Difference between revisions of "Custom CA Certificate"
m (moved Certificates Custom CA to Custom CA Certificate over redirect: Revert, please do not change titles for sorting purposes. Please have a look at http://www.mediawiki.org/wiki/Help:Categories on sortkeys.) |
Unnilennium (talk | contribs) |
||
Line 2: | Line 2: | ||
Author: slords | Author: slords | ||
+ | updated: unnilennium (http://bugs.contribs.org/show_bug.cgi?id=1370) | ||
+ | == creating .csr and .key files == | ||
As root do the following: | As root do the following: | ||
Line 90: | Line 92: | ||
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com. | From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com. | ||
+ | == obtain .crt file from cacert== | ||
*Paste the output into the cacert.org website and get your certificate | *Paste the output into the cacert.org website and get your certificate | ||
cat {domain}.csr | cat {domain}.csr | ||
+ | == configuring your sme with your new certificate== | ||
Then save your CA certificate in a file named ~/cacert/{domain}.crt | Then save your CA certificate in a file named ~/cacert/{domain}.crt | ||
Line 104: | Line 108: | ||
*and apply the changes | *and apply the changes | ||
− | signal-event | + | signal-event post-upgrade |
− | reboot | + | signal-event reboot |
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning. | Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning. |
Revision as of 02:34, 23 September 2009
Extracted from: http://forums.contribs.org/index.php?topic=34624.0
Author: slords updated: unnilennium (http://bugs.contribs.org/show_bug.cgi?id=1370)
creating .csr and .key files
As root do the following:
mkdir ~/cacert cd ~/cacert
Make a file named cacert_csr_request
#!/usr/bin/perl use strict; use esmith::util; use esmith::ConfigDB; use esmith::DomainsDB; my $config = esmith::ConfigDB->open; my $domainsdb = esmith::DomainsDB->open_ro; my $domain = $config->get('DomainName')->value; my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains; my @domains = ($domain, keys %domain_names); open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!"; print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n"; print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n"; print CONFIG "req_extensions = v3_req\nprompt = no\n\n"; print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n"; print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n"; print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains; print CONFIG "\n"; close(CONFIG) or die "Closing openssl config file reported: $!"; unless ( -f "$domains[0].key" ) { open(KEY, ">$domains[0].key") or die "Can't open key file: $!"; unless (open(SSL,"-|")) { exec("/usr/bin/openssl", qw(genrsa -rand), join(':', qw( /proc/apm /proc/cpuinfo /proc/dma /proc/filesystems /proc/interrupts /proc/ioports /proc/bus/pci/devices /proc/rtc /proc/uptime )), '1024') || die "can't exec program: $!"; } while (<SSL>) { print KEY $_; } close(SSL) or die "Closing openssl pipe reported: $!"; close(KEY) or die "Closing key file reported: $!"; } open(CSR, ">$domains[0].csr") or die "Can't open csr $!"; unless (open(SSL,"-|")) { exec("/usr/bin/openssl", qw(req -config), "$domains[0].config", qw(-new -key), "$domains[0].key", qw(-days 730 -set_serial), time()) || die "can't exec program: $!"; } while (<SSL>) { print CSR $_; } close(SSL) or die "Closing openssl pipe reported: $!"; close(CSR) or die "Closing csr file reported: $!";
- Change permissions
chmod u+x cacert_csr_request
- Execute the file
./cacert_csr_request
From here replace the {domain} tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
obtain .crt file from cacert
- Paste the output into the cacert.org website and get your certificate
cat {domain}.csr
configuring your sme with your new certificate
Then save your CA certificate in a file named ~/cacert/{domain}.crt
- Copy to final location
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt cp {domain}.key /home/e-smith/ssl.key/{domain}.key
- Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
- and apply the changes
signal-event post-upgrade signal-event reboot
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.