[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: certificate server

----- Original Message ----- 
From: "Rick Moen" <rick@linuxmafia.com>
To: <debian-security@lists.debian.org>
Sent: Tuesday, November 04, 2003 10:23 AM
Subject: Re: certificate server

> We'll generate three files, and end up using two of them.  First, we
> generate the RSA keypair (client.key, which is in BASE64 PEM format,
> which is why the file often has a .pem filename extension).

The use of Client is confusing - you actually appear to be generating what I
would call a self-signed server certificate for installation on one specific
webserver. This is for authenticating this signel Server to clients that browse
your website using HTTPS.

A Client Certificate is installed in a client's browser, and authenticates the
Client to the server, so that you know who is browsing your server.

> Then, we generate a CSR = Certificate Signing Request file (client.csr),
> $ openssl  genrsa  -rand file1:file2[...]  -out client.key  1024
> You give several filespecs delimited by colons to give openssl enough
> entropy to work with.  We're omitting the "-des3" switch, which causes
> $ openssl  req  -new  -key client.key  -out client.csr
> You'll be prompted for several strings to build an X.500-style
> $ openssl  x509  -req  -days 730  -in client.csr  -signkey client.key  -out

All sounds good for a single self-signed server certificate, but you would not
want to do this if you have 10s of web servers.

We use our CA - ie Certificate Authority to sign the web server keys, as we have
lots of web servers. We then only have to get the Clients to trust our CA's
public key, and ALL the web server certs become trusted.

# Generate crypto keys
openssl genrsa -out /etc/apache/ssl/xxx.key 2048

# Create a Certificate Signing Request *
openssl req -new -key /etc/apache/ssl/xxx.key -out /etc/apache/ssl/xxx.csr

# Use our CA to issue a certificate
openssl ca -config /etc/ca/openssl.cnf -in /etc/apache/ssl/xxx.csr
  -out /etc/apache/ssl/xxx.crt -days 1825 -extensions server_crt

* Important that during CSR the Common Name match the web server name that
browsers will use: eg www.xxx.com otherwise clients will all display a warning
that the server certificate does not match the name of the server.



Reply to: