Using the local certificate authority
From Wikitech
Go to the CA directory
cd /etc/ca
Create a key for the server
openssl genrsa -out keys/<server>-<keyfunction>.key 2048
Create a certificate request
openssl req -new -key keys/<server>-<keyfunction>.key -out csrs/<server>-<keyfunction>.csr
The command prompts for the following; accept the bracketed defaults and set the Common Name to the server's fully qualified domain name:
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [San Francisco]:
Organization Name (eg, company) [Wikimedia Foundation]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: <fully.qualified.domain.name.of.server>
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Create the certificate
openssl x509 -req -in csrs/<server>-<keyfunction>.csr -out certs/<server>-<keyfunction>.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825
Create a bundle for the server
pwgen <some-large-number>
tar -czvf bundles/<server>-<keyfunction>.tar.gz keys/<server>-<keyfunction>.key certs/<server>-<keyfunction>.cert
pwgen prints candidate passwords of the given length; pick one of them as the password for the encryption step below.
Encrypt the bundle for transport
openssl bf -e -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz -out bf/<server>-<keyfunction>.tar.gz.E
Decrypt the bundle on the target server
openssl bf -d -a -pass pass:<password-selected-from-pwgen> -in bundles/<server>-<keyfunction>.tar.gz.E -out bf/<server>-<keyfunction>.tar.gz
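The whole procedure as an added shell example (not the page's own script): it runs the page's steps end to end in a scratch directory, creating a throwaway CA first because the page assumes /etc/ca already holds ca.cert and ca.key. It assumes openssl (1.1.1 or 3.x) and tar are on PATH; the server name web1.example.internal and key function https are placeholders, openssl rand stands in for pwgen, and the bundle is encrypted with aes-256-cbc plus PBKDF2 instead of bf, because Blowfish sits in OpenSSL 3's legacy provider and openssl bf fails unless that provider is loaded. Beyond the page, it supplies the CSR subject non-interactively with -subj, adds a subjectAltName when signing (x509 -req does not copy extensions from the CSR, and TLS clients ignore the CN), and verifies the result before it is shipped: the certificate chains to the CA and its public key matches the private key in the bundle.

```shell
#!/bin/sh
# Added example, not the Wikitech page's own script: the page's steps run end to end in a
# scratch directory. A throwaway CA is created first so the script runs stand-alone; the
# page itself assumes /etc/ca already holds ca.cert and ca.key. Assumes openssl (1.1.1 or
# 3.x) and tar on PATH. Server name and key function below are placeholder values.
set -eu

SERVER="${SERVER:-web1.example.internal}"   # stands in for <server> (placeholder)
KEYFUNC="${KEYFUNC:-https}"                 # stands in for <keyfunction> (placeholder)
NAME="$SERVER-$KEYFUNC"

# setup_ca DIR: directory layout plus a self-signed CA. Not a page step; only here so
# there is a ca.cert/ca.key pair to sign with. CA:TRUE and keyCertSign are set explicitly
# so that 'openssl verify' accepts the issued certificate regardless of openssl.cnf.
setup_ca() {
    mkdir -p "$1/keys" "$1/csrs" "$1/certs" "$1/bundles" "$1/bf"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -key "$1/ca.key" -subj "/O=Example Local CA/CN=Example Root" -out "$1/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -out "$1/ca.cert" \
        -days 3650 -sha256 -extfile "$1/ca.ext" 2>/dev/null
}

# issue_cert: the page's key, CSR, certificate and bundle steps, run inside $CA_DIR
# (a subshell body, so the cd does not leak into the caller).
issue_cert() (
    cd "$CA_DIR"
    openssl genrsa -out "keys/$NAME.key" 2048 2>/dev/null
    # -subj supplies the answers the page shows being typed at the prompts
    openssl req -new -key "keys/$NAME.key" -out "csrs/$NAME.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=$SERVER"
    # x509 -req copies no extensions from the CSR, so the SAN and server-auth EKU
    # are supplied through -extfile
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$SERVER" > "csrs/$NAME.ext"
    openssl x509 -req -in "csrs/$NAME.csr" -out "certs/$NAME.cert" \
        -CA ca.cert -CAkey ca.key -CAcreateserial -days 1825 -sha256 \
        -extfile "csrs/$NAME.ext" 2>/dev/null
    tar -czf "bundles/$NAME.tar.gz" "keys/$NAME.key" "certs/$NAME.cert"
)

# gen_password: stands in for 'pwgen <some-large-number>' (32 random base64 characters)
gen_password() {
    openssl rand -base64 24
}

# encrypt_bundle PASSWORD: the page's transport step, but with aes-256-cbc + PBKDF2;
# 'openssl bf' needs the legacy provider on OpenSSL 3 and Blowfish is a 64-bit block cipher.
encrypt_bundle() {
    openssl enc -aes-256-cbc -pbkdf2 -a -pass "pass:$1" \
        -in "$CA_DIR/bundles/$NAME.tar.gz" -out "$CA_DIR/bf/$NAME.tar.gz.E"
}

# decrypt_bundle PASSWORD DESTDIR: what the target server runs on the copied .E file
decrypt_bundle() {
    mkdir -p "$2"
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "pass:$1" \
        -in "$CA_DIR/bf/$NAME.tar.gz.E" -out "$2/$NAME.tar.gz"
    tar -xzf "$2/$NAME.tar.gz" -C "$2"
}

# verify_issued DIR: the checks worth running before deploying the unpacked bundle:
# the cert chains to the CA, and the cert's public key matches the shipped private key.
verify_issued() {
    openssl verify -CAfile "$CA_DIR/ca.cert" "$1/certs/$NAME.cert" >/dev/null
    k=$(openssl pkey -in "$1/keys/$NAME.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$1/certs/$NAME.cert" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# run_demo: the full flow in a fresh temporary directory
run_demo() {
    WORK=$(mktemp -d)
    CA_DIR="$WORK/ca"
    setup_ca "$CA_DIR"
    issue_cert
    PW=$(gen_password)
    encrypt_bundle "$PW"
    decrypt_bundle "$PW" "$WORK/target"
    verify_issued "$WORK/target"
    echo "issued, bundled and verified $NAME under $WORK"
}

run_demo
```

Run it as-is, or with SERVER and KEYFUNC set in the environment to change the placeholder names; it leaves the CA, bundle and decrypted copy under the printed temporary directory for inspection. The verification step is the part most worth keeping in a real workflow: a key/certificate mismatch or a certificate that does not chain to ca.cert is only otherwise discovered when the service fails to start.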