#pragma section-numbers off
This page explains how to sign user SSL certificates, among other things.

= Introduction =

The page [[http://www.rajeevnet.com/crypto/ca/ca-paper.html]] was very helpful in figuring out which commands to run. I took the initial copy of the OpenSSL configuration file from [[http://sial.org/howto/openssl/ca/openssl.cnf]], and then added things to it from the first link.

All of our CA stuff is stored at {{{/var/local/lib/ca}}} on deleuze. The publicly accessible CA stuff is at {{{/afs/hcoop.net/user/h/hc/hcoop/public_html/ca}}}, or [[http://hcoop.net/ca]].

= Scripts =

There are a couple of scripts in {{{/afs/hcoop.net/common/etc/scripts}}} that facilitate signing and installing certificates.

We should investigate [[http://wiki.cacert.org/CSRGenerator|CACert's scripts for generating CSRs]].

== Signing ==

{{{ca-sign}}} is the script that, given a certificate request, produces a signed certificate. It stores a copy of the certificate request in {{{/var/local/lib/ca/requests}}} and a copy of the certificate in {{{/var/local/lib/ca/newcerts}}}. It also updates the certificate revocation list (CRL), which is a publicly accessible list of certificates that have been revoked.

Here is an example of how to invoke it:

{{{
ca-sign days request.csr out-cert-file.pem
}}}

 * '''days''' is the number of days that the certificate should be valid. Users get to choose this value.
 * '''request.csr''' is the certificate request.
 * '''out-cert-file.pem''' is where you want the generated certificate to be placed.

== Installing ==

{{{ca-install}}} is the script that installs a certificate (including the RSA private key) to the user web nodes. It does sanity-checking on the certificate before allowing it to be installed, so as not to bring down Apache.

Usage:

{{{
ca-install member domain cert-file.pem [key-file.pem]
}}}

----
CategorySystemAdministration
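The following is an added example and not HCoop's own {{{ca-sign}}} or {{{ca-install}}}: it builds a throwaway CA under a temporary directory with plain {{{openssl}}} commands and walks through the three steps the Signing section attributes to {{{ca-sign}}} (keep the request, issue the certificate into a {{{newcerts}}} directory, regenerate the CRL), then shows the kind of sanity check an installer can run before handing a certificate and key to Apache (the page does not say which checks {{{ca-install}}} performs, so the key-matches-certificate and not-expired checks here are an assumption). The directory layout, config sections and all function names ({{{ca_init}}}, {{{ca_sign}}}, {{{ca_check_pair}}}, ...) are constructed for the example; it assumes the {{{openssl}}} binary is on PATH.

```shell
#!/bin/sh
# Added example (not HCoop's scripts). Assumes the openssl CLI is on PATH.
# All paths, section names and functions are constructed for this example.

# ca_init DIR: minimal CA layout (requests/, newcerts/, index, serial, CRL
# number, config) plus a self-signed CA certificate and an initial empty CRL.
ca_init() {
  dir=$1
  mkdir -p "$dir/requests" "$dir/newcerts"
  : > "$dir/index.txt"        # openssl ca's database of issued certificates
  echo 01 > "$dir/serial"     # next certificate serial number
  echo 01 > "$dir/crlnumber"  # next CRL number
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
# empty on purpose: subjects are passed with -subj
EOF
  openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
    -subj "/CN=Example throwaway CA" -days 365 2>/dev/null
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# ca_make_csr DIR CN KEY_OUT CSR_OUT: what a user does before asking for a signature.
ca_make_csr() {
  openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$3" -out "$4" -subj "/CN=$2" 2>/dev/null
}

# ca_sign DIR DAYS REQUEST.CSR OUT.PEM: keep the request, issue the certificate
# (openssl ca also files a copy under newcerts/ named by serial), republish the CRL.
ca_sign() {
  cp "$3" "$1/requests/$(basename "$3")"
  openssl ca -batch -config "$1/openssl.cnf" -days "$2" -notext \
    -in "$3" -out "$4" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# ca_revoke DIR CERT.PEM: mark the certificate revoked and republish the CRL.
ca_revoke() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# ca_verify DIR CERT.PEM: succeeds only if CERT chains to the CA and is not on the CRL.
ca_verify() {
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" \
    "$2" >/dev/null 2>&1
}

# ca_check_pair CERT.PEM KEY.PEM: installer-side sanity check (assumed, not the
# page's list): both files parse, the certificate is not expired, and the
# private key belongs to the certificate (identical public keys).
ca_check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# ca_demo DIR: issue, verify, check the key pair, revoke, verify again.
# Returns 0 only when every step behaves as expected.
ca_demo() {
  ca_init "$1"
  ca_make_csr "$1" user.example.test "$1/user.key" "$1/user.csr"
  ca_sign "$1" 90 "$1/user.csr" "$1/user.pem"
  [ -f "$1/requests/user.csr" ] && [ -f "$1/newcerts/01.pem" ] || return 1
  ca_verify "$1" "$1/user.pem" || return 1
  echo "issued and verified: $(openssl x509 -in "$1/user.pem" -noout -subject)"
  ca_check_pair "$1/user.pem" "$1/user.key" || return 1
  if ca_check_pair "$1/user.pem" "$1/cakey.pem"; then return 1; fi  # wrong key rejected
  ca_revoke "$1" "$1/user.pem"
  if ca_verify "$1" "$1/user.pem"; then return 1; fi                 # revoked cert rejected
  echo "revoked certificate correctly rejected by CRL check"
}

demo_dir=$(mktemp -d)
ca_demo "$demo_dir"
rm -rf "$demo_dir"
```

The CRL is regenerated after every signing and every revocation, which is the behaviour the page attributes to {{{ca-sign}}}; {{{ca_check_pair}}} rejects a certificate whose private key does not match before anything is copied toward a web server, which is the failure mode an installer most needs to catch.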