SSL_Cert_creation.txt Guest on 26th June 2020 08:09:36 PM
The following concerns creating SSL certificates for use with SSL servers;
i.e., www, imap, ldap, etc.

x.509 certificates will/should be created in /infosys/x509.
To enable this, you must use -config /infosys/x509/openssl.cnf in each of the
below commands.
As a result of using a centralized file (openssl.cnf), each certificate created
will have the same signing authority (CA), which is our self-signed CA
certificate.
Also, to enable advanced features such as having 'alias' hostnames recognized
by a certificate, you should edit /infosys/x509/openssl.cnf such that:
        # This stuff is for subjectAltName and issuerAltName.
        # Uncomment (and edit) for "aliases" the cert will recognize
        subjectAltName=DNS:ldap.cs.caltech.edu, DNS:butterfish
appropriately reflects the machine's name(s) for the X.509 certificate.


In /infosys/x509:
Create a certificate request with an RSA key:
        openssl req -config /infosys/x509/openssl.cnf -newkey rsa:1024 -keyout rsakey.pem -out req.pem
        NOTE: when prompted, make sure to state the FQDN of the server

Remove the pass phrase from the private RSA key (and output in PEM format):
        openssl rsa -in rsakey.pem -out key.pem -outform PEM

Sign the certificate request (the -config option is needed here too, so that
the request is signed by our CA):
        openssl ca -config /infosys/x509/openssl.cnf -in req.pem -extensions usr_cert -out newcert.pem

From this point, 'key.pem' will be the *null password* PRIVATE key file,
and 'newcert.pem' will be the SSL server certificate.

If needed,
generate DH parameters (the output message says that this takes a long time...
                        IT'S NOT KIDDING!!..about 20 minutes):
        openssl dhparam -outform PEM -out dhkeys.pem 1024
        # dhparam generates the parameters from scratch; its -in option only
        # reads existing DH parameters, so the RSA key is not an input here.

Put the results of all the above into a file whose name MAKES SENSE:
        cat key.pem newcert.pem dhkeys.pem > server.pem

Copy the file to the server, and configure the server to look for it.
Usually in a config file, it asks for the full path to the cert.
Courier-IMAP's IMAP-SSL config is in etc/imap-ssl.
Different servers look for the certificate file in different places...


REVOCATION:

        openssl ca -config /infosys/x509/openssl.cnf -revoke <certfile>
will record the certificate as revoked in the internal database of certs (index.txt).

        openssl ca -config /infosys/x509/openssl.cnf -gencrl
will generate a new CRL based on the information in 'index.txt' and output it to
STDOUT.
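The whole procedure above (request, pass-phrase removal, signing with the central config, revocation and CRL generation), as an added shell example that is not part of the original paste. It runs in a throwaway directory with a constructed stand-in for /infosys/x509/openssl.cnf and constructed hostnames, assumes a local openssl binary, and finishes by checking that a CRL-aware verify rejects the revoked certificate:

```shell
# Added example, not from the original paste: exercises the paste's CA workflow
# (request, strip pass phrase, sign, revoke, gencrl) in a throwaway directory and
# checks that the revoked certificate is rejected once the CRL is consulted.
# Assumes a local openssl binary; config, paths and hostnames are constructed.
ca_workflow_demo() (
  work=$(mktemp -d) && cd "$work" || return 1
  mkdir newcerts && touch index.txt && echo 01 > serial
  # Minimal stand-in for the central openssl.cnf, including the usr_cert SAN aliases.
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
certificate = cacert.pem
private_key = cakey.pem
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
subjectAltName = DNS:ldap.example.test, DNS:butterfish
EOF
  # Self-signed CA certificate (the paste's "our self-signed CA").
  openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout cakey.pem -out cacert.pem -subj /CN=Demo-CA -days 365 2>/dev/null || return 1
  # Server request with a pass-phrase-protected key, then strip the pass phrase.
  openssl req -new -config openssl.cnf -newkey rsa:2048 -passout pass:demo \
    -keyout rsakey.pem -out req.pem -subj /CN=ldap.example.test 2>/dev/null || return 1
  openssl rsa -in rsakey.pem -passin pass:demo -out key.pem 2>/dev/null || return 1
  openssl ca -batch -config openssl.cnf -in req.pem -extensions usr_cert \
    -out newcert.pem 2>/dev/null || return 1
  openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 || return 1
  # Revoke, regenerate the CRL, and confirm a CRL-aware verify now rejects the cert.
  openssl ca -config openssl.cnf -revoke newcert.pem 2>/dev/null || return 1
  openssl ca -config openssl.cnf -gencrl -out crl.pem 2>/dev/null || return 1
  cat cacert.pem crl.pem > trust_with_crl.pem
  openssl verify -crl_check -CAfile trust_with_crl.pem newcert.pem >/dev/null 2>&1 && return 2
  grep -q '^R' index.txt   # index.txt now carries an 'R' (revoked) entry
)
```

The function returns 0 only when the signed certificate verified against the CA and was then rejected after revocation; the 2048-bit keys are a modern choice rather than the paste's rsa:1024.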
