SuSE 11 Setup Certificate Authority?

Am following the often referenced
Scott Morris SuSEblog

Don’t know if differences between 10.3 (the SuSEblog) and 11 are significant.

Am also trying to reconcile the generic instructions at OpenSSL
OpenSSL Certificate Authority Setup

After following the SuSEblog steps, the certificates generated (including the CA server certs themselves)continue to generate a “Level 0” error which seems to indicate that the highest level certificates still aren’t trusted.

The OpenSSL generic instructions seem to address this by running “make init” which doesn’t seem to apply when OpenSSL is installed from the OpenSuSE repositories (because those files don’t seem to exist). Also, there is some comment that once OpenSSL is installed onto a system a Server certificate for that machine is automatically generated.

I don’t know if that would be the case, and wouldn’t really know where to look for this. I found the /etc/ssl/ directory which appears to likely be related to certificates with a certificate repository in the ./certs/ subdirectory, and I also found a ./private/ subdirectory (which is empty).

Some concrete questions :confused: :

  1. After creating a CA cert and Server Key, should placing it in the /etc/ssl/private/ directory be sufficient to create a CA, or are there other steps? I’ve tried moving the files to this location without effect. :stuck_out_tongue:

  2. Can someone more generally describe the virtual or physical architecture of a CA on SuSE? I’m a bit confused because aside from there not being any kind of CA application, I’m wondering if there is supposed to be pre-assigned paths, directories and possibly a config file somewhere that governs how the OS responds and where it either looks up CA data physically or virtually.



to your questions:

  1. what do you expect? It is your decision where to store you certifications and you have to configure the apps accordingly where you stored you certificates. Anyway it might be a good decisions not to store the private key for the root CA on the same system :wink: Maybe you get more infos when following the discussions here Where to put SSL Certificates/Key in Suse 11 - openSUSE Forums and Creating a CA in openSUSE - openSUSE Forums

  2. There is a CA module for YaST and you can also use tinyca2 as a CA application. You already found the proposed paths but none of the applications will use them automatic. You have to configure every application separate so that they will use your certs.

Hope this helps