
Re: certificate server



Quoting Jeff (debian0309@aquabolt.com):

> If you understand how a CA works, then it's easy peasy. If not, you
> will need to understand how a CA works before you dive in.
> 
> The documentation is poor, and last I looked, there were not many
> examples - it seems to still have a whiff of the arcane.

Here are my notes on the subject, stored at
http://linuxmafia.com/~rick/linux-info/ssl-cert-self-signed :



See also:
http://www.thawte.com/support/server/apache/apache-vfaq.html
http://slacksite.com/apache/certificate.html

We'll generate three files, and end up using two of them.  First, we
generate the RSA keypair (client.key, which is in BASE64 PEM format,
which is why the file often has a .pem filename extension).

Then, we generate a CSR = Certificate Signing Request file (client.csr),
which associates the key with the organisation's identity (specified in
X.509 format, which is similar to LDAP/X.500), and could theoretically
be shipped off to Verisign or another Certificate Authority (CA) to be
digitally signed.  Last, we have Client purport to self-sign the CSR
file (in lieu of a CA), resulting in client.crt, the certificate file --
at which point client.csr can be discarded.  All of this is done with
the "openssl" binary.

And then Apache must be configured to use the two files, and restarted.
That's it.  So:

$ openssl  genrsa  -rand file1:file2[...]  -out client.key  1024

You give several filespecs delimited by colons to give openssl enough
entropy to work with.  We're omitting the "-des3" switch, which causes
the private key to be stored in symmetrically-encrypted form to protect
it against being stolen by shell users, the downside of which is Client
would have to supply the 3DES key to read the private key every time
Apache restarts.  Which is a _big_ downside, and is why almost nobody
ever does it.

$ openssl  req  -new  -key client.key  -out client.csr

You'll be prompted for several strings to build an X.500-style
Distinguished Name (two-letter country name, state, city, organisation,
Apache hostname, administrative e-mail address).  It's important that
the hostname match what's specified in httpd.conf, or users will get a
warning about the mismatch.

Now, you get to generate the actual cert, and decide how many days from
today's date it should expire.  (In this example, we say two years = 730.)

$ openssl  x509  -req  -days 730  -in client.csr  -signkey client.key  -out client.crt

Last, we find the SSLCertificateFile and SSLCertificateKeyFile lines in
httpd.conf, put the two client.* files in the indicated directories,
edit the two httpd.conf lines, save, and restart Apache.

-- 
Cheers,                             * Contributing Editor, Linux Gazette *
Rick Moen                       -*- See the Linux Gazette in its new home: -*-
rick@linuxmafia.com                       <http://linuxgazette.net/>         
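The three openssl steps from the notes above, run non-interactively and followed by the checks an administrator would make before pointing Apache at the files. This is an added example, not code from the original post or from Rick's notes: the hostname, the Distinguished Name fields, the output directory and the 2048-bit key size (in place of the 1024 shown in the notes) are assumptions, and the "-rand" switch is left out because current OpenSSL builds seed themselves from the operating system.

```shell
#!/bin/sh
# Added example (not part of the original post): generate an unencrypted RSA
# key, a CSR and a self-signed certificate for one hostname, then verify that
# the certificate really belongs to the key and carries the expected CN.
set -eu

# make_self_signed_cert HOST [DIR] [DAYS]
# Writes DIR/client.key and DIR/client.crt; the CSR is removed afterwards,
# as the notes say it can be once the certificate exists.
make_self_signed_cert() {
    host=$1
    dir=${2:-.}
    days=${3:-730}   # two years, the value used in the notes

    # Step 1: RSA keypair, stored unencrypted (no -des3) so that Apache can
    # restart without someone typing a passphrase. Key size is an assumption.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    chmod 600 "$dir/client.key"   # the key is only as safe as its file mode

    # Step 2: CSR. -subj supplies the DN fields that "openssl req" would
    # otherwise prompt for (constructed values). CN must equal the hostname
    # Apache serves, or browsers warn about the mismatch.
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=US/ST=California/L=Menlo Park/O=Example Org/CN=$host"

    # Step 3: self-sign the CSR with the same key, in lieu of a CA.
    openssl x509 -req -days "$days" -in "$dir/client.csr" \
        -signkey "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    rm -f "$dir/client.csr"
}

# cert_matches_key CRT KEY: succeed only if the public key embedded in the
# certificate is the one derived from the private key (catches mixed-up files).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_cn CRT: print the CN from the certificate subject, to compare against
# the hostname configured in httpd.conf.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# apache_ssl_lines DIR: the two httpd.conf directives that must point at the
# generated files (directory path is whatever you chose above).
apache_ssl_lines() {
    printf 'SSLCertificateFile %s/client.crt\nSSLCertificateKeyFile %s/client.key\n' "$1" "$1"
}

# Usage: ./selfsigned.sh www.example.test /etc/apache/ssl
if [ $# -ge 1 ]; then
    outdir=${2:-.}
    make_self_signed_cert "$1" "$outdir"
    cert_matches_key "$outdir/client.crt" "$outdir/client.key" \
        && echo "certificate and key match"
    echo "certificate CN: $(cert_cn "$outdir/client.crt")"
    apache_ssl_lines "$outdir"
fi
```

Running the script with a hostname prints the two directives to paste into httpd.conf; the "certificate and key match" line is the check worth keeping in any cert-rotation procedure, since a mismatched pair is only discovered when Apache refuses to start.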


