Difference between revisions of "Open SSL"

From OpenKM Documentation
Jump to: navigation, search
Line 94: Line 94:
  
 
'''Create certification autority (CA).'''
 
'''Create certification autority (CA).'''
 +
 
Create folder structure to hold certificates:
 
Create folder structure to hold certificates:
 
  mkdir /opt/met-ca
 
  mkdir /opt/met-ca
Line 106: Line 107:
 
  chmod 700 /opt/ca
 
  chmod 700 /opt/ca
  
 +
Create public and private autosigned keys of our own Certification Authority ( in the example is valid for 10 years ). We will need to specify certificate data, passworrd to crypt and the process will generate two files:
 +
openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt
 +
 +
Change key grants:
 +
chmod 600 /opt/met-ca/private/ca.key
 +
 +
'''Create apache certification'''
 +
Create a pair of keys. We will need to specify password and certification data. Will be created the file key ( server.key ) and certification request (server.pem).
 +
openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem
 +
 +
With the CA should sign the certification request. Copy server.pem to certication request and sign.
 +
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_server[/b] -out requests/server-signed.pem -infiles requests/server.pem
 +
 +
Apache will be waiting a PEM format, is mandatory convert to this format:
 +
openssl x509 -in requests/server-signed.pem -out requests/server.crt
  
 +
'''Apache configuration'''
  
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]

Revision as of 12:55, 9 December 2012

Edit file /etc/ssl/openssl.cnf

    RANDFILE         = $ENV::SSLDIR/.rnd

    [ ca ]
    default_ca       = CA_default

    [ CA_default ]
    dir              = /opt/ca
    certs            = $dir/certs
    new_certs_dir    = $dir/newcerts
    crl_dir          = $dir/crl
    database         = $dir/index.txt
    private_key      = $dir/private/ca.key
    certificate      = $dir/ca.crt
    serial           = $dir/serial
    crl              = $dir/crl.pem
    RANDFILE         = $dir/private/.rand
    default_days     = 365
    default_crl_days = 30
    default_md       = sha1
    preserve         = no
    policy           = policy_anything
    name_opt         = ca_default
    cert_opt         = ca_default

    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

    [ req ]
    default_bits            = 2048
    default_md              = sha1
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    x509_extensions         = v3_ca
    string_mask             = nombstr

    [ req_distinguished_name ]
    countryName             = Country Name (2 letter code)
    countryName_min         = 2
    countryName_max         = 2
    stateOrProvinceName     = State or Province Name (full name)
    localityName            = Locality Name (eg, city)
    0.organizationName      = Organization Name (eg, company)
    organizationalUnitName  = Organizational Unit Name (eg, section)
    commonName              = Common Name (eg, YOUR name)
    commonName_max          = 64
    emailAddress            = Email Address
    emailAddress_max        = 64

    [ usr_cert ]
    basicConstraints        = CA:FALSE
    # nsCaRevocationUrl       = https://url-to-exposed-clr-list/crl.pem

    [ ssl_server ]
    basicConstraints        = CA:FALSE
    nsCertType              = server
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = serverAuth, nsSGC, msSGC
    nsComment               = "OpenSSL Certificate for SSL Web Server"

    [ ssl_client ]
    basicConstraints        = CA:FALSE
    nsCertType              = client
    keyUsage                = digitalSignature, keyEncipherment
    extendedKeyUsage        = clientAuth
    nsComment               = "OpenSSL Certificate for SSL Client"

    [ v3_req ]
    basicConstraints       = CA:FALSE
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment

    [ v3_ca ]
    basicConstraints        = critical, CA:true, pathlen:0
    nsCertType              = sslCA
    keyUsage                = cRLSign, keyCertSign
    extendedKeyUsage        = serverAuth, clientAuth
    nsComment               = "OpenSSL CA Certificate"

    [ crl_ext ]
    basicConstraints        = CA:FALSE
    keyUsage                = digitalSignature, keyEncipherment
    nsComment               = "OpenSSL generated CRL"

Create certification autority (CA).

Create folder structure to hold certificates:

mkdir /opt/met-ca
mkdir /opt/met-ca/certs
mkdir /opt/met-ca/crl
mkdir /opt/met-ca/newcerts
mkdir /opt/met-ca/private
mkdir /opt/met-ca/requests
touch /opt/met-ca/index.txt
echo “01” > /opt/ca/serial
echo “01” > /opt/ca/crlnumber
chmod 700 /opt/ca

Create public and private autosigned keys of our own Certification Authority ( in the example is valid for 10 years ). We will need to specify certificate data, passworrd to crypt and the process will generate two files:

openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt

Change key grants:

chmod 600 /opt/met-ca/private/ca.key

Create apache certification Create a pair of keys. We will need to specify password and certification data. Will be created the file key ( server.key ) and certification request (server.pem).

openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem 

With the CA should sign the certification request. Copy server.pem to certication request and sign.

openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_server[/b] -out requests/server-signed.pem -infiles requests/server.pem

Apache will be waiting a PEM format, is mandatory convert to this format:

openssl x509 -in requests/server-signed.pem -out requests/server.crt

Apache configuration