DomTool/SslProcedures

The SSL certification authority and related certificates discussed here are used by domtool for authentication, and are not in any way related to administering the web server CertificateAuthority or to using SSL on a hosted website.

Note: You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.

These instructions assume you are running as a user in group wheel on deleuze.hcoop.net.

Creating a certificate authority

I followed the instructions on this page: http://sial.org/howto/openssl/ca/

This blog post revealed the source of a puzzling error: it turns out that leaving some fields (like the city name for your new certificate) blank leads to baffling messages!

Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA:

    serial
    touch index

(NOTE: remove the "o" from all openssl.conf when running all commands (above and below); I used .conf just because wiki anti-spam methods do not allow .c-n-f (no comment).)

Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.

After creating the CA, dump its certificate to DomTool's trust store (see the trustStore configuration value for the location). If you are creating a new CA (e.g. the domtool CA was compromised, or the private key otherwise leaked or destroyed), make sure to remove the invalid CA certificate from this file.

    > ${LOCATION OF TRUST STORE}

Creating a certificate for a node or user

I followed the instructions on these pages:

The commands to run are:

    new.pem
    openssl ca -config /etc/domtool/openssl.conf -policy policy_anything -out servercert.pem -infiles new.pem

replacing serverkey.pem and servercert.pem with appropriate names for your new key and certificate, respectively. The change I made from the cited source is to include the -config flag to reference the modified config file obtained from the page about creating a CA.

Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.

Baffling things that can happen

If openssl ca tells you this:

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in openssl.conf:

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in index.attr and possibly index.attr.old.
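The following script is an added example, not code from this wiki page or from domtool itself. It runs the whole procedure above against a throwaway CA in one scratch directory: it writes a minimal openssl.cnf whose default-CA section carries unique_subject = no, creates the serial and index files, signs the same node CSR twice with openssl ca -policy policy_anything (which would hit the "baffling" database error without that setting), appends the CA certificate to a trust-store file, and verifies a signed certificate against it. The directory layout, the CN values, and every file name are assumptions made up for the demo, and no passphrase is put on any key.

```shell
# Added example (not from the wiki page or domtool): throwaway domtool-style CA under $1,
# one node CSR signed twice, CA cert appended to a trust-store file. All names are made up.
set -eu
write_ca_config() {   # $1 = CA directory; writes $1/openssl.cnf used by both req and ca
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
[ ca ]
default_ca         = domtool_ca
[ domtool_ca ]
dir                = $1
certificate        = \$dir/cacert.pem
private_key        = \$dir/cakey.pem
new_certs_dir      = \$dir/certs
database           = \$dir/index
serial             = \$dir/serial
default_days       = 365
default_md         = sha256
policy             = policy_anything
x509_extensions    = usr_cert
unique_subject     = no
[ policy_anything ]
commonName         = supplied
[ usr_cert ]
basicConstraints   = CA:FALSE
EOF
}
build_demo_ca() {   # $1 = scratch directory; returns 0 only if every step succeeded
  ca="$1/ca"; mkdir -p "$ca/certs"
  echo 01 > "$ca/serial"; touch "$ca/index"   # empty index database, first serial 01
  write_ca_config "$ca"
  # Self-signed CA certificate; no passphrase on the key, as for an unattended server.
  openssl req -x509 -new -config "$ca/openssl.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo domtool CA" -keyout "$ca/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
  # Node key and CSR (no passphrase), signed twice: with unique_subject = yes run 2 fails (TXT_DB error 2).
  openssl req -new -config "$ca/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=node.example.test" -keyout "$ca/serverkey.pem" -out "$ca/new.pem" 2>/dev/null
  for n in 1 2; do
    openssl ca -batch -config "$ca/openssl.cnf" -policy policy_anything \
      -out "$ca/servercert$n.pem" -infiles "$ca/new.pem" 2>/dev/null
  done
  # Dump the CA cert into the trust store; >> appends, so a retired CA cert must be removed by hand.
  openssl x509 -in "$ca/cacert.pem" >> "$1/trust-store.pem"
  openssl verify -CAfile "$1/trust-store.pem" "$ca/servercert2.pem" >/dev/null
}
command -v openssl >/dev/null 2>&1 && { WORK=$(mktemp -d); build_demo_ca "$WORK"; }
```

After a run, $WORK/ca/index.attr holds the unique_subject setting openssl ca recorded, which is the file the last section above says you may have to edit by hand on an existing CA.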