Diff for "DomTool/SslProcedures"

Differences between revisions 1 and 8 (spanning 7 versions)
Revision 1 as of 2006-12-09 00:57:39
Size: 1845
Editor: AdamChlipala
Comment:
Revision 8 as of 2010-02-16 18:11:11
Size: 2978
Editor: DavorOcelic
Comment:
Line 1: Line 1:
These instructions assume you are running as user `domtool` on `deleuze.hcoop.net`. '''Note''': You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.

These instructions assume you are running as a user in group `wheel` on `deleuze.hcoop.net`.
Line 13: Line 15:
{{{mkdir crl newcerts private {{{
mkdir -p /etc/domtool/ca
cd /etc/domtool/ca
mkdir crl newcerts private
Line 17: Line 22:
# NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM}}}

cd ..
# NOTE remove ":2048" below if running OpenSSL lower than 0.9.8a
openssl req -nodes -config openssl.conf -days 1825 -x509 -newkey rsa:2048 -out ca/ca-cert.pem -outform PEM}}}

'''(NOTE: remove the "o" from all openssl.conf when running all commands (above and below); I used .conf just because wiki anti-spam methods do not allow .c-n-f (no comment)).'''
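Review bot: the rewritten `openssl req ... -newkey rsa:2048 -out ca/ca-cert.pem` line gives the certificate an explicit path but no `-keyout`, so the CA private key goes wherever `default_keyfile` in the config's `[ req ]` section points, or, when that is unset, to `privkey.pem` in the working directory, which after the added `cd ..` is `/etc/domtool` rather than the `private` directory the previous hunk creates for it. Add `-keyout ca/private/<ca-key>.pem` so the key location no longer depends on the config; since `-nodes` leaves that key unencrypted, the directory permissions are the only protection it has. Also, the command says `openssl.conf` while the bold note says the real file is `openssl.cnf`, so a reader who pastes the line gets a "can't open config file" error; stating the wiki workaround once at the top of the page would be clearer than relying on the note under each command.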
Line 24: Line 33:
I followed the instructions on this page: I followed the instructions on these pages:
Line 27: Line 36:
  http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html
Line 28: Line 39:
{{{openssl req -new -keyout serverkey.pem -out newreq.pem -days 365 {{{
openssl genrsa -out serverkey.pem
openssl req -new -key serverkey.pem -out newreq.pem -days 365
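Review bot: `openssl genrsa -out serverkey.pem` names no key size, so it takes the OpenSSL build's default, which on the 0.9.8 and 1.0 releases this page targets is 512 or 1024 bits, shorter than the 2048-bit CA key in the hunk above. Write the size explicitly, `openssl genrsa -out serverkey.pem 2048`, just as the CA command now does with `rsa:2048`. Note also that the old `openssl req -new -keyout` form prompted for a passphrase, whereas `genrsa` without a cipher option writes the key unencrypted, so the file mode of `serverkey.pem` now matters.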
Line 30: Line 43:
openssl -config /etc/domtool/openssl.cfg ca -policy policy_anything -out servercert.pem -infiles new.pem}}}
replacing `serverkey.pem` and `servercert.pem` with appropriate names for your new key and certificate, respectively. The change I made from [http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2 the cited source] is to include the `-config` flag to reference the modified config file obtained from [http://sial.org/howto/openssl/ca/ the page about creating a CA].
openssl ca -config /etc/domtool/openssl.conf -policy policy_anything -out servercert.pem -infiles new.pem}}}
replacing `serverkey.pem` and `servercert.pem` with appropriate names for your new key and certificate, respectively. The change I made from [[http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2|the cited source]] is to include the `-config` flag to reference the modified config file obtained from [[http://sial.org/howto/openssl/ca/|the page about creating a CA]].
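Review bot: the rewrite fixes the command form (the old line put `-config` before the `ca` subcommand, which `openssl` does not accept). One thing carried over from the cited source: `-infiles new.pem` is handed the file that the `cat newreq.pem serverkey.pem > new.pem` step (visible in the rendered page below) builds, so the private key travels to the CA together with the request. `openssl ca` needs only the CSR; `-infiles newreq.pem` does the same job without copying the key into the CA's input. Keep `-infiles` as the last option either way, since everything after it is read as a request file name.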
Line 34: Line 47:

= Baffling things that can happen =

If `openssl ca` tells you this:
{{{
failed to update database
TXT_DB error number 2}}}

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in `openssl.conf`:
{{{
unique_subject = no}}}

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in `index.attr` and possibly `index.attr.old`.
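Review bot: "you may also need to make similar changes in `index.attr`" understates it. The first time `openssl ca` updates the database it records the `unique_subject` value in `<database>.attr` (here `index.attr`, because the database file is `index`), and on later runs that file takes precedence over `openssl.conf`. So once any certificate has been signed, editing the config alone leaves `TXT_DB error number 2` in place; `index.attr` has to read `unique_subject = no` too. It is also worth saying that the check is not about a "user": it fires whenever another entry still marked valid (`V`) in the index has the same subject DN, so re-issuing a server certificate before revoking the old one triggers it as well.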

Note: You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.

These instructions assume you are running as a user in group wheel on deleuze.hcoop.net.

1. Creating a certificate authority

I followed the instructions on this page:

This blog post revealed the source of a puzzling error:

It turns out leaving some fields (like the city name for your new certificate) blank leads to baffling messages!

Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA:

mkdir -p /etc/domtool/ca
cd /etc/domtool/ca
mkdir crl newcerts private
chmod go-rwx private
echo '01' > serial
touch index

cd ..
# NOTE remove ":2048" below if running OpenSSL lower than 0.9.8a
openssl req -nodes -config openssl.conf -days 1825 -x509 -newkey rsa:2048 -out ca/ca-cert.pem -outform PEM

(NOTE: remove the "o" from all openssl.conf when running all commands (above and below); I used .conf just because wiki anti-spam methods do not allow .c-n-f (no comment)).

Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.

2. Creating a certificate for a node or user

I followed the instructions on these pages:

The commands to run are:

openssl genrsa -out serverkey.pem
openssl req -new -key serverkey.pem -out newreq.pem -days 365
cat newreq.pem serverkey.pem > new.pem
openssl ca -config /etc/domtool/openssl.conf -policy policy_anything -out servercert.pem -infiles new.pem

replacing serverkey.pem and servercert.pem with appropriate names for your new key and certificate, respectively. The change I made from the cited source is to include the -config flag to reference the modified config file obtained from the page about creating a CA.

Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.

3. Baffling things that can happen

If openssl ca tells you this:

failed to update database
TXT_DB error number 2

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in openssl.conf:

unique_subject = no

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in index.attr and possibly index.attr.old.
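The three sections above (laying out a CA, signing a request with openssl ca, and the TXT_DB error number 2 case) can be exercised end to end against a throwaway CA. The script below is an added example, not part of this wiki page or of DomTool: it writes its own minimal openssl.cnf under a mktemp directory instead of the /etc/domtool layout, uses hypothetical function names (make_ca, issue_cert, allow_duplicate_subjects, sign_same_subject_twice, fix_then_resign), and signs the same subject twice to show the error appearing under the default unique_subject setting and going away once unique_subject = no is set in both the config and the index.attr file.

```shell
#!/bin/sh
# Added example (not from the DomTool wiki page): a throwaway CA that reproduces
# "TXT_DB error number 2" and the unique_subject fix. All paths live under a
# mktemp directory; the function names are hypothetical.
set -eu

# make_ca <cadir> <yes|no>: lay out the CA the way the page does (serial, empty
# index, newcerts, private) and write a minimal config whose CA section carries
# the given unique_subject value. The CA key size is given explicitly.
make_ca() {
    cadir=$1; uniq=$2
    mkdir -p "$cadir/newcerts" "$cadir/private"
    chmod go-rwx "$cadir/private"
    echo '01' > "$cadir/serial"
    : > "$cadir/index"
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database       = $cadir/index
new_certs_dir  = $cadir/newcerts
certificate    = $cadir/ca-cert.pem
private_key    = $cadir/private/ca-key.pem
serial         = $cadir/serial
default_days   = 365
default_md     = sha256
policy         = policy_anything
unique_subject = $uniq
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl genrsa -out "$cadir/private/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$cadir/private/ca-key.pem" -config "$cadir/openssl.cnf" \
        -subj "/CN=Example Test CA" -days 1825 -out "$cadir/ca-cert.pem" 2>/dev/null
}

# issue_cert <cadir> <cn>: key, CSR and `openssl ca` signing for one subject, as in
# step 2 of the page (the CA gets only the CSR, not the key). Prints "ok" or "fail";
# openssl's stderr is kept in ca.err so last_ca_error can show the reason.
issue_cert() {
    cadir=$1; cn=$2
    openssl genrsa -out "$cadir/$cn.key.pem" 2048 2>/dev/null
    openssl req -new -key "$cadir/$cn.key.pem" -config "$cadir/openssl.cnf" \
        -subj "/CN=$cn" -out "$cadir/$cn.csr.pem" 2>/dev/null
    if openssl ca -config "$cadir/openssl.cnf" -batch -policy policy_anything -notext \
        -in "$cadir/$cn.csr.pem" -out "$cadir/$cn.cert.pem" 2>"$cadir/ca.err"; then
        echo ok
    else
        echo fail
    fi
}

# last_ca_error <cadir>: the TXT_DB line from the most recent `openssl ca` run, if any.
last_ca_error() {
    grep 'TXT_DB' "$1/ca.err" | head -n 1 || true
}

# allow_duplicate_subjects <cadir>: the page's fix, applied to both places that
# matter: the CA section of the config and the index.attr file openssl ca wrote.
allow_duplicate_subjects() {
    cadir=$1
    sed 's/^unique_subject *=.*/unique_subject = no/' "$cadir/openssl.cnf" > "$cadir/openssl.cnf.tmp"
    mv "$cadir/openssl.cnf.tmp" "$cadir/openssl.cnf"
    echo 'unique_subject = no' > "$cadir/index.attr"
}

# sign_same_subject_twice <yes|no>: fresh CA with that unique_subject setting,
# then two certificates for the same CN. Prints "<first result> <second result>".
sign_same_subject_twice() {
    d=$(mktemp -d)
    make_ca "$d" "$1"
    first=$(issue_cert "$d" www.example.org)
    second=$(issue_cert "$d" www.example.org)
    rm -rf "$d"
    echo "$first $second"
}

# fix_then_resign: hit the error under the default setting, apply the fix to config
# and index.attr, and sign again. Prints "<result before fix> <result after fix>".
fix_then_resign() {
    d=$(mktemp -d)
    make_ca "$d" yes
    issue_cert "$d" www.example.org >/dev/null
    before=$(issue_cert "$d" www.example.org)   # expected: fail
    last_ca_error "$d" >&2                      # shows "TXT_DB error number 2"
    allow_duplicate_subjects "$d"
    after=$(issue_cert "$d" www.example.org)    # expected: ok
    rm -rf "$d"
    echo "$before $after"
}

if command -v openssl >/dev/null 2>&1; then
    echo "unique_subject=yes, same CN twice: $(sign_same_subject_twice yes)"
    echo "unique_subject=no,  same CN twice: $(sign_same_subject_twice no)"
    echo "default, then fix, then resign:    $(fix_then_resign)"
fi
```

The script builds the config itself, so it does not need the sial.org config or the `.conf`/`.cnf` wiki workaround; with a real openssl.cnf the same two edits (the CA section and index.attr) are what clears the error.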

DomTool/SslProcedures (last edited 2014-04-24 02:05:48 by ClintonEbadi)