Using the local certificate authority

From Wikitech

Revision as of 20:52, 12 October 2010


Go to the CA directory

cd /etc/ca

Create a key for the server

openssl genrsa -out keys/<server>-<keyfunction>.key 2048

Create a certificate request

openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr

Answer the prompts as follows; the Common Name must be the server's fully qualified domain name:

Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [Wikimedia Foundation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server>
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the request with the CA key to create the certificate (valid for 1825 days)

openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825

Create a bundle for the server

tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.cert

Encrypt the bundle for transport: generate a password with pwgen, then encrypt the bundle with it (Blowfish, base64-armored output)

pwgen <some-large-number>
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E

Decrypt the bundle on the target server (after copying the .E file there), using the same password

openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bf/<server>-<keyfunction>.tar.gz.E -out bundles/<server>-<keyfunction>.tar.gz
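The key, request and signing steps above, run end to end as an added example (not from the Wikitech page) against a throwaway CA, with the checks an operator should make before building the bundle: the issued cert chains to the CA, the private key matches it, and the CN is the requested FQDN. Assumes openssl, tar and mktemp on PATH; the CA subject, server name, key function and FQDN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Wikitech page: the page's key -> CSR -> signed cert
# steps, run in a scratch directory against a throwaway CA and verified before the
# bundle is built. Server name, key function and FQDN are constructed placeholders.
issue_and_verify() (
  server=$1; keyfunction=$2; fqdn=$3
  name="$server-$keyfunction"
  subj_base="/C=US/ST=California/L=San Francisco"
  ca_dir=$(mktemp -d) && cd "$ca_dir" && mkdir keys csrs certs bundles || return 1

  # Throwaway CA for the demo; on the real host ca.key and ca.cert already live in /etc/ca.
  openssl genrsa -out ca.key 2048 2>/dev/null &&
  openssl req -new -x509 -key ca.key -out ca.cert -days 3650 \
    -subj "$subj_base/O=Demo CA/CN=Demo Root CA" 2>/dev/null &&

  # The page's three commands, with -subj standing in for the interactive prompts.
  openssl genrsa -out "keys/$name.key" 2048 2>/dev/null &&
  openssl req -new -key "keys/$name.key" -out "csrs/$name.csr" \
    -subj "$subj_base/O=Wikimedia Foundation/CN=$fqdn" 2>/dev/null &&
  openssl x509 -req -in "csrs/$name.csr" -out "certs/$name.cert" \
    -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825 2>/dev/null &&

  # Check 1: the issued certificate chains to the CA that is supposed to have signed it.
  openssl verify -CAfile ca.cert "certs/$name.cert" >/dev/null &&

  # Check 2: the private key going into the bundle matches the certificate's public key.
  key_pub=$(openssl pkey -in "keys/$name.key" -pubout 2>/dev/null) &&
  cert_pub=$(openssl x509 -in "certs/$name.cert" -pubkey -noout) &&
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] &&

  # Check 3: the Common Name is the FQDN that was requested.
  openssl x509 -in "certs/$name.cert" -noout -subject | grep -q "CN *= *$fqdn" &&

  # Only a verified key/cert pair goes into the bundle the page ships to the server.
  tar -czf "bundles/$name.tar.gz" "keys/$name.key" "certs/$name.cert" &&
  echo "verified $name"
  rc=$?
  cd / && rm -rf "$ca_dir"
  return $rc
)

issue_and_verify srv1 ssl srv1.example.org
```

The encryption step's `-pass pass:<password>` form exposes the password in the process list and shell history; `-pass stdin` or `-pass file:<path>` keeps it out of both.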