Comments on: Create an SSL Certificate Authority on Linux and Use It in Windows AD

By: Paul

Paul — Sun, 15 Nov 2009 09:29:52 +0000

hey great article, how do i reverse this and a) take a windows created root authority cert and install it on linux for openssl to use during secure sockets operations (not apache).

By: Tomas

Tomas — Tue, 10 Nov 2009 19:33:10 +0000

Hi,
is possible somehow use user-certificates in AD from linux CA?
I have linux CA, imported into AD, I have created user-certificates and want to add them to each user in AD .. is is possible or not?

By: Jason

Jason — Wed, 21 Oct 2009 03:52:51 +0000

Hi Robert,
The honest answer is that I don’t know. You are going a lot further with your deployment than I had to with mine. I’ve never tried to use the Windows Certificate Services, so while I can’t see why you couldn’t, I really don’t know for sure. I’d have to play with that for a while to find out. Or you can and let us know how it goes.

Jason

By: Robert

Robert — Tue, 20 Oct 2009 20:23:52 +0000

jason,

I would like to implement a PKI hierarchy that consists of 2 levels or more, a offline root CA and additional subordinate CA’s that require access to the root CA. As the distance from the root CA increases more levels may be needed. If my (offline) Root is a Linux CA server that works in Windows AD, and I copy the ca.crt to your Windows AD domain controller, rename the text file and change the extension to .cer so that it can be used as an SSL certificate, import the CA Certificate to Windows Active Directory, use Group Policy to make this certificate authority a trusted CA through out the domain, can online issuing subordinate CA’s be any additional domain controllers within the domain?

By: Jason

Jason — Sat, 21 Mar 2009 16:22:06 +0000

Khalid,
I’m not sure. PHP isn’t really my thing. A guess would be that the command is waiting for user input, but since you have things setup in your openssl.conf file I’m not sure if that would be the case. I’d ask one of the PHP forums to see what they think.

Good luck.

By: khalid

khalid — Sat, 21 Mar 2009 12:09:29 +0000

hi. i am trying to use sudo to execute openssl commands in php program. the commands doesn’t respond. while the same commands work well in the terminal. the command is as follow.
exec(“openssl req -config /etc/pki_jungle/myCA/openssl.my.cnf -new -keyout /etc/pki_jungle/myCA/private/server.key -nodes -out /etc/pki_jungle/myCA/server.csr -days 365″);
the configuration file openssl.my.cnf is modified so that the creation of the signing request is batched and no further input is needed. what is the problem?

By: syed

syed — Tue, 17 Feb 2009 17:12:29 +0000

works perfectly on red hat 5

so far so good

By: Jason

Jason — Thu, 12 Feb 2009 08:15:41 +0000

Hello Swordfish. Sure, you could do that. I’m not sure what advantage you would gain for having 10 different CAs for 10 different web servers, but you could just change the openssl command to use different file names for the key and other output files. For example:

sudo openssl genrsa -des3 -out ca.key 4096

becomes

sudo openssl genrsa -des3 -out ca2.key 4096
sudo openssl genrsa -des3 -out ca3.key 4096
etc…

And:

sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Becomes:

sudo openssl req -new -x509 -days 365 -key ca2.key -out ca2.crt
sudo openssl req -new -x509 -days 365 -key ca3.key -out ca3.crt

I’d use different common names in each CA certificate so you could tell them apart that way too.

By: swordfish

swordfish — Wed, 11 Feb 2009 21:38:35 +0000

hi i am swordfish, can i create more CA in the linux box which can be use on different web servers. example i have 10 webservers and i want to generate 10 CA so that each server have there own CA…

thank you ,, very much and i could appreciate if you response asap ,,,