Research and Development Network

h1. Certificates

A bunch of services need a signed certificate.  In the interest of making those warning messages at least different, we are setting up a simple CA.  These file have been setup in root's homedirectory on @gryla.dev.ru.is@  This means that these are Ubuntu 12.04LTS specific directions.  Paths will vary for other flavors of linux.

Jabber clients in particular hate self-signed certificates.

h2. References

* How to Setup a CA http://pages.cs.wisc.edu/~zmiller/ca-howto/

h2. Generating the CA

Taken from the "How to Setup a CA" in the References.

h3. Setting up the defaults

* Adjust the standard defaults (Debian).

<pre>sudo su -

cd /etc/ssl

emacs /etc/ssl/openssl.cnf</pre>

* Change the section under "req_distinguished_name"

h3. Generate the keys and general setup

* Gen the key and set the passphrase.  (hint: evil cat, no capitals)

<pre>cd /etc/ssl

openssl genrsa -des3 -out private/cakey.pem 1024</pre>

* Self sign the cert

<pre>openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem </pre>

** Common Name: ROOT CA

** Email: *leave this blank!!*

* Examine the cert

<pre>openssl x509 -noout -text -in cacert.pem</pre>

* Setup the directory structure and start files

<pre>mkdir -p /etc/ssl/newcert

echo "01" > /etc/ssl/serial

touch /etc/ssl/index.txt

perl -e "print int(rand(90)+10)" > rand

</pre>

h3. Generate a jabber host key and sign it

Note: these directions are incomplete because I'm trying out updated directions on star certificates at:

http://blog.bigdinosaur.org/openfire-and-ssl-slash-tls-certificates/

* Generate the key and signing requiest.  (no password)

<pre>openssl req -newkey rsa:1024 -keyout host_jabber.ru.is-key.pem -nodes -out host_jabber.ru.is-req.pem</pre>

* Now sign the key

<pre>openssl ca -out jabber.ru.is-crt.pem -infiles jabber.ru.is-req.pem</pre>

* Now convert the certificate to PKS#7 format

<pre>openssl crl2pkcs7 -nocrl -certfile jabber.ru.is-crt.pem -out jabber.ru.is-crt.p7b -certfile cacert.pem</pre>