Certificates
A bunch of services need a signed certificate. In the interest of making those warning messages at least different, we are setting up a simple CA. These files have been set up in root's home directory on gryla.dev.ru.is.
This means that these are Ubuntu 12.04 LTS specific directions. Paths will vary for other flavors of Linux.
Jabber clients in particular hate self-signed certificates.
References
- How to Setup a CA http://pages.cs.wisc.edu/~zmiller/ca-howto/
Generating the CA
Taken from the "How to Setup a CA" in the References.
Setting up the defaults
- Adjust the standard defaults (Debian).
sudo su -
cd /etc/ssl
emacs /etc/ssl/openssl.cnf
- Change the section under "req_distinguished_name"
Generate the keys and general setup
- Generate the key and set the passphrase. (hint: evil cat, no capitals)
cd /etc/ssl
openssl genrsa -des3 -out private/cakey.pem 1024
- Self sign the cert
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem
- Common Name: ROOT CA
- Email: leave this blank!!
- Examine the cert
openssl x509 -noout -text -in cacert.pem
- Set up the directory structure and start files
mkdir -p /etc/ssl/newcert
echo "01" > /etc/ssl/serial
touch /etc/ssl/index.txt
perl -e "print int(rand(90)+10)" > rand
Generate a jabber host key and sign it
Note: these directions are incomplete because I'm trying out updated directions on star certificates at:
http://blog.bigdinosaur.org/openfire-and-ssl-slash-tls-certificates/
- Generate the key and signing request. (no password)
openssl req -newkey rsa:1024 -keyout host_jabber.ru.is-key.pem -nodes -out host_jabber.ru.is-req.pem
- Now sign the key
openssl ca -out jabber.ru.is-crt.pem -infiles host_jabber.ru.is-req.pem
- Now convert the certificate to PKCS#7 format
openssl crl2pkcs7 -nocrl -certfile jabber.ru.is-crt.pem -out jabber.ru.is-crt.p7b -certfile cacert.pem
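A check to run on a signed host certificate before installing it on the Jabber server, added here as an example and not part of the original directions: it confirms that the certificate chains to the CA, carries the expected Common Name, matches its private key and meets a minimum key size. The demo builds a throwaway CA with openssl x509 -req instead of openssl ca so it needs no openssl.cnf changes; the host name jabber.example.test, the file names and the 2048-bit minimum are assumptions of the example.

```shell
#!/bin/sh
# Added example. All names (jabber.example.test, DEMO ROOT CA, file names)
# and the 2048-bit minimum are constructed for the demo.

# make_demo_pki DIR CN BITS: throwaway CA plus one signed host certificate.
# Signs with "openssl x509 -req" instead of "openssl ca", so the demo needs
# no openssl.cnf edits and no serial/index.txt files.
make_demo_pki() {
    dir=$1 cn=$2 bits=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=DEMO ROOT CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey "rsa:$bits" -nodes -subj "/CN=$cn" \
        -keyout "$dir/host-key.pem" -out "$dir/host-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/host-req.pem" -days 1 -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/host-crt.pem" 2>/dev/null
}

# check_host_cert CACERT CERT KEY CN MINBITS: returns 0 only if all checks pass.
check_host_cert() {
    ca=$1 crt=$2 key=$3 cn=$4 min=$5
    # 1. The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: does not chain to $ca"; return 1; }
    # 2. The subject CN must be the host name clients connect to.
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" | sed 's/^subject= *//')
    case ",$subj," in
        *",CN=$cn,"*) ;;
        *) echo "FAIL: subject '$subj' has no CN=$cn"; return 1 ;;
    esac
    # 3. The private key must belong to this certificate (same RSA modulus).
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    # 4. The public key must be at least MINBITS long.
    bits=$(openssl x509 -noout -text -in "$crt" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" -ge "$min" ] || { echo "FAIL: $bits-bit key, want >= $min"; return 1; }
    echo "OK: $cn, $bits-bit key, chains to CA"
}

tmp=$(mktemp -d)
make_demo_pki "$tmp" jabber.example.test 2048
check_host_cert "$tmp/cacert.pem" "$tmp/host-crt.pem" "$tmp/host-key.pem" \
    jabber.example.test 2048
rm -rf "$tmp"
```

With the files from the steps above, the arguments would be cacert.pem, jabber.ru.is-crt.pem, host_jabber.ru.is-key.pem and the host's Common Name.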
Updated by Joseph Foley over 9 years ago · 1 revisions