CertificateAuthority

This page explains how to sign user SSL certificates, among other things.

Introduction

The page http://www.rajeevnet.com/crypto/ca/ca-paper.html was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from http://sial.org/howto/openssl/ca/openssl.cnf, and then added things to it from the first link.

All of our CA material (the CA key, configuration, issued certificates and the CRL database) is stored at /var/local/lib/ca on deleuze.

The publicly accessible CA material is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or http://hcoop.net/ca.

Scripts

There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing certificates.

We should investigate CACert's scripts for generating CSRs.

Signing

ca-sign is the script that, given a certificate signing request, produces a signed certificate. It stores a copy of the request in /var/local/lib/ca/requests and a copy of the issued certificate in /var/local/lib/ca/newcerts. It also regenerates the certificate revocation list (CRL), the publicly accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

ca-sign days request.csr out-cert-file.pem

Installing

ca-install is the script that installs a certificate (together with its RSA private key) on the user web nodes. It sanity-checks the certificate and key before allowing them to be installed, so that a broken pair does not bring down Apache when it next restarts.

Usage:

ca-install member domain cert-file.pem [key-file.pem]
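The kind of sanity checks ca-install should perform before a pair reaches Apache, as an added example written for this page (it is not hcoop's own ca-install and assumes only that openssl(1) is on PATH and the files are PEM):

```shell
#!/bin/sh
# ca_check_pair CERT KEY [CA_CERT]
# Returns 0 when the certificate/key pair is safe to hand to Apache,
# 1 with a reason on stderr otherwise. Hypothetical helper, not hcoop's script.
ca_check_pair() {
    cert="$1"; key="$2"; ca="$3"

    # 1. The certificate must parse as PEM X.509 at all.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "reject: $cert is not a PEM certificate" >&2; return 1; }

    # 2. The private key must parse; an unreadable key is the usual
    #    reason Apache refuses to start after a certificate change.
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || {
        echo "reject: $key is not a usable private key" >&2; return 1; }

    # 3. Key and certificate must belong together: compare the
    #    SubjectPublicKeyInfo embedded in each.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "reject: certificate and key do not match" >&2; return 1; }

    # 4. The certificate must remain valid for at least one more day (86400 s),
    #    so we never install something that is already expired.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || {
        echo "reject: certificate expired or expires within a day" >&2; return 1; }

    # 5. Optionally, the certificate must chain to our CA certificate,
    #    which catches requests that were signed somewhere else by mistake.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
            echo "reject: certificate does not chain to $ca" >&2; return 1; }
    fi
    return 0
}
```

A wrapper would call ca_check_pair before copying anything into the web node's configuration and abort on a non-zero status.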


CategorySystemAdministration