{"id":29,"date":"2018-09-20T10:15:00","date_gmt":"2018-09-20T02:15:00","guid":{"rendered":"http:\/\/wordpress-stage\/?p=29"},"modified":"2019-04-25T01:35:15","modified_gmt":"2019-04-24T17:35:15","slug":"build-and-trust-your-own-ca-on-centos7","status":"publish","type":"post","link":"https:\/\/blog.buck5060.tw\/?p=29","title":{"rendered":"Build and Trust Your Own CA on CentOS7"},"content":{"rendered":"<h2>Why I wrote this note<\/h2>\n<ul>\n<li>I was trying to install <a href=\"https:\/\/github.com\/ChameleonCloud\/chi-in-a-box\">Chameleoncloud-in-a-box<\/a>, which provides bare-metal provisioning using OpenStack Ironic.<\/li>\n<li>There is a PKI in Chameleon\u2019s development environment. The problem happened to us when we tried to build this project at the iCAIR site, which doesn\u2019t have a PKI in its private network.<\/li>\n<li>Because the OpenStack CLI uses HTTPS APIs, a bad cert means no successful HTTPS connection and no control over the components.<\/li>\n<li>This is the note for building your own PKI with openssl and trusting the RootCA on your own computer.<\/li>\n<li>References are down below (most of the commands are copied and modified from other websites, actually. = =)<\/li>\n<\/ul>\n<h2>Build PKI<\/h2>\n<ul>\n<li>Build the CA private key with a passphrase<\/li>\n<\/ul>\n<p><code>openssl genrsa -des3 -out myCA.key 2048<\/code><\/p>\n<ul>\n<li>Build the self-signed CA cert<\/li>\n<\/ul>\n<p><code>openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem<\/code><\/p>\n<ul>\n<li>Build the server private key<\/li>\n<\/ul>\n<p><code>openssl genrsa -out ciab.buck.local.key 2048<\/code><\/p>\n<ul>\n<li>Build the server cert (create a CSR, then sign it with the CA)<\/li>\n<\/ul>\n<pre><code class=\"\">openssl req -new -key ciab.buck.local.key -out ciab.buck.local.csr\nopenssl x509 -req -in ciab.buck.local.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ciab.buck.local.crt -days 3650 -sha256\n<\/code><\/pre>\n<h2>Trust Your RootCA (CentOS7)<\/h2>\n<pre><code class=\"\"># cp myCA.pem \/etc\/pki\/ca-trust\/source\/anchors\/\n# update-ca-trust\n<\/code><\/pre>\n<h2>Set up an Apache server for testing<\/h2>\n<h3>Server setup<\/h3>\n<ul>\n<li>Thanks to DO lol.<\/li>\n<li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-create-an-ssl-certificate-on-apache-for-centos-7\">How To Create an SSL Certificate on Apache for CentOS 7<\/a><\/li>\n<\/ul>\n<h3>Test with curl (check that hostname resolution is correct)<\/h3>\n<pre><code class=\"\">curl -vvv https:\/\/ciab.buck.local\n* About to connect() to ciab.buck.local port 443 (#0)\n*   Trying fe80::c45b:765c:c136:5e3b...\n* Connected to ciab.buck.local (fe80::c45b:765c:c136:5e3b) port 443 (#0)\n* Initializing NSS with certpath: sql:\/etc\/pki\/nssdb\n*   CAfile: \/etc\/pki\/tls\/certs\/ca-bundle.crt\n  CApath: none\n* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n* Server certificate:\n*       subject: CN=ciab.buck.local,O=iCAIR,L=Chicago,ST=illnois,C=US\n*       start date: Sep 20 15:42:52 2018 GMT\n*       expire date: Sep 17 15:42:52 2028 GMT\n*       common name: ciab.buck.local\n*       issuer: CN=buck.local,O=Default Company 
Ltd,L=Chicaog,ST=il,C=US\n......\n<\/code><\/pre>\n<p>:tada:<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/deliciousbrains.com\/ssl-certificate-authority-for-local-https-development\/\">How to Create Your Own SSL Certificate Authority for Local HTTPS Development<\/a><\/li>\n<li><a href=\"https:\/\/www.happyassassin.net\/2015\/01\/14\/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem\/\">Trusting additional CAs in Fedora \/ RHEL \/ CentOS<\/a><\/li>\n<\/ul>\n<p>Also, one of my seniors wrote <a href=\"https:\/\/blog.pichuang.com.tw\/generate-ssl-tls-certs-and-keys\/\">this<\/a> the day after I solved this problem\u2026 This is a better method to manage a PKI.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why I write this note Try to install Chameleoncloud-in- &hellip; <a href=\"https:\/\/blog.buck5060.tw\/?p=29\" class=\"more-link\">Read the full article <span class=\"screen-reader-text\">Build and Trust Your Own CA on 
CentOS7<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-29","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/posts\/29","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29"}],"version-history":[{"count":5,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions"}],"predecessor-version":[{"id":34,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=\/wp\/v2\/posts\/29\/revisions\/34"}],"wp:attachment":[{"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.buck5060.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}