SSL Certificates, and Self-Signing
See also:
http://web.archive.org/web/20020606221612/http://www.thawte.com/support/server/apache/apache-vfaq.html
http://slacksite.com/apache/certificate.html
We'll generate three files, and end up using two of them.

First, we generate the RSA keypair (host.key, which is in BASE64 PEM format, which is why the file often has a .pem filename extension). Then, we generate a CSR = Certificate Signing Request file (host.csr), which associates the key with the organisation's identity (specified in X.509 format, which is similar to LDAP/X.500), and could theoretically be shipped off to Verisign or another Certificate Authority (CA) to be digitally signed. Last, we have Client purport to self-sign the CSR file (in lieu of a CA), resulting in host.crt, the certificate file -- at which point host.csr can be discarded. All of this is done with the "openssl" binary.

And then Apache must be configured to use the two files, and restarted. That's it. So:
$ openssl genrsa -rand file1:file2[...] -out host.key 1024
You give several filespecs delimited by colons to give openssl enough entropy to work with. We're omitting the "-des3" switch, which causes the private key to be stored in symmetrically-encrypted form to protect it against being stolen by shell users, the downside of which is Client would have to supply the 3DES key to read the private key every time Apache restarts. Which is a _big_ downside, and is why almost nobody ever does it.
$ openssl req -new -key host.key -out host.csr
You'll be prompted for several strings to build an X.500-style Distinguished Name (two-letter country name, state, city, organisation, Apache hostname, administrative e-mail address). It's important that the hostname exactly match what's specified in httpd.conf, or users will get a warning about the mismatch.

Now, you get to generate the actual cert, and decide how many days from today's date it should expire. (In this example, we say two years = 730.)
$ openssl x509 -req -days 730 -in host.csr -signkey host.key -out host.crt
Last, we find the SSLCertificateFile and SSLCertificateKeyFile lines in httpd.conf, put the two host.* files in the indicated directories, edit the two httpd.conf lines, save, and restart Apache.
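As an added example (not part of the original page), here is the same three-step sequence as a non-interactive shell script, followed by the checks worth running before pointing httpd.conf at the files: that the public key in host.crt really belongs to host.key, that the subject CN is the hostname Apache will answer to (the mismatch warning mentioned above), and that the self-signed certificate verifies against itself and has not expired. The hostname, the Distinguished Name values and the working directory are constructed placeholders. The "-subj" option replaces the interactive prompts, "-rand" is omitted because current openssl seeds itself, and the key is 2048 bits rather than the 1024 used above, since 1024-bit RSA is now considered too weak.

```shell
#!/bin/sh
# Added example: generate host.key, host.csr and a self-signed host.crt with
# openssl, then check that the pieces belong together before giving them to
# Apache. Hostname and DN values below are constructed placeholders.

HOST="www.example.com"                 # must equal ServerName in httpd.conf
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # scratch directory for the three files

# Step 1-3 of the procedure: key, CSR, self-signed cert (default 730 days).
make_self_signed() {
    host="$1"; dir="$2"; days="${3:-730}"
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/host.key" -out "$dir/host.csr" \
        -subj "/C=US/ST=California/L=Menlo Park/O=Example Org/CN=$host" 2>/dev/null &&
    openssl x509 -req -days "$days" -in "$dir/host.csr" \
        -signkey "$dir/host.key" -out "$dir/host.crt" 2>/dev/null
}

# Check 1: the RSA modulus in the cert equals the modulus in the private key,
# i.e. SSLCertificateFile and SSLCertificateKeyFile will actually pair up.
key_matches_cert() {
    dir="$1"
    k=$(openssl rsa  -noout -modulus -in "$dir/host.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$dir/host.crt" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: extract the subject CN so it can be compared with the hostname.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/host.crt" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 3: a self-signed cert must verify against itself and be unexpired.
cert_self_verifies() {
    dir="$1"
    openssl verify -CAfile "$dir/host.crt" "$dir/host.crt" >/dev/null 2>&1 &&
    openssl x509 -noout -checkend 0 -in "$dir/host.crt" >/dev/null 2>&1
}

# Generate and run all checks; prints "ok" or the name of the failing check.
run_checks() {
    host="$1"; dir="$2"
    command -v openssl >/dev/null 2>&1 || { echo "skipped: no openssl"; return 0; }
    make_self_signed "$host" "$dir" 730   || { echo "generation failed"; return 1; }
    key_matches_cert "$dir"               || { echo "key/cert mismatch";  return 1; }
    [ "$(cert_cn "$dir")" = "$host" ]     || { echo "CN mismatch";        return 1; }
    cert_self_verifies "$dir"             || { echo "verify failed";      return 1; }
    echo ok
}

# Stand-alone use: generate into the scratch directory and report.
run_checks "$HOST" "$WORKDIR"
```

After "ok" is printed, copy $WORKDIR/host.crt and $WORKDIR/host.key to the paths named by SSLCertificateFile and SSLCertificateKeyFile and restart Apache; host.csr can be deleted. The modulus comparison is the quickest way to catch the common mistake of installing a certificate issued for a different key.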
Package to implement a certificate server (PKI):
openCA (www.openca.org)
From: WIAME Jean-Robert - REM0VE-N0-1SPAM jrw-abc_REM0VE-N0-1SPAM@ngi.be
To: debian-security@lists.debian.org
Organization: National Geographic Institute of Belgium
X-Mailer: Ximian Evolution 1.4.5
Date: Tue, 04 Nov 2003 10:38:50 +0100
Subject: Re: certificate server
Hi,

There are also:

ElyCA: http://eurodev.net/~pablo/ (the project has little hardware problems) or http://freshmeat.net/projects/elyca/?topic_id=44

CSP: Certificate Service Provider: http://devel.it.su.se/projects/CSP/

NewPKI: http://www.newpki.org/

The site of PyCA is http://www.pyca.de/
Date: Tue, 4 Nov 2003 12:39:23 +0100 (CET)
From: Henrik Andreasson han@han.pp.se
To: debian-security@lists.debian.org
Subject: Re: certificate server
If you're out to get a larger CA server (works for smaller installations too), check out ejbca, built on Enterprise Java Beans.
ejbca.sf.net / http://sourceforge.net/projects/ejbca
//Henrik Andreasson