welcome: please sign in


This page explains how to sign user SSL certificates, among other things.


The page http://www.rajeevnet.com/crypto/ca/ca-paper.html was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from http://sial.org/howto/openssl/ca/openssl.cnf, and then added things to it from the first link.

All of our CA stuff is stored at /var/local/lib/ca on deleuze.

The public-accessible CA stuff is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or http://hcoop.net/ca.


There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates.

We should investigate CACert's scripts for generating CSRs.


ca-sign is the script that given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests, and stores a copy of the certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly-accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

ca-sign days request.csr out-cert-file.pem


ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.


ca-install member domain cert-file.pem [key-file.pem]


CertificateAuthority (last edited 2014-01-15 15:59:09 by ClintonEbadi)