CertificateAuthority

This page explains how to sign user SSL certificates, among other things.

Introduction

The page http://www.rajeevnet.com/crypto/ca/ca-paper.html was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from http://sial.org/howto/openssl/ca/openssl.cnf, and then added things to it from the first link.

All of our CA stuff is stored at /var/local/lib/ca on deleuze.

The publicly accessible CA stuff is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or http://hcoop.net/ca.

Scripts

There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates.

We should investigate CACert's scripts for generating CSRs.

Signing

ca-sign is the script that, given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests, and stores a copy of the certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

ca-sign days request.csr out-cert-file.pem

Installing

ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.

Usage:

ca-install member domain cert-file.pem [key-file.pem]
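
The kind of pre-install sanity check described above, as an added example; it is not HCoop's ca-install script, and this page does not list which checks that script performs. The function name check_cert_pair, the MIN_VALID_SECS variable and the choice of checks (parseable certificate, parseable key, key matches certificate, not expired) are assumptions.

```shell
#!/bin/sh
# Added example, not the ca-install script itself. The checks are assumed
# ones: a certificate or key that fails any of them is a typical reason
# for a web server to refuse to start after a new vhost is installed.

# check_cert_pair CERT [KEY]
# If KEY is omitted, the private key is looked for inside CERT.
# MIN_VALID_SECS (default 0) is the minimum remaining lifetime required.
# Returns 0 if the pair looks safe to install, 1-4 with a reason otherwise.
check_cert_pair() {
    cert=$1
    key=${2:-$1}

    # 1. The certificate file must contain a parseable X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "reject: $cert is not a valid certificate" >&2; return 1; }

    # 2. The key file must contain a parseable, unencrypted private key
    #    (an encrypted key would need a passphrase at server start).
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null || {
        echo "reject: $key has no usable private key" >&2; return 2; }

    # 3. The key must belong to the certificate: the public key embedded
    #    in the certificate must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass:)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "reject: private key does not match certificate" >&2; return 3; }

    # 4. The certificate must still be valid for at least MIN_VALID_SECS.
    openssl x509 -in "$cert" -noout \
        -checkend "${MIN_VALID_SECS:-0}" >/dev/null || {
        echo "reject: certificate is expired or about to expire" >&2
        return 4; }

    return 0
}
```
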


CategorySystemAdministration

CertificateAuthority (last edited 2014-01-15 15:59:09 by ClintonEbadi)