Creating Package Repositories in Oracle® Solaris 11.4

Updated: November 2018

Creating a Self-Signed Server Certificate Authority

For testing purposes, you can act as your own certificate authority (CA) for the server certificate rather than obtain one from a third-party CA. The steps to create a self-signed server CA for Apache are very similar to the steps to create a CA for client certificates described in Creating a Certificate Authority for Client Certificates.

Use the following command to create the CA key pair and its self-signed certificate. The subject is the name under which the CA appears as issuer of the server certificate; it does not need to be a DNS name, and the server's DNS name goes into the server CSR in the next step, not here. Note the subject you choose, because the issuer value passed to pktool signcsr below must match it exactly.

$ pktool gencert label=apacheCA subject="CN=apachetest" \
serial=0x01

Use the following command to create the server key pair and a CSR for the server certificate. Clients compare the host name or address they connect to against the names in the certificate, so if the server is reachable under several names, or you want to make it available directly under its IP address, list every name and address with the altname option, which populates the subjectAltName extension described in Subject Alternative Name in the OpenSSL documentation.

$ pktool gencsr label=apache subject="CN=pkg-sec.internal.example.com" \
altname="IP=192.0.2.0,DNS=pkg-sec.internal.example.com" \
format=pem outcsr=apache.csr

Use the following command to sign the CSR with the CA key. The issuer value must match the subject of the CA certificate, and the serial number must differ from that of every other certificate this CA issues. Use server.crt for SSLCertificateFile.

$ pktool signcsr signkey=apacheCA csr=apache.csr serial=0x02 \
outcert=server.crt issuer="CN=apachetest"

Use the following command to extract the server's private key. Use server.key for SSLCertificateKeyFile. Anyone who can read this file can impersonate the repository server, so keep it readable only by the user that Apache runs as.

$ pktool export objtype=key label=apache outformat=pem \
outfile=server.key

To ensure that your client will accept this server certificate, add the CA certificate (apacheCA) to the accepted CA directory on the client and refresh the ca-certificates service, which creates the hash-named links that OpenSSL uses to locate trust anchors.

Use the following command to extract the CA certificate:

$ pktool export label=apacheCA objtype=cert outformat=pem \
outfile=test_server_ca.pem

Copy the CA certificate to the CA certificate directory on the client. This step and the service refresh that follows modify system files and must be run with the appropriate privileges:

$ cp /path-to/test_server_ca.pem /etc/certs/CA/

Refresh the CA certificates service:

$ svcadm refresh ca-certificates

Before you proceed, ensure that your new CA certificate has been linked. After the refresh, the ca-certificates service rebuilds the links in the /etc/openssl/certs directory. Run the following command to check whether your new CA certificate has been linked:

$ ls -l /etc/openssl/certs | grep test_server_ca.pem
lrwxrwxrwx   1 root     root          40 May  1 09:51 e89d96e0.0 -> ../../certs/CA/test_server_ca.pem

The hash value, e89d96e0, will probably differ for you, because it is derived from the subject name of your CA certificate, not from the file name. The .0 suffix is a counter that distinguishes certificates whose subjects hash to the same value. If the link is missing, OpenSSL-based clients will not trust the server certificate even though the PEM file is present in /etc/certs/CA.
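The link name comes from OpenSSL's subject hash (the value that openssl x509 -subject_hash prints), so you can predict it before refreshing the service and confirm afterwards that the link points at the intended CA. The following is an added example written for this page; it is not part of the Oracle Solaris documentation or of pktool. It re-implements the hash in pure Python so it runs without OpenSSL: the subject Name is canonicalised the way OpenSSL does it (string values lower-cased, whitespace collapsed and re-tagged as UTF8String, RDN SETs concatenated without the outer SEQUENCE), SHA-1 hashed, and the first four digest bytes read little-endian. The subject names and the certificate used for the demonstration are constructed; the hash of your own CA will differ.

```python
"""Predict the OpenSSL hash-link name (e.g. e89d96e0.0) for a CA certificate.

Added example for this page, not code from the Oracle Solaris documentation.
Re-implements OpenSSL's X509_NAME_hash(): canonicalise the subject Name,
SHA-1 it, take the first four digest bytes little-endian.  Sample names
and the certificate built in the demo are constructed.
"""
import base64
import hashlib
import re

# ASN.1 string tags OpenSSL canonicalises, mapped to their codecs.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii",
               0x14: "latin-1", 0x1E: "utf-16-be", 0x1C: "utf-32-be"}
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName
_WS = b" \t\n\x0b\x0c\r"           # the characters OpenSSL's isspace() accepts


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed value into (tag, content) items."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items


def der_write(tag, content):
    """Encode a TLV with a definite length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def canon_value(tag, data):
    """Canonical form of one attribute value, as OpenSSL's asn1_string_canon()."""
    if tag not in STRING_TAGS:                         # non-string types copied as-is
        return der_write(tag, data)
    text = data.decode(STRING_TAGS[tag]).encode("utf-8")
    text = re.sub(b"[" + _WS + b"]+", b" ", text.strip(_WS))
    lowered = bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in text)  # ASCII only
    return der_write(0x0C, lowered)                    # always re-tagged UTF8String


def canon_name(name_der):
    """The bytes OpenSSL hashes: each RDN SET re-encoded, outer SEQUENCE dropped."""
    _, rdns, _ = der_read(name_der)
    out = b""
    for _, rdn in der_children(rdns):
        entries = b""
        for _, attr in der_children(rdn):
            (otag, oid), (vtag, val) = der_children(attr)
            entries += der_write(0x30, der_write(otag, oid) + canon_value(vtag, val))
        out += der_write(0x31, entries)
    return out


def subject_hash(name_der):
    """The 8-hex-digit value 'openssl x509 -subject_hash' prints for this Name."""
    digest = hashlib.sha1(canon_name(name_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def link_name(name_der, collision=0):
    """File name the ca-certificates service links in /etc/openssl/certs."""
    return "%s.%d" % (subject_hash(name_der), collision)


def build_name(*attrs):
    """Construct a DER Name from (oid_bytes, text) pairs, one PrintableString per RDN."""
    rdns = b""
    for oid, text in attrs:
        entry = der_write(0x06, oid) + der_write(0x13, text.encode("ascii"))
        rdns += der_write(0x31, der_write(0x30, entry))
    return der_write(0x30, rdns)


def subject_from_cert(cert_der):
    """Extract the DER subject Name from a certificate (no signature check)."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)                         # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                           # skip explicit [0] version
        fields = fields[1:]
    tag, subject = fields[4]                           # serial, sigAlg, issuer, validity, subject
    return der_write(tag, subject)


def subject_from_pem(pem):
    """Same as subject_from_cert for a PEM file such as test_server_ca.pem."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return subject_from_cert(base64.b64decode(body))


if __name__ == "__main__":
    ca = build_name((OID_CN, "apachetest"))            # the CA subject from the page
    print("apacheCA link name:", link_name(ca))
```

To check a deployed client, run subject_from_pem over the contents of /etc/certs/CA/test_server_ca.pem, compute link_name, and confirm that a link of that name in /etc/openssl/certs resolves to that file; a certificate whose subject differs only in case or surrounding whitespace hashes to the same name, which is why the canonicalisation step matters.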