====== Certificate Authority ======

Customizing the default answers to the questions asked when creating requests and certificates:

<code>
root@ca:~# cd /etc/pki/tls/
</code>

Back up the file before modifying it:

<code>
root@ca:/etc/pki/tls# cp -p openssl.cnf{,.dist}
root@ca:/etc/pki/tls# vim openssl.cnf
[ req_distinguished_name ]
[...]
countryName_default             = BR
[...]
stateOrProvinceName_default     = Para
[...]
localityName_default            = Maraba
[...]
0.organizationName_default      = Exemplo SA
[...]
organizationalUnitName_default  = Departamento de Informatica
[...]
</code>

Also change the validity period of the CA certificate (CADAYS applies only to the CA's own certificate; certificates signed later use the script's separate DAYS default):

<code>
root@ca:/etc/pki/tls# vim misc/CA
[...]
#CADAYS="-days 1095"   # 3 years
CADAYS="-days 3650"    # 10 years
[...]
</code>

Creating the Certificate Authority (CA):

<code>
root@ca:/etc/pki/tls# ./misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.............................+++
.................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [Para]:
Locality Name (eg, city) [Maraba]:
Organization Name (eg, company) [Exemplo SA]:
Organizational Unit Name (eg, section) [Departamento de Informatica]:
Common Name (eg, your name or your server's hostname) []:ca.exemplo.org
Email Address []:admin@exemplo.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11913230780213294170 (0xa5544c468ddcf45a)
        Validity
            Not Before: Jun  9 14:04:48 2016 GMT
            Not After : Jun  7 14:04:48 2026 GMT
        Subject:
            countryName               = BR
            stateOrProvinceName       = Para
            organizationName          = Exemplo SA
            organizationalUnitName    = Departamento de Informatica
            commonName                = ca.exemplo.org
            emailAddress              = admin@exemplo.org
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
            X509v3 Authority Key Identifier:
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jun  7 14:04:48 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
</code>

Note that the CA certificate's subject has no localityName even though "Maraba" was accepted at the prompt: the -newca step signs with the default policy_match section of openssl.cnf, which does not list that field, so openssl ca drops it from the issued subject.

Generated files:

<code>
root@ca:/etc/pki/tls# ls -la ../CA/*
-rw-r--r--. 1 root root 4610 Jun  9 11:04 ../CA/cacert.pem
-rw-r--r--. 1 root root 1086 Jun  9 11:04 ../CA/careq.pem
-rw-r--r--. 1 root root  309 Jun  9 11:37 ../CA/index.txt
-rw-r--r--. 1 root root   21 Jun  9 11:37 ../CA/index.txt.attr
-rw-r--r--. 1 root root   21 Jun  9 11:04 ../CA/index.txt.attr.old
-rw-r--r--. 1 root root  149 Jun  9 11:04 ../CA/index.txt.old
-rw-r--r--. 1 root root   17 Jun  9 11:37 ../CA/serial
-rw-r--r--. 1 root root   17 Jun  9 11:04 ../CA/serial.old

../CA/certs:
total 4
drwxr-xr-x. 2 root root    6 Dez 14 02:18 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..

../CA/crl:
total 4
drwxr-xr-x. 2 root root    6 Dez 14 02:18 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..

../CA/newcerts:
total 20
drwxr-xr-x. 2 root root   60 Jun  9 11:37 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
-rw-r--r--. 1 root root 4610 Jun  9 11:04 A5544C468DDCF45A.pem

../CA/private:
total 8
drwx------. 2 root root   22 Jun  9 11:03 .
drwxr-xr-x. 6 root root 4096 Jun  9 11:37 ..
-rw-r--r--. 1 root root 1834 Jun  9 11:04 cakey.pem
</code>

Information about the generated CA certificate (the modulus and signature bytes are elided here):

<code>
root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294170 (0xa5544c468ddcf45a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:04:48 2016 GMT
            Not After : Jun  7 14:04:48 2026 GMT
        Subject: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16
            X509v3 Authority Key Identifier:
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [...]
</code>

Creation and expiry dates:

<code>
root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -dates
notBefore=Jun  9 14:04:48 2016 GMT
notAfter=Jun  7 14:04:48 2026 GMT
</code>

Purposes the certificate can be used for:

<code>
root@ca:/etc/pki/tls# openssl x509 -in ../CA/cacert.pem -noout -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
</code>

Every purpose is reported as "Yes" because the v3_ca section of the default openssl.cnf adds only basicConstraints and the key identifiers, with no keyUsage extension, so nothing restricts what the CA key may sign; keep cakey.pem and its pass phrase under tight control.

Now that the root certificate exists, we can create as many certificates as we want for our SSL applications, for example HTTPS, SMTPS, IMAPS, FTPS and others.
The procedure involves creating a private key and a certificate request; the request then has to be signed by the CA to produce the new certificate.

**Private key**

<code>
root@ca:/etc/pki/tls# ./misc/CA -newreq
Generating a 2048 bit RSA private key
..........................................................................................................+++
.....................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [Para]:
Locality Name (eg, city) [Maraba]:
Organization Name (eg, company) [Exemplo SA]:
Organizational Unit Name (eg, section) [Departamento de Informatica]:
Common Name (eg, your name or your server's hostname) []:ldap.exemplo.org
Email Address []:admin@exemplo.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
</code>

Files created:

<code>
root@ca:/etc/pki/tls# ls -la new*
-rw-r--r--. 1 root root 1834 Jun  9 11:27 newkey.pem
-rw-r--r--. 1 root root 1090 Jun  9 11:27 newreq.pem
</code>

Request information (modulus and signature bytes elided):

<code>
root@ca:/etc/pki/tls# openssl req -in newreq.pem -text -verify -noout
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         [...]
</code>

**Signing the certificate**

<code>
root@ca:/etc/pki/tls# ./misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject:
            countryName               = BR
            stateOrProvinceName       = Para
            localityName              = Maraba
            organizationName          = Exemplo SA
            organizationalUnitName    = Departamento de Informatica
            commonName                = ldap.exemplo.org
            emailAddress              = admin@exemplo.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier:
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16

Certificate is to be certified until Jun  9 14:36:58 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier:
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16

    Signature Algorithm: sha256WithRSAEncryption
         [...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
</code>

The issued certificate is valid for 365 days, the DAYS default in misc/CA (CADAYS only affected the CA certificate itself). This time localityName is kept because -sign uses policy_anything, and the usr_cert section marks the certificate CA:FALSE, so it cannot be used to sign further certificates.

<code>
root@ca:/etc/pki/tls# ls -l new*
-rw-r--r--. 1 root root 4781 Jun  9 11:37 newcert.pem
-rw-r--r--. 1 root root 1834 Jun  9 11:27 newkey.pem
-rw-r--r--. 1 root root 1090 Jun  9 11:27 newreq.pem
</code>

Inspecting the signed certificate (modulus and signature bytes elided):

<code>
root@ca:/etc/pki/tls# openssl x509 -in newcert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11913230780213294171 (0xa5544c468ddcf45b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BR, ST=Para, O=Exemplo SA, OU=Departamento de Informatica, CN=ca.exemplo.org/emailAddress=admin@exemplo.org
        Validity
            Not Before: Jun  9 14:36:58 2016 GMT
            Not After : Jun  9 14:36:58 2017 GMT
        Subject: C=BR, ST=Para, L=Maraba, O=Exemplo SA, OU=Departamento de Informatica, CN=ldap.exemplo.org/emailAddress=admin@exemplo.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:DE:E3:36:73:1E:9E:07:05:2C:AE:48:90:5C:E6:51:A7:36:E5:56
            X509v3 Authority Key Identifier:
                keyid:A0:72:7A:53:A2:B2:4B:56:93:B0:C0:22:69:82:B5:6F:EE:F8:E6:16

    Signature Algorithm: sha256WithRSAEncryption
         [...]
root@ca:/etc/pki/tls# openssl x509 -in newcert.pem -noout -dates
notBefore=Jun  9 14:36:58 2016 GMT
notAfter=Jun  9 14:36:58 2017 GMT
</code>

**Removing the pass phrase from the private key**

<code>
# openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem:
</code>

key.pem is now stored unencrypted so the service can start without a prompt; anyone who can read it can impersonate the service, so restrict it to its owner (mode 0600) and keep it off shared or world-readable paths.

**Files to be used by the network service**

<code>
root@ca:/etc/pki/tls# ls key.pem            => private key (unencrypted)
root@ca:/etc/pki/tls# ls newcert.pem        => signed certificate (public key)
root@ca:/etc/pki/tls# ls ../CA/cacert.pem   => root (CA) certificate
</code>

References:

  - [[https://eriberto.pro.br/wiki/index.php?title=Autoridade_Certificadora_%28CA%29_com_o_OpenSSL]]
  - [[http://gutocarvalho.net/dokuwiki/doku.php/openssl_criando_raiz_ca]]
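The checks a practitioner should run on newcert.pem and key.pem before handing them to a network service, written here as an added POSIX sh example (not code from the page above or from its references): it verifies the chain against the CA, confirms the key matches the certificate, checks basicConstraints, flags the missing subjectAltName that "misc/CA -sign" leaves out with the default openssl.cnf, and checks the permissions of the unencrypted key. It assumes only the openssl CLI; the CA and leaf certificates it uses are constructed fixtures generated in a temporary directory.

```shell
# Added example (not from the original page or its references): checks to run
# on a certificate signed by a private CA before a service uses it.
# Assumes only the openssl CLI (1.0.2 or newer) is installed.
set -eu

# check_issued_cert CA_CERT LEAF_CERT LEAF_KEY  -> 0 when every check passes
check_issued_cert() {
  ca=$1; cert=$2; key=$3
  # 1. The leaf must chain to our CA and be inside its validity window.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca"; return 1; }
  # 2. The private key handed to the service must belong to this certificate.
  pub_cert=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  pub_key=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$pub_cert" = "$pub_key" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  # 3. A server certificate must never be usable as a CA.
  echo "$text" | grep -q 'CA:FALSE' \
    || { echo "FAIL: $cert lacks basicConstraints CA:FALSE"; return 1; }
  # 4. Browsers and current TLS libraries ignore the CN and match the
  #    subjectAltName, so a CN-only certificate is rejected by them.
  echo "$text" | grep -q 'Subject Alternative Name' \
    || { echo "FAIL: $cert has no subjectAltName"; return 1; }
  # 5. Once the pass phrase is removed (openssl rsa -in newkey.pem -out key.pem)
  #    the key is plaintext, so it must be readable by its owner only.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "FAIL: $key is readable by group or others"; return 1; }
  echo "OK: $cert"
}

# Constructed fixtures so the script runs stand-alone: a throw-away CA and two
# leaves for ldap.exemplo.org, one with a SAN and one CN-only like the page's.
make_fixtures() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.exemplo.org\n' >"$d/san.ext"
  printf 'basicConstraints=CA:FALSE\n' >"$d/nosan.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" -out "$d/careq.pem" \
    -subj "/C=BR/ST=Para/O=Exemplo SA/CN=ca.exemplo.org" 2>/dev/null
  openssl x509 -req -in "$d/careq.pem" -signkey "$d/cakey.pem" -sha256 -days 3650 \
    -extfile "$d/ca.ext" -out "$d/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/newreq.pem" \
    -subj "/C=BR/ST=Para/L=Maraba/O=Exemplo SA/CN=ldap.exemplo.org" 2>/dev/null
  chmod 600 "$d/key.pem"
  for ext in san nosan; do
    openssl x509 -req -in "$d/newreq.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
      -CAcreateserial -sha256 -days 365 -extfile "$d/$ext.ext" -out "$d/$ext.pem" 2>/dev/null
  done
}

# run_demo -> 0 when the SAN leaf passes every check and the CN-only leaf fails
run_demo() {
  d=$(mktemp -d) && make_fixtures "$d"
  check_issued_cert "$d/cacert.pem" "$d/san.pem" "$d/key.pem" || return 1
  if check_issued_cert "$d/cacert.pem" "$d/nosan.pem" "$d/key.pem"; then return 1; fi
  rm -rf "$d"
}
```

Call run_demo to exercise both fixtures, or call check_issued_cert directly on the page's ../CA/cacert.pem, newcert.pem and key.pem; the CN-only newcert.pem produced above fails check 4, which is the reason to add a subjectAltName to the request before signing.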