CertificateAuthority

This page explains how to sign user SSL certificates, among other things.

Introduction

The page http://www.rajeevnet.com/crypto/ca/ca-paper.html was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from http://sial.org/howto/openssl/ca/openssl.cnf, and then added things to it from the first link.

All of our CA stuff is stored at /var/local/lib/ca on deleuze.

The publicly accessible CA stuff is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or http://hcoop.net/ca.

Scripts

There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates.

We should investigate CACert's scripts for generating CSRs.

Signing

ca-sign is the script that, given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests and a copy of the signed certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

ca-sign days request.csr out-cert-file.pem

Installing

ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.

Usage:

ca-install member domain cert-file.pem [key-file.pem]
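
The kind of sanity check described above, as an added sketch (this is not the actual ca-install script, whose contents this page does not show; the function name check_cert_pair and its return codes are assumptions). It checks that the certificate and RSA key parse, that they belong to the same key pair, and that the certificate has not expired, taking the key either from its own file or from the same PEM file as the certificate.

```shell
#!/bin/sh
# Added example, not the real ca-install: check_cert_pair is a hypothetical name.
# Usage: check_cert_pair cert-file.pem [key-file.pem]
# Returns 0 if the pair looks safe to install, otherwise 1-4 naming the failed check.
check_cert_pair() {
    cert=$1
    key=${2:-$1}    # with no key file, expect the key inside the certificate PEM

    # 1. The certificate must parse as X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "unreadable certificate: $cert" >&2; return 1
    fi

    # 2. The RSA key must parse and pass OpenSSL's consistency check. The empty
    #    -passin makes a passphrase-protected key fail here instead of prompting.
    if ! openssl rsa -in "$key" -passin pass: -check -noout >/dev/null 2>&1; then
        echo "unreadable or inconsistent RSA key: $key" >&2; return 2
    fi

    # 3. Certificate and key must share one modulus, i.e. be the same key pair.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "certificate and key do not match" >&2; return 3
    fi

    # 4. The certificate must not already be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired: $cert" >&2; return 4
    fi
    return 0
}
```

Running every check before any file is copied means a bad pair is rejected while the previously installed certificate is still in place.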


CategorySystemAdministration