Certificate Authority and Digital Certificates

Many of the services use digital certificates in conjunction with SSL/TLS for authentication and/or encryption, so I needed a way to generate digital certificates.

Initially, I generated digital certificates using the command-line tools provided by OpenSSL. However, I decided that it would be easier with a simple GUI-based Certificate Authority application, so I started using XCA. While there is no CentOS-specific XCA package, the Fedora Extras 6 source package works on CentOS once it is rebuilt for CentOS. Remember to install the redhat-rpm-config package before attempting to rebuild any source RPMs.

I created a root certificate that I use to sign all the certificates used on my network. In addition, I created a certificate for each service provided by the server. The server is known by a different DNS name for each service, and the name in the certificate is the DNS name clients use when accessing that service. For example, for LDAP the server is known by the DNS name ldap.bendercasa.net, so the name in the certificate is ldap.bendercasa.net. Using the correct name is important, since most clients validate that the name in the certificate matches the DNS name they connected to. Note that current clients check the Subject Alternative Name extension rather than the Common Name, so the DNS name should be entered there as well.

Rather than place the certificates in the configuration directories of the different services, I placed all the certificates in the directory /etc/certs. Having the certificates in one place allows me to manage them more easily, but it also means the permissions must be set carefully, since the private keys in particular must not be world-readable. To set the permissions correctly, I wrote the script /etc/certs/update.
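The following is an added example illustrating the two points above: issuing a per-service certificate whose name (Common Name and Subject Alternative Name) is the DNS name clients connect to, checking it the way a TLS client would, and tightening permissions on a shared certificate directory. It is not the page author's /etc/certs/update script nor anything produced by XCA; it uses the plain OpenSSL command line. The hostname ldap.bendercasa.net comes from the page; the root CA subject, the file names (ca.crt, ca.key, HOST.crt, HOST.key), the temporary directory and the file modes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the page's script): a small CA, a service certificate
# with the DNS name in both CN and SAN, a hostname check, and a permission
# fixer for a shared certificate directory. Assumes the OpenSSL CLI is installed.

# Create a self-signed root CA in $1. The CSR is signed with -extfile so the
# CA extensions do not depend on whatever openssl.cnf happens to be installed.
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=bendercasa.net root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a certificate for service hostname $2, signed by the CA in $1.
# The hostname goes into the CN and, more importantly, into the SAN extension,
# because that is the field modern clients compare against the DNS name.
issue_service_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Return 0 only if $3.crt in $1 chains to ca.crt AND its name matches
# hostname $2. This mirrors the check a TLS client performs on connect.
cert_matches_host() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$3.crt" >/dev/null 2>&1
}

# Set permissions for a shared certificate directory: certificates are
# public (0644), private keys are readable only by owner and group (0640).
# A real update script would also chgrp each key to the group of the service
# that needs it; that step is omitted here so the example runs anywhere.
fix_perms() {
    dir=$1
    chmod 0755 "$dir"
    for f in "$dir"/*.key; do [ -e "$f" ] && chmod 0640 "$f"; done
    for f in "$dir"/*.crt; do [ -e "$f" ] && chmod 0644 "$f"; done
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-alone demonstration in a throwaway directory.
demo() {
    d=$(mktemp -d)
    make_root_ca "$d"
    issue_service_cert "$d" ldap.bendercasa.net
    if cert_matches_host "$d" ldap.bendercasa.net ldap.bendercasa.net; then
        echo "ldap.bendercasa.net: name and chain OK"
    fi
    if ! cert_matches_host "$d" www.bendercasa.net ldap.bendercasa.net; then
        echo "www.bendercasa.net: rejected, name does not match (expected)"
    fi
    fix_perms "$d"
    echo "key mode: $(file_mode "$d/ldap.bendercasa.net.key")"
    rm -rf "$d"
}
demo
```

The negative check matters as much as the positive one: a certificate for ldap.bendercasa.net must be rejected when a client connects to the same machine as www.bendercasa.net, which is exactly why the page issues one certificate per service name rather than one per host.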