welcome: please sign in

The following 286 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
about   above   Add   Admin   administering   After   ahead   all   allow   already   also   and   anti   any   anything   anyway   apache   appropriate   Architecture   archive   are   as   asked   assume   at   attr   authentication   Authority   authority   available   avoid   Baffling   baffling   be   because   been   below   blank   blog   but   by   ca   can   cat   caution   cd   cert   Cert   Certificate   certificate   certificates   certification   change   changes   chmod   cited   city   com   commands   comment   compromised   conf   config   configuration   configured   create   created   creating   Creating   crl   database   days   debian   default   deleuze   described   destroyed   details   directory   discussed   do   docs   Dom   domtool   done   dump   echo   error   etc   exists   Extracting   failed   far   fields   figure   file   files   final   flag   followed   for   former   from   generally   genrsa   go   gone   group   happen   have   hcoop   here   hosted   howto   html   http   https   If   ilovett   implementing   in   include   index   infiles   instructions   interactive   interest   invalid   is   it   It   its   just   keep   key   keys   layout   leads   leaked   leaving   like   line   location   made   make   Makefile   Manual   marc   may   means   Member   messages   methods   mkdir   modified   mostly   multiple   name   names   need   net   new   newcerts   newkey   newreq   no   node   nodes   not   Note   Now   number   obtained   of   old   on   Once   once   openssl   or   org   otherwise   our   out   outform   Overview   page   pages   pem   people   policy   possibly   post   postgresql   private   Procedures   projects   put   puzzling   re   reference   related   relevant   remove   replacing   req   respectively   revealed   rsa   run   running   rwx   same   scripts   section   see   serial   server   servercert   serverkey   Serving   sial   sign   signing   similar   so   some   source   spam   Ssl   ssl   Store   store   structure   subject   sure   tcp   tells   that   The   the   theaimsgroup   there   these   These   they   things   This   this   those   times   to   Tool   touch   trust   turns   unique   update   use   used   user   Users   users   using   value   ve   want   was   way   we   web   website   Websites   what   wheel   when   where   wiki   will   with   worrying   www   x509   You   you   your  

Clear message

DomTool / SslProcedures

The SSL certification authority and related certificates discussed here are used by domtool for authentication, and are not in any way related to administering the web server CertificateAuthority or to using SSL on a hosted website.

Note: You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.

These instructions assume you are running as a user in group wheel on deleuze.hcoop.net.

1. Creating a certificate authority

I followed the instructions on this page:

This blog post revealed the source of a puzzling error:

It turns out leaving some fields (like the city name for your new certificate) blank leads to baffling messages!

Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA:

mkdir -p /etc/domtool/ca
cd /etc/domtool/ca
mkdir crl newcerts private
chmod go-rwx private
echo '01' > serial
touch index

cd ..
# NOTE remove ":2048" below if running OpenSSL lower than 0.9.8a
openssl req -nodes -config openssl.conf -days 1825 -x509 -newkey rsa:2048 -out ca/ca-cert.pem -outform PEM

(NOTE: remove the "o" from all openssl.conf when running all commands (above and below); I used .conf just because wiki anti-spam methods do not allow .c-n-f (no comment)).

Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.

After creating the CA, dump its certificate to DomTool's trust store (see trustStore configuration value for the location). If you are creating a new CA (e.g. the domtool CA was compromised, or the private key otherwise leaked or destroyed) make sure to remove the invalid CA certificate from this file.

cat /etc/domtool/ca/ca-cert.pem >> ${LOCATION OF TRUST STORE}

2. Creating a certificate for a node or user

I followed the instructions on these pages:

The commands to run are:

openssl genrsa -out serverkey.pem
openssl req -new -key serverkey.pem -out newreq.pem -days 365
cat newreq.pem serverkey.pem > new.pem
openssl ca -config /etc/domtool/openssl.conf -policy policy_anything -out servercert.pem -infiles new.pem

replacing serverkey.pem and servercert.pem with appropriate names for your new key and certificate, respectively. The change I made from the cited source is to include the -config flag to reference the modified config file obtained from the page about creating a CA.

Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.

3. Baffling things that can happen

If openssl ca tells you this:

failed to update database
TXT_DB error number 2

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in openssl.conf:

unique_subject = no

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in index.attr and possibly index.attr.old.

DomTool/SslProcedures (last edited 2014-04-24 02:05:48 by ClintonEbadi)