Difference between revisions of "Custom CA Certificate"

From SME Server
Jump to navigationJump to search
(Undo revision 15309 by Unnilennium (Talk))
Line 19: Line 19:
 
  use esmith::ConfigDB;
 
  use esmith::ConfigDB;
 
  use esmith::DomainsDB;
 
  use esmith::DomainsDB;
 +
 +
# variable to edit
 +
my $keycrypt = 2048;
 +
my $KEYLIFEINDAYS = 730;
 +
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
 +
# end of modifications
 
   
 
   
 
  my $config  = esmith::ConfigDB->open;
 
  my $config  = esmith::ConfigDB->open;
Line 30: Line 36:
 
  open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
 
  open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
 
  print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
 
  print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
  print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
+
  print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
 
  # if you need a SHA1 csr, uncomment the following row
 
  # if you need a SHA1 csr, uncomment the following row
 
  #print CONFIG "default_md  = sha1\n";
 
  #print CONFIG "default_md  = sha1\n";
 
  print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
 
  print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
  print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
+
  print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
 +
print CONFIG "countryName = $COUNTRYCODE\n";
 
  print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
 
  print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
 
  print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
 
  print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
 
  print CONFIG "\n";
 
  print CONFIG "\n";
 
  close(CONFIG) or die "Closing openssl config file reported: $!";
 
  close(CONFIG) or die "Closing openssl config file reported: $!";
 +
 
   
 
   
 
  unless ( -f "$domains[0].key" )
 
  unless ( -f "$domains[0].key" )
Line 59: Line 67:
 
                 /proc/uptime
 
                 /proc/uptime
 
                 )),
 
                 )),
             '1024')
+
             $keycrypt)
 
             || die "can't exec program: $!";
 
             || die "can't exec program: $!";
 
     }
 
     }
Line 76: Line 84:
 
         qw(req -config), "$domains[0].config",
 
         qw(req -config), "$domains[0].config",
 
         qw(-new -key), "$domains[0].key",
 
         qw(-new -key), "$domains[0].key",
         qw(-days 730 -set_serial), time())
+
         qw(-days $KEYLIFEINDAYS -set_serial), time())
 
         || die "can't exec program: $!";
 
         || die "can't exec program: $!";
 
  }
 
  }
Line 87: Line 95:
  
  
 +
* modify the 3 variables in the script according to your needs
 +
# variable to edit
 +
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
 +
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
 +
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
 +
# end of modifications
  
 
*Change permissions
 
*Change permissions
Line 95: Line 109:
  
 
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
 
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
 +
 +
===footnotes===
 +
 +
This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...
  
 
== obtain .crt file from cacert==
 
== obtain .crt file from cacert==

Revision as of 20:41, 21 January 2011

Extracted from: http://forums.contribs.org/index.php?topic=34624.0

Author: slords

updated: unnilennium (http://bugs.contribs.org/show_bug.cgi?id=1370)

creating .csr and .key files

As root do the following:

mkdir ~/cacert
cd ~/cacert 

Make a file named cacert_csr_request

#!/usr/bin/perl

use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

# variable to edit
my $keycrypt = 2048;
my $KEYLIFEINDAYS = 730;
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
# end of modifications

my $config   = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;

my @domains = ($domain, keys %domain_names);

open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
# if you need a SHA1 csr, uncomment the following row
#print CONFIG "default_md  = sha1\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
print CONFIG "countryName = $COUNTRYCODE\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";


unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
            qw(genrsa -rand),
            join(':',
            qw(
                /proc/apm
                /proc/cpuinfo
                /proc/dma
                /proc/filesystems
                /proc/interrupts
                /proc/ioports
                /proc/bus/pci/devices
                /proc/rtc
                /proc/uptime
                )),
            $keycrypt)
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
        qw(req -config), "$domains[0].config",
        qw(-new -key), "$domains[0].key",
        qw(-days $KEYLIFEINDAYS -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";


  • modify the 3 variables in the script according to your needs
# variable to edit
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
# end of modifications
  • Change permissions
chmod u+x cacert_csr_request
  • Execute the file
./cacert_csr_request

From here replace the {domain} tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.

footnotes

This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...

obtain .crt file from cacert

  • Paste the output into the cacert.org website and get your certificate
cat {domain}.csr

configuring your sme with your new certificate

Then save your CA certificate in a file named ~/cacert/{domain}.crt

  • Copy to final location
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt 
cp {domain}.key /home/e-smith/ssl.key/{domain}.key

you might have to add an Intermediate certificate from the SSL authority

cp {CA}.crt /home/e-smith/ssl.crt/{CA}.crt
  • Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

If you have to add an Intermediate certificate from the SSL authority

config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt
  • and apply the changes
signal-event post-upgrade
signal-event reboot

Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.