Using the local certificate authority
From Wikitech
Revision as of 21:55, 28 December 2011
Go to the CA directory
cd /etc/ca
Set your umask
umask 077
Create a key for the server
openssl genrsa -out keys/<server>-<keyfunction>.key 2048
Create a certificate request
openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr
Answer the prompts of the above command as follows. The bracketed values are the defaults and can be accepted with Enter; the Common Name is the only field you must type, and it must be the server's fully qualified domain name. Leave the challenge password and the optional company name empty.

Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [Wikimedia Foundation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: <fully.qualified.domain.name.of.server>
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the certificate
openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1825
-CAcreateserial writes the serial number file ca.srl next to ca.pem on first use and updates it on every later signing; keep that file with the CA so two certificates never get the same serial. Note that openssl x509 -req copies no extensions from the CSR, so the certificate produced this way has no subjectAltName and no key usage; clients that match the host name against subjectAltName rather than the Common Name will reject it unless you add the extensions with -extfile.
Create a PKCS12 certificate
openssl pkcs12 -export -in certs/<server>-<keyfunction>.pem -inkey keys/<server>-<keyfunction>.key -out p12s/<server>-<keyfunction>.p12
You can set a blank passphrase on the p12, but some software cannot import a p12 with a blank passphrase, so a simple default password is recommended. Guard the p12 as you would the key itself: it is a bundle of the certificate and the private key, and the passphrase does not make it safe to leave lying around.
Create a bundle for the server
tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.pem p12s/<server>-<keyfunction>.p12
Encrypt the bundle for transport
Generate a one-time password, then encrypt the bundle with it:
pwgen <some-large-number>
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E
Send the password to the target over a different channel from the .E file. Be aware that -pass pass: places the password on the command line, where other users can read it from the process list and where it is recorded in your shell history; -pass file:<path> (a file with mode 0600) or -pass stdin avoids both. Blowfish (bf) is a legacy 64-bit block cipher, and OpenSSL 3 only provides it through the legacy provider; openssl enc -aes-256-cbc -pbkdf2 is the current equivalent.
Decrypt the bundle on the target server
After copying the .E file to the target, decrypt it with the same password (adjust the paths to wherever you placed the file):
openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz.E -out bf/<server>-<keyfunction>.tar.gz
Unpack the tarball with umask 077 so the key stays readable only by root, and remove both the tarball and the .E file once the key, certificate and p12 are installed.
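The whole procedure above, from key generation to the decrypt-and-verify step on the target, as one runnable script. This is an added example, not the wiki's or the Wikimedia CA's own tooling. It works in a scratch directory instead of /etc/ca and mints a throwaway CA there so it runs stand-alone; the directory layout (keys, csrs, certs, p12s, bundles, bf) is the one the page uses. The deliberate departures from the page are called out in comments: -subj replaces the interactive prompts, the server certificate gets explicit v3 extensions including subjectAltName, the p12 and transport passphrases are supplied through -passout and -pass file: rather than typed or placed on the command line, and the transport cipher is AES-256-CBC with PBKDF2 in place of Blowfish. CA_DIR, P12_PASS and the host name db1.example.org are constructed values.

```shell
#!/bin/sh
# Added example (not the wiki page's own script): the issuance procedure as
# shell functions, run against a throwaway CA in a scratch directory.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"          # stands in for /etc/ca (constructed)
P12_PASS="${P12_PASS:-changeit}"          # the "simple default password" the page allows (constructed)

setup_ca() {                  # directory layout plus a throwaway CA with proper CA extensions
    umask 077
    mkdir -p "$CA_DIR/keys" "$CA_DIR/csrs" "$CA_DIR/certs" \
             "$CA_DIR/p12s" "$CA_DIR/bundles" "$CA_DIR/bf"
    cd "$CA_DIR"
    [ -f ca.pem ] && return 0
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -out ca.csr \
        -subj "/C=US/ST=California/O=Wikimedia Foundation/CN=Example local CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out ca.pem 2>/dev/null
}

issue_server_cert() {         # usage: issue_server_cert <server> <keyfunction>
    server="$1" name="$1-$2"
    cd "$CA_DIR"; umask 077
    openssl genrsa -out "keys/$name.key" 2048 2>/dev/null
    # -subj replaces the prompts; CN is the server's FQDN as the page requires
    openssl req -new -key "keys/$name.key" -out "csrs/$name.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=$server"
    # x509 -req adds no extensions on its own; without subjectAltName current
    # TLS clients will not match the certificate to the host name.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$server" > "csrs/$name.ext"
    openssl x509 -req -in "csrs/$name.csr" -out "certs/$name.pem" \
        -CA ca.pem -CAkey ca.key -CAcreateserial -days 1825 -sha256 \
        -extfile "csrs/$name.ext" 2>/dev/null
    openssl pkcs12 -export -in "certs/$name.pem" -inkey "keys/$name.key" \
        -out "p12s/$name.p12" -passout "pass:$P12_PASS"
    tar -czf "bundles/$name.tar.gz" "keys/$name.key" "certs/$name.pem" "p12s/$name.p12"
}

encrypt_bundle() {            # usage: encrypt_bundle <server> <keyfunction>
    name="$1-$2"
    cd "$CA_DIR"
    # Random passphrase in a 0600 file (stands in for pwgen); -pass file: keeps it
    # out of `ps` output and shell history, unlike the page's -pass pass:.
    # AES-256-CBC with PBKDF2 replaces Blowfish, which OpenSSL 3 only ships as legacy.
    openssl rand -base64 32 > "bf/$name.pass"
    openssl enc -aes-256-cbc -pbkdf2 -salt -a -pass "file:bf/$name.pass" \
        -in "bundles/$name.tar.gz" -out "bf/$name.tar.gz.E"
}

decrypt_bundle() {            # usage: decrypt_bundle <in.E> <passfile> <out.tar.gz>  (target side)
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$2" -in "$1" -out "$3"
}

verify_issued() {             # usage: verify_issued <server> <keyfunction>; prints OK on success
    name="$1-$2"
    cd "$CA_DIR" &&
    openssl verify -CAfile ca.pem "certs/$name.pem" | grep -q ': OK$' &&
    openssl x509 -in "certs/$name.pem" -noout -text | grep -q "DNS:$1" &&
    openssl pkcs12 -in "p12s/$name.p12" -passin "pass:$P12_PASS" -nokeys -noout &&
    decrypt_bundle "bf/$name.tar.gz.E" "bf/$name.pass" "bf/$name.roundtrip.tar.gz" &&
    cmp -s "bundles/$name.tar.gz" "bf/$name.roundtrip.tar.gz" &&
    echo OK
}

# Stand-alone use: sh issue.sh <server> <keyfunction>
if [ $# -ge 2 ]; then
    setup_ca && issue_server_cert "$1" "$2" && encrypt_bundle "$1" "$2" && verify_issued "$1" "$2"
fi
```

verify_issued is the check the page leaves implicit: the issued certificate chains to ca.pem, carries the host name as a subjectAltName, the p12 opens with its passphrase, and the transported bundle decrypts byte-for-byte to the original. Running it on the target after decrypt_bundle catches a wrong passphrase or a corrupted transfer before anything is installed.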