3,704
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − Extracted from: http://forums.contribs.org/index.php?topic=34624.0+ + + − Author: slords − updated: unnilennium (http://bugs.contribs.org/show_bug.cgi?id=1370)+ + + + + + + + Line 11:
Line 19: − Make a file named <b>cacert_csr_request</b>+ + + Line 21:
Line 31: − + − + − + Line 46:
Line 56: + Line 94:
Line 105: + + + + + + − − * change the variable values you need ! Line 105:
Line 120: − + − this script is helpfull but incomplete. Some configuratiosn info are missing in order to obtain a cert from some CA authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the informations must are missing in the smeserver database like countrycode ...+ − + + Line 133:
Line 149: + + + + + + + + +
Add Ctegory security and note
{{usefulnote}}
== Introduction ==
From [http://en.wikipedia.org/wiki/CAcert.org wikipedia]
<nowiki>
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has over 200,000 verified users and has issued nearly 800,000 certificates as of January 2012. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
</nowiki>
== Prerequisites ==
* An account on cacert.org
** Your domain(s) registered on your CAcert.org account
== creating .csr and .key files ==
== creating .csr and .key files ==
cd ~/cacert
cd ~/cacert
* Create a file named cacert_csr_request
nano -w cacert_csr_request
#!/usr/bin/perl
#!/usr/bin/perl
# variable to edit
# variable to edit
my keycrypt = 2048;
my $keycrypt = 2048;
my KEYLIFEINDAYS = 730;
my $KEYLIFEINDAYS = 730;
my COUNTRYCODE = US; ## <====== change to your country code !
my $COUNTRYCODE = "US"; ## <===================== change to your country code !
# end of modifications
# end of modifications
print CONFIG "\n";
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";
close(CONFIG) or die "Closing openssl config file reported: $!";
unless ( -f "$domains[0].key" )
unless ( -f "$domains[0].key" )
* modify the 3 variables in the script according to your needs
# variable to edit
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
my $COUNTRYCODE = "US"; ## <===================== change to your country code !
# end of modifications
*Change permissions
*Change permissions
chmod u+x cacert_csr_request
chmod u+x cacert_csr_request
*Execute the file
*Execute the file
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
== footnotes==
===footnotes===
This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...
== obtain .crt file from cacert==
== obtain .crt file from cacert==
*Paste the output into the cacert.org website and get your certificate
*Log into you account on the cacert.org and Add your FQDN under domains
*and paste the output of the belowcommand under new server certificate
cat {domain}.csr
cat {domain}.csr
signal-event post-upgrade
signal-event post-upgrade
signal-event reboot
signal-event reboot
or if you do not want to reboot your server:
signal-event domain-modify
signal-event email-update
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
== References ==
* Extracted from: http://forums.contribs.org/index.php?topic=34624.0 (slords)
* http://bugs.contribs.org/show_bug.cgi?id=1370 (unnilennium)
----
----
[[Category:Howto]]
[[Category:Howto]]
[[Category:Administration:Certificates]]
[[Category:Administration:Certificates]]
[[Category:Security]]