3,704
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − Extracted from: http://forums.contribs.org/index.php?topic=34624.0+ + + − Author: slords + + + + + + + + + + Line 8:
Line 19: − Make a file named <b>cacert_csr_request</b>+ + + Line 16:
Line 29: + + + + + + Line 27:
Line 46: − + + + − + + + Line 54:
Line 77: − '1024') + Line 71:
Line 94: − + Line 81:
Line 104: + + + + + + + Line 90:
Line 120: − + + + + + + + + Line 98:
Line 135: + + + + + + − + − + + + + + + + + + + +
Add Ctegory security and note
{{usefulnote}}
== Introduction ==
From [http://en.wikipedia.org/wiki/CAcert.org wikipedia]
<nowiki>
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has over 200,000 verified users and has issued nearly 800,000 certificates as of January 2012. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
</nowiki>
== Prerequisites ==
* An account on cacert.org
** Your domain(s) registered on your CAcert.org account
== creating .csr and .key files ==
As root do the following:
As root do the following:
cd ~/cacert
cd ~/cacert
* Create a file named cacert_csr_request
nano -w cacert_csr_request
#!/usr/bin/perl
#!/usr/bin/perl
use esmith::ConfigDB;
use esmith::ConfigDB;
use esmith::DomainsDB;
use esmith::DomainsDB;
# variable to edit
my $keycrypt = 2048;
my $KEYLIFEINDAYS = 730;
my $COUNTRYCODE = "US"; ## <===================== change to your country code !
# end of modifications
my $config = esmith::ConfigDB->open;
my $config = esmith::ConfigDB->open;
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
# if you need a SHA1 csr, uncomment the following row
#print CONFIG "default_md = sha1\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
print CONFIG "countryName = $COUNTRYCODE\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";
close(CONFIG) or die "Closing openssl config file reported: $!";
unless ( -f "$domains[0].key" )
unless ( -f "$domains[0].key" )
/proc/uptime
/proc/uptime
)),
)),
$keycrypt)
|| die "can't exec program: $!";
|| die "can't exec program: $!";
}
}
qw(req -config), "$domains[0].config",
qw(req -config), "$domains[0].config",
qw(-new -key), "$domains[0].key",
qw(-new -key), "$domains[0].key",
qw(-days 730 -set_serial), time())
qw(-days $KEYLIFEINDAYS -set_serial), time())
|| die "can't exec program: $!";
|| die "can't exec program: $!";
}
}
close(CSR) or die "Closing csr file reported: $!";
close(CSR) or die "Closing csr file reported: $!";
* modify the 3 variables in the script according to your needs
# variable to edit
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
my $COUNTRYCODE = "US"; ## <===================== change to your country code !
# end of modifications
*Change permissions
*Change permissions
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
*Paste the output into the cacert.org website and get your certificate
===footnotes===
This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...
== obtain .crt file from cacert==
*Log into you account on the cacert.org and Add your FQDN under domains
*and paste the output of the belowcommand under new server certificate
cat {domain}.csr
cat {domain}.csr
== configuring your sme with your new certificate==
Then save your CA certificate in a file named ~/cacert/{domain}.crt
Then save your CA certificate in a file named ~/cacert/{domain}.crt
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
cp {domain}.key /home/e-smith/ssl.key/{domain}.key
cp {domain}.key /home/e-smith/ssl.key/{domain}.key
you might have to add an Intermediate certificate from the SSL authority
cp {CA}.crt /home/e-smith/ssl.crt/{CA}.crt
*Configure SME database
*Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
If you have to add an Intermediate certificate from the SSL authority
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt
*and apply the changes
*and apply the changes
signal-event console-save
signal-event post-upgrade
reboot
signal-event reboot
or if you do not want to reboot your server:
signal-event domain-modify
signal-event email-update
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
== References ==
* Extracted from: http://forums.contribs.org/index.php?topic=34624.0 (slords)
* http://bugs.contribs.org/show_bug.cgi?id=1370 (unnilennium)
----
----
[[Category:Howto]]
[[Category:Howto]]
[[Category:Administration:Certificates]]
[[Category:Security]]