default openssl file lives in /etc/pki/tls/, but for this article we will copy it to the CA folder so the system-wide copy stays untouched.
# cp -av /etc/pki/tls/openssl.cnf /etc/pki/CA/openssl.cnf
Then edit 'openssl.cnf' and change the following parameters (dir, certificate and private_key live in the [ CA_default ] section; string_mask is in the [ req ] section). You can change the values depending on your requirements.
# vi /etc/pki/CA/openssl.cnf
dir = /etc/pki/CA
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
string_mask = pkix
Now, from inside /etc/pki/CA, create the required directories and files that are used to store the certs and keep track of active and revoked certs (index.txt is the certificate database, serial holds the next serial number to issue).
# cd /etc/pki/CA && mkdir {certs,private,newcerts,csr}
# touch index.txt
# echo 01 > serial
Now generate the root CA private key and self-signed certificate so that it can be used for signing CSR requests. The command below prompts for a passphrase to protect the key and for the subject details. Set the expiry date according to your requirements. I have set 2 years (730 days) for this article.
# cd /etc/pki/CA && openssl req -new -config openssl.cnf -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 730
So, now if you check the folders for the private key and CA cert you will have the following.
# ls /etc/pki/CA/certs/ && ls /etc/pki/CA/private/
ca.crt # RootCA Cert
ca.key # RootCA Private Key
The generated CA cert can be inspected in plain text by running the command below; check that the Basic Constraints extension reads CA:TRUE, which confirms the v3_ca extensions were applied.
# openssl x509 -in /etc/pki/CA/certs/ca.crt -text -noout
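The whole procedure above, collected into one script as an added example that is not part of the original article. It differs from the article in a few assumed ways so that it runs without root and without prompts: it builds the CA under a scratch directory passed as an argument instead of /etc/pki/CA, it writes a minimal constructed openssl.cnf (the four parameters the article edits plus the database, serial, new_certs_dir, default_md and policy fields that openssl ca needs, and a v3_ca block) instead of copying /etc/pki/tls/openssl.cnf, and it passes -nodes and -subj so no passphrase or subject is asked for. It also tightens permissions on the private directory and key, and finishes with two checks a practitioner wants: that the root carries CA:TRUE and that it verifies against itself. Only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not the article's own commands): same CA layout as the
# article, built under "$1" instead of /etc/pki/CA.  Assumptions: a minimal
# constructed openssl.cnf, a non-interactive key (-nodes) and subject (-subj).
set -eu

# Creates the directory structure, config and self-signed root CA in "$1".
setup_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private" "$dir/newcerts" "$dir/csr"
    chmod 700 "$dir/private"          # only the CA operator may enter the key dir
    : > "$dir/index.txt"              # empty certificate database
    echo 01 > "$dir/serial"           # next serial number to issue

    # Constructed config: the article's dir/certificate/private_key/string_mask
    # settings plus the fields 'openssl ca' needs and a v3_ca extension block.
    # "\$dir" is left literal so openssl expands it; "$dir" is filled in here.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $dir
certs              = \$dir/certs
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
certificate        = \$dir/certs/ca.crt
private_key        = \$dir/private/ca.key
default_md         = sha256
policy             = policy_any

[ policy_any ]
commonName         = supplied

[ req ]
default_bits       = 2048
default_md         = sha256
string_mask        = pkix
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName         = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Self-signed root valid for 730 days as in the article.  -nodes skips the
    # passphrase prompt for this demo; on a real CA omit it to keep the key
    # encrypted at rest.  Subject "Example Root CA" is a placeholder.
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" -days 730 \
        2>/dev/null
    chmod 600 "$dir/private/ca.key"   # key readable by the CA operator only
}

# Prints "CA:TRUE" when the certificate's Basic Constraints mark it as a CA,
# i.e. the v3_ca extensions really were applied; prints nothing otherwise.
ca_flag() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(CA:TRUE\)$/\1/p'
}

# Prints "ok" when the root verifies against itself (self-signed, unexpired).
self_check() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Stand-alone usage: ./ca-setup.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    setup_ca "$tmp"
    ls "$tmp/certs" "$tmp/private"
    ca_flag "$tmp/certs/ca.crt"
    self_check "$tmp/certs/ca.crt"
fi
```

Run it with the argument run to build a throwaway CA in a temp directory and print the two check results; to reproduce the article's layout exactly, call setup_ca with /etc/pki/CA as root, and drop -nodes so the key is passphrase-protected.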
That's it, you should be up and running with a Linux CA server. Follow this link for creating a CSR and getting it signed by this CA.