Using the local certificate authority
From Wikitech
Go to the CA directory
cd <...>
Create a key for the server
openssl genrsa -out keys/<server>-<keyfunction>.key 2048
Create a certificate request
openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr
Ensure you provide the following information to the above command:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wikimedia Foundation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<fully.qualified.domain.name.of.server>
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the certificate
openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825
Create a bundle for the server
pwgen <some-large-number>
tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.cert
Encrypt the bundle for transport
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E
Decrypt the bundle on the target server
openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz.E -out bf/<server>-<keyfunction>.tar.gz
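The whole procedure above, run end to end in a scratch directory, as an added example that is not part of the Wikitech page. It assumes only openssl and tar on PATH: a constructed throwaway CA stands in for the real ca.key/ca.cert, the CSR prompts are answered with -subj, `openssl rand` replaces pwgen, and AES-256-CBC with PBKDF2 replaces `openssl bf`, since OpenSSL 3 moved Blowfish to the legacy provider. The checks at the end (chain, subject, key/cert match, round-tripped bundle) are the ones worth running before a bundle is shipped.

```shell
#!/bin/sh
# Added example, not the Wikitech page's own script. Assumes openssl and tar.
# Substitutions for unattended use: constructed throwaway CA instead of the
# real ca.key/ca.cert, -subj instead of the interactive prompts, `openssl rand`
# instead of pwgen, AES-256-CBC+PBKDF2 instead of `openssl bf` (legacy in 3.x).
set -eu

SUBJ_BASE="/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation"

# issue_and_verify SERVER KEYFUNCTION FQDN -> prints the scratch directory.
# Body is a subshell, so `exit 1` only aborts this function, and cd is local.
issue_and_verify() (
  server=$1 fn=$2 fqdn=$3
  work=$(mktemp -d)
  cd "$work"
  mkdir keys csrs certs bundles bf
  # constructed CA standing in for the existing ca.key / ca.cert
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cert -days 30 \
    -subj "$SUBJ_BASE/CN=Example Local CA" 2>/dev/null
  # server key, CSR and CA-signed certificate (the key/request/certificate steps)
  openssl genrsa -out "keys/$server-$fn.key" 2048 2>/dev/null
  openssl req -new -key "keys/$server-$fn.key" -out "csrs/$server-$fn.csr" \
    -subj "$SUBJ_BASE/CN=$fqdn"
  openssl x509 -req -in "csrs/$server-$fn.csr" -out "certs/$server-$fn.cert" \
    -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825 2>/dev/null
  # bundle, transport password, encrypt (the bundle/encrypt steps)
  pw=$(openssl rand -base64 24)
  tar -czf "bundles/$server-$fn.tar.gz" "keys/$server-$fn.key" "certs/$server-$fn.cert"
  openssl enc -aes-256-cbc -pbkdf2 -a -pass "pass:$pw" \
    -in "bundles/$server-$fn.tar.gz" -out "bf/$server-$fn.tar.gz.E"
  # decrypt as the target server would and confirm the bundle survived intact
  openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:$pw" \
    -in "bf/$server-$fn.tar.gz.E" -out "bf/$server-$fn.tar.gz"
  cmp -s "bundles/$server-$fn.tar.gz" "bf/$server-$fn.tar.gz" || exit 1
  # pre-shipping checks: chains to the CA, names the host, cert matches the key
  openssl verify -CAfile ca.cert "certs/$server-$fn.cert" >/dev/null || exit 1
  openssl x509 -in "certs/$server-$fn.cert" -noout -subject | grep -q "CN *= *$fqdn" || exit 1
  [ "$(openssl x509 -in "certs/$server-$fn.cert" -noout -pubkey)" = \
    "$(openssl pkey -in "keys/$server-$fn.key" -pubout)" ] || exit 1
  echo "$work"
)

# constructed sample: server web1, key function tls
issue_and_verify web1 tls web1.example.org
```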