-->

Root CA and Wildcard Certificate Generation in CentOS/RHEL 6&7

     Hi folks ! this is one of the best method to create your own RootCA server and generating self-signed wildcard certificates.The greatest advantage of following this method: this would not make any system level changes, as everything is stored in files mentioned in the commands. At any stage if something went wrong, clear all the files and perform the steps once again.

There are two sections

1. RootCA Server   --  Need to perform only once.

2. Generating wildcard certificates for xyz.com domain -- Need to perform once per domain to create wildcard certificates. Need to perform once per site per domain to create individual certificates per site.


RootCA Server
============
1. Install required packages.

# yum install openssl -y

2. Generate XYZRootCA certificates

# mkdir /opt/XYZRootCA
# cd /opt/XYZRootCA
# openssl genrsa -out XYZRootCA.key 2048
# openssl req -x509 -new -nodes -key XYZRootCA.key -sha256 -days 10950 -out XYZRootCA.pem

#Provide information as given below

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:XYZ Solutions Pvt. Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:XYZRootCA
Email Address []:info@xyz.com

3. Convert .pem to .crt

# openssl x509 -outform der -in XYZRootCA.pem -out XYZRootCA.crt



Generating wildcard certificates for xyz.com domain
===========================================
1. Generate CSR for *.xyz.com

# openssl genrsa -out XYZWildcard.key 2048
# openssl req -new -key XYZWildcard.key -out XYZWildcard.csr

#Provide information as given below
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:XYZ Solutions Pvt. Ltd
Organizational Unit Name (eg, section) []:Infra Support
Common Name (eg, your name or your server's hostname) []:*.xyz.com
Email Address []:infrasupport@xyz.com

2. Using CSR generated above (As Shown in Step no:1), generate a wildcard certificate for *.xyz.com also get it signed by XYZRootCA as well.

# openssl x509 -req -in XYZWildcard.csr -CA XYZRootCA.pem -CAkey XYZRootCA.key -CAcreateserial -out XYZWildcard.crt -days 3650 -sha256

3. Import XYZRootCA.crt to trusted root certificates

# yum install ca-certificates
# update-ca-trust force-enable
# cp XYZRootCA.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract



References:
###########
  1. https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
  2. http://linoxide.com/security/make-ca-certificate-authority/
  3. https://blog.celogeek.com/201209/209/how-to-create-a-self-signed-wildcard-certificate/
  4. http://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
  5. https://serversforhackers.com/self-signed-ssl-certificates
  6. http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html



Share on Google Plus

About Venkata Rao Amudalapalli

This is a short description in the author block about the author. You edit it by entering text in the "Biographical Info" field in the user admin panel.