Using the local certificate authority
From Wikitech
(Difference between revisions)
(Created page with '== Go to the CA directory == <source lang=bash> cd <...> </source> == Create a key for the server == <source lang=bash> openssl genrsa -out keys/<server>-<keyfunction>.key 204...') |
(→Go to the CA directory) |
||
| (7 intermediate revisions by one user not shown) | |||
| Line 2: | Line 2: | ||
<source lang=bash> | <source lang=bash> | ||
| − | cd < | + | cd /root/ca |
| + | </source> | ||
| + | |||
| + | == Set your umask == | ||
| + | |||
| + | <source lang=bash> | ||
| + | umask 077 | ||
</source> | </source> | ||
| Line 19: | Line 25: | ||
Ensure you provide the following information to the above command: | Ensure you provide the following information to the above command: | ||
| − | Country Name (2 letter code) [ | + | Country Name (2 letter code) [US]: |
| − | State or Province Name (full name) [ | + | State or Province Name (full name) [California]: |
| − | Locality Name (eg, city) []: | + | Locality Name (eg, city) [San Francisco]: |
| − | Organization Name (eg, company) [ | + | Organization Name (eg, company) [Wikimedia Foundation]: |
Organizational Unit Name (eg, section) []: | Organizational Unit Name (eg, section) []: | ||
Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server> | Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server> | ||
| Line 35: | Line 41: | ||
<source lang=bash> | <source lang=bash> | ||
| − | openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>. | + | openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1825 |
</source> | </source> | ||
| + | |||
| + | == Create a PKCS12 certificate == | ||
| + | |||
| + | <source lang=bash> | ||
| + | openssl pkcs12 -export -in certs/<server>-<keyfunction>.pem -inkey keys/<server>-<keyfunction>.key -out p12s/<server>-<keyfunction>.p12 | ||
| + | </source> | ||
| + | |||
| + | You ''can'' set a blank passphrase for the p12, but some things won't be able to import a p12 with a blank passphrase. Some simple default password is recommended. Guard the p12 as if you would a key, as the p12 is a bundle of the cert and the key. Don't assume the passphrase makes it safe! | ||
== Create a bundle for the server == | == Create a bundle for the server == | ||
<source lang=bash> | <source lang=bash> | ||
| − | + | tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.pem p12s/<server>-<keyfunction>.p12 | |
| − | tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>. | + | |
</source> | </source> | ||
| Line 48: | Line 61: | ||
<source lang=bash> | <source lang=bash> | ||
| + | pwgen <some-large-number> | ||
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E | openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E | ||
</source> | </source> | ||
Latest revision as of 13:37, 25 June 2012
Contents |
[edit] Go to the CA directory
cd /root/ca
[edit] Set your umask
umask 077[edit] Create a key for the server
openssl genrsa -out keys/<server>-<keyfunction>.key 2048
[edit] Create a certificate request
openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr
Ensure you provide the following information to the above command:
Country Name (2 letter code) [US]: State or Province Name (full name) [California]: Locality Name (eg, city) [San Francisco]: Organization Name (eg, company) [Wikimedia Foundation]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server> Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
[edit] Create the certificate
openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.pem -CA ca.pem -CAkey ca.key -CAcreateserial -days 1825
[edit] Create a PKCS12 certificate
openssl pkcs12 -export -in certs/<server>-<keyfunction>.pem -inkey keys/<server>-<keyfunction>.key -out p12s/<server>-<keyfunction>.p12
You can set a blank passphrase for the p12, but some things won't be able to import a p12 with a blank passphrase. Some simple default password is recommended. Guard the p12 as if you would a key, as the p12 is a bundle of the cert and the key. Don't assume the passphrase makes it safe!
[edit] Create a bundle for the server
tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.pem p12s/<server>-<keyfunction>.p12
[edit] Encrypt the bundle for transport
pwgen <some-large-number> openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E
[edit] Decrypt the bundle on the target server
openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz.E -out bf/<server>-<keyfunction>.tar.gz
