welcome: please sign in

Please enter your password of your account at the remote wiki below.
/!\ You should trust both wikis because the password could be read by the particular administrators.

Clear message
Page Locked

CertificateAuthority

This page explains how to sign user SSL certificates, among other things.

Introduction

The page http://www.rajeevnet.com/crypto/ca/ca-paper.html was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from http://sial.org/howto/openssl/ca/openssl.cnf, and then added things to it from the first link.

All of our CA stuff is stored at /var/local/lib/ca on deleuze.

The public-accessible CA stuff is at /afs/hcoop.net/user/h/hc/hcoop/public_html/ca, or http://hcoop.net/ca.

Scripts

There are a couple of scripts in /afs/hcoop.net/common/etc/scripts that facilitate signing and installing of certificates.

We should investigate CACert's scripts for generating CSRs.

Signing

ca-sign is the script that given a certificate request, produces a signed certificate. It stores a copy of the certificate request in /var/local/lib/ca/requests, and stores a copy of the certificate in /var/local/lib/ca/newcerts. It also updates the certificate revocation list, which is a publicly-accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

ca-sign days request.csr out-cert-file.pem

Installing

ca-install is the script which installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.

Usage:

ca-install member domain cert-file.pem [key-file.pem]


CategorySystemAdministration