Linux: ssl

[ Bloke.com || Linux || JavaScript || Java || Volleyball || Link Me ]
Free: [ Guestbook || MessageBot || Plugins || Counter || AusPrices || Advertise ]

Home - Linux - ssl

Create CA

First, install openssl-perl rpm (which gives you CA.pl). Now

[root@localhost ca]# /etc/pki/tls/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
................++++++
..++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:New York
Organization Name (eg, company) [My Company Ltd]:Acme
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:acme.com
Email Address []:public@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:4e:b4:bb:32:3d:1b:6b
        Validity
            Not Before: Feb  9 11:09:58 2008 GMT
            Not After : Feb  8 11:09:58 2011 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            organizationName          = Acme
            commonName                = acme.com
            emailAddress              = public@acme.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                49:96:78:FE:7D:8B:E1:23:88:EB:7E:BD:E8:3A:11:1D:3B:0A:9B:43
            X509v3 Authority Key Identifier:
                keyid:49:96:78:FE:7D:8B:E1:23:88:EB:7E:BD:E8:3A:11:1D:3B:0A:9B:43
                DirName:/C=US/ST=New York/O=Acme/CN=acme.com/emailAddress=public@acme.com
                serial:89:4E:B4:BB:32:3D:1B:6B

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  8 11:09:58 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Create SSL cert for web server

$ openssl genrsa  -out secure.acme.com.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..........................................++++++
e is 65537 (0x10001)

user@localhost /e/Apache2/conf/ssl.key
$ openssl req -new -key secure.acme.com.key -out secure.acme.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:secure.acme.com
Email Address []:public@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the requet

user@localhost /e/Apache2/conf/ssl.key
$ openssl ca -in secure.acme.com.csr -out secure.acme.com.crt

copy secure.acme.com.crt to the apache ssl.crt directory
configure apache to point to the domain.crt and domain.key files
How to import the CA certificate
copy cacert.pem from CA/cacert.pem onto web server as cacert.crt ensure that there is line
AddType application/x-x509-ca-cert .crt
Have browser goto that certificate. eg https://secure.acme.com/cacert.crt Click "Trust this CA to identify web sites." (well, just click all three. Do you trust it or not? Your are the one that just made it!).
Generate wild card cerificate
Enter *.acme.com into the common name when requested.
$ openssl genrsa -out star.acme.com.key 1024 $ openssl req -new -key star.acme.com.key -out star.acme.com.csr -days 3650

Todo:
Links

http://www.onlamp.com/pub/a/onlamp/2003/02/06/linuxhacks.html
http://www.rapidssl.com/ssl-certificate-support/generate-csr/apache_mod_ssl.htm
http://www.justinsamuel.com/2006/03/11/howto-create-a-self-signed-wildcard-ssl-certificate/

Last Change: Saturday, 09-Feb-2008 10:20:03 EST
Disclaimer
The information provided within these pages is provided AS IS, and without any warranty. Following these directions may (but not limited to) crash your computer, delete all the information on your hard disk, open up security holes or cause your house to burn down. I made these pages to provide some information about the setup that I have done, but I did not proofread it for correctness, and in most cases did not test it. There are commands in these pages that would definately delete or corrupt all the data on your computer (especially the dualboot section). In fact it happened to me.... So you are on your own!

Cameron Gregory