102014-01-15 15:59:09ClintonEbadicacert has some scripts that look useful for us92013-01-23 19:28:45ClintonEbadinavajos82012-09-06 07:18:47ClintonEbadi72008-07-07 04:28:06localhostconverted to 1.6 markup62008-04-22 01:10:52MichaelOlsonUpdate CA URL52008-04-01 15:06:46AdamChlipalaFix markup bug42008-04-01 05:35:54MichaelOlsonDocument ca-install32007-12-06 16:29:09MichaelOlsonDocument ca-sign script22007-12-04 23:01:48MichaelOlson12007-11-17 18:10:52MichaelOlsonInitial contentsThis page explains how to sign user SSL certificates, among other things.

The page was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from , and then added things to it from the first link. All of our CA stuff is stored at /var/local/lib/ca on deleuze. The public-accessible CA stuff is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or .

There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates. We should investigate CACert's scripts for generating CSRs.

ca-sign is the script that given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests, and stores a copy of the certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly-accessible list of certificates that have been revoked. Here is an example of how to invoke it: days is the number of days that the certificate should be valid. Users get to choose this value. request.csr is the certificate request. out-cert-file.pem is where you want the generated certificate to be placed.

ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache. Usage: CategorySystemAdministration