Using the local certificate authority
From Wikitech
Revision as of 20:49, 12 October 2010
Go to the CA directory
cd <...>
Create a key for the server
openssl genrsa -out keys/<server>-<keyfunction>.key 2048
Create a certificate request
openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr
Ensure you provide the following information to the above command:
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [Wikimedia Foundation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server>
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the certificate
openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825
Create a bundle for the server
pwgen <some-large-number>
tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.cert
Encrypt the bundle for transport
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E
Decrypt the bundle on the target server
openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz.E -out bf/<server>-<keyfunction>.tar.gz
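The following shell script is an added example, not part of this wiki page: it runs the key, CSR, signing and bundle steps above non-interactively (the prompt answers go in via -subj) and then checks what the procedure never verifies before a bundle is shipped, namely that the issued certificate chains to ca.cert, carries the intended Common Name, and matches the private key placed in the bundle. It assumes nothing on disk: make_test_ca creates a throwaway CA in a temporary directory, the server name www-https and host www.example.invalid are constructed, and the bf transport encryption step is left as on the page.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Mirrors the page's key -> CSR -> cert
# -> bundle sequence, then checks the issued certificate before it is shipped.
set -eu

# Subject fields the page tells you to enter at the interactive prompts.
SUBJ_PREFIX="/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation"

# make_test_ca CA_DIR: constructed throwaway CA so the script runs without a
# real CA directory; in real use ca.cert and ca.key already exist there.
make_test_ca() {
  mkdir -p "$1/keys" "$1/csrs" "$1/certs" "$1/bundles"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$1/ca.key" \
    -out "$1/ca.cert" -subj "$SUBJ_PREFIX/CN=Local Test CA" 2>/dev/null
}

# issue_cert CA_DIR NAME FQDN: the page's genrsa / req / x509 / tar steps,
# with -subj replacing the interactive prompts so it can run unattended.
issue_cert() {
  ca=$1; name=$2; fqdn=$3
  openssl genrsa -out "$ca/keys/$name.key" 2048 2>/dev/null
  openssl req -new -key "$ca/keys/$name.key" -out "$ca/csrs/$name.csr" \
    -subj "$SUBJ_PREFIX/CN=$fqdn"
  openssl x509 -req -in "$ca/csrs/$name.csr" -out "$ca/certs/$name.cert" \
    -CA "$ca/ca.cert" -CAkey "$ca/ca.key" -CAcreateserial -days 1825 2>/dev/null
  tar -czf "$ca/bundles/$name.tar.gz" -C "$ca" "keys/$name.key" "certs/$name.cert"
}

# check_cert CA_DIR NAME FQDN: returns 0 only if the cert chains to ca.cert,
# its Common Name is FQDN, and its public key is the one derived from NAME.key.
check_cert() {
  ca=$1; name=$2; fqdn=$3
  cert="$ca/certs/$name.cert"; key="$ca/keys/$name.key"
  openssl verify -CAfile "$ca/ca.cert" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn\$" || return 1
  # Public key embedded in the cert must equal the one derived from the private key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
}

# Demo run in a temporary directory (all names constructed): sh thisfile.sh demo
demo() {
  ca=$(mktemp -d)
  make_test_ca "$ca"
  issue_cert "$ca" "www-https" "www.example.invalid"
  check_cert "$ca" "www-https" "www.example.invalid" && echo "www-https: OK"
  rm -rf "$ca"
}
if [ "${1:-}" = demo ]; then demo; fi
```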