#From:
# http://dev.antoinesolutions.com/openssl
#How to configure OpenSSL on CentOS / Red Hat Linux
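# Every relative path below (serial, index.txt, certs/, private/, crl/,
# tarballs/) is relative to the CA directory that openssl.cnf calls "dir",
# so the script changes into it first instead of assuming the caller's cwd.
# Expected to run as root.
set -euo pipefail

readonly ca_dir=/etc/pki/CA
cd "$ca_dir" || exit 1
mkdir -p certs private crl

# Work from a private copy of the stock config rather than editing the
# system-wide file in place.
cp /etc/pki/tls/openssl.cnf openssl.cnf

# Point the copy at this CA. These three substitutions replace the stock
# [ CA_default ] values
#   dir         = /etc/pki/CA
#   certificate = $dir/cacert.pem
#   private_key = $dir/private/cakey.pem
# They are confined to the [ CA_default ] section so an identically named
# key in another section is left alone, and "$dir" stays literal (single
# quotes) because it is an openssl.cnf variable, not a shell one.
sed -i '/^\[ CA_default \]/,/^\[/ {
  s|^dir[[:space:]]*=.*|dir = /etc/pki/CA # Where everything is kept|
  s|^certificate[[:space:]]*=.*|certificate = $dir/certs/harker.ca.crt # The CA certificate|
  s|^private_key[[:space:]]*=.*|private_key = $dir/private/harker.ca.key # The private key|
}' openssl.cnf

# Fresh CA database: serial and CRL counters start at 01, empty index.
echo '01' > serial
echo '01' > crlnumber
touch index.txt
chmod 0400 openssl.cnf

#Create a Certificate Authority (CA)
# No -nodes here, so openssl req prompts for a passphrase and the CA key is
# stored encrypted. Only the CA *certificate* is published to the web root.
openssl req -config openssl.cnf -new -x509 -extensions v3_ca \
  -keyout private/harker.ca.key -out certs/harker.ca.crt -days 3650
chmod 400 private/harker.ca.key
mkdir -p /var/www/html/repository
cp certs/harker.ca.crt /var/www/html/repository/

#Create a Certificate Request (CSR)
# The server key is generated unencrypted (-nodes) so httpd can start
# unattended; it is then readable only by root and the apache group.
# $domain is quoted at every use so the path can never be word-split or
# glob-expanded. -days is only honoured together with -x509; the signed
# certificate's lifetime is decided by "openssl ca" below.
export domain=science.harker.com
openssl req -config openssl.cnf -new -nodes \
  -keyout "private/$domain.key" -out "$domain.csr" -days 730
chown root:apache "private/$domain.key"
chmod 0440 "private/$domain.key"

#Sign a Certificate Request (CSR)
openssl ca -config openssl.cnf -policy policy_anything \
  -out "certs/$domain.crt" -infiles "$domain.csr"
rm -f "$domain.csr"

# Verify Certificate
openssl x509 -subject -issuer -enddate -noout -in "certs/$domain.crt"
openssl verify -purpose sslserver -CAfile certs/harker.ca.crt "certs/$domain.crt"
openssl x509 -in "certs/$domain.crt" -noout -text

# Create a tarball of the certs
# The archive contains the server private key, so it gets key-like
# permissions. README.harker.ca must already exist next to the CA
# directories; under set -e a missing file stops the script here.
mkdir -p tarballs
tar cvf "tarballs/$domain.ssl.tar" "certs/$domain.crt" "private/$domain.key" \
  certs/harker.ca.crt README.harker.ca
chmod 0600 "tarballs/$domain.ssl.tar"

# Copy certs into /etc/pki/tls locations for Apache
# install(1) sets owner, group and mode on the copy in one step; a plain cp
# keeps the mode bits but leaves the copied key owned by root:root, losing
# the apache group access set up above.
cp "certs/$domain.crt" /etc/pki/tls/certs
install -o root -g apache -m 0440 "private/$domain.key" /etc/pki/tls/private/
service httpd restart

#Create a Certificate Revocation List
# The two steps below are reference operations for later use, not part of
# the initial setup.
openssl ca -config openssl.cnf -gencrl -out crl/harker.ca.crl

# Revoke Certificate
# -revoke only marks the entry in the CA database (index.txt). Re-run the
# -gencrl step afterwards and republish crl/harker.ca.crl, otherwise the
# CRL in circulation does not include the revoked certificate.
openssl ca -config openssl.cnf -revoke "certs/$domain.crt"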