
Certificate generation


1) create CA

administrator@S6-Linux:/etc/ldap$ cd /opt
administrator@S6-Linux:/opt$ sudo mkdir certs
Password:
administrator@S6-Linux:/opt$ sudo mkdir certs/ca
administrator@S6-Linux:/opt$ sudo mkdir certs/ca/newcerts

administrator@S6-Linux:/opt/certs/ca$ sudo openssl req -new -x509 -keyout ./ca.key -out ./ca.crt
Generating a 1024 bit RSA private key
....................++++++
...................++++++
writing new private key to './ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco Systems
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:.
Email Address []:kwiereng@cisco.com

Two things to know about this command. Without -days, openssl req -x509 issues a CA certificate that is valid for only 30 days, so the chain stops verifying long before the 730-day server certificate signed in step 4 expires; add something like -days 3650. And the 1024-bit RSA key this OpenSSL version generates by default is too small today; use -newkey rsa:2048 or larger.

administrator@S6-Linux:/opt/certs/ca$ sudo vi /opt/certs/ca/serial   <enter '01' as the only line of the file>

administrator@S6-Linux:/opt/certs/ca$ sudo touch /opt/certs/ca/index.txt

2) create openssl.cf

administrator@S6-Linux:/opt/certs/ca$ sudo vi /opt/certs/openssl.cf

####################################################################
[ ca ]
default_ca = CA_default                # The default ca section

####################################################################
[ CA_default ]

dir           = /opt/certs/ca          # Where everything is kept
certs         = $dir/certs             # Where the issued certs are kept
crl_dir       = $dir/crl               # Where the issued crl are kept
database      = $dir/index.txt         # database index file.
new_certs_dir = $dir/newcerts          # default place for new certs.

certificate   = $dir/ca.crt            # The CA certificate
serial        = $dir/serial            # The current serial number
crl           = $dir/crl.pem           # The current CRL
private_key   = $dir/ca.key            # The private key
RANDFILE      = $dir/private/.rand     # private random number file

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days     = 730                 # how long to certify for
default_crl_days = 30                  # how long before next CRL
default_md       = md5                 # which md to use.
preserve         = no                  # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

Of the paths this file names, openssl ca only needs index.txt, serial and newcerts/ in order to sign, so the certs/, crl/ and private/ directories that step 1 never created are harmless (OpenSSL merely warns that it cannot write its random state). Two settings are weak by today's standards: default_md = md5 (MD5 signatures are forgeable; use sha256), and the absence of an x509_extensions entry in [ CA_default ], which makes openssl ca issue X.509v1 certificates with no extensions at all. An EAP server certificate should carry basicConstraints = CA:FALSE and extendedKeyUsage = serverAuth, which Windows supplicants expect.

3) certificate signing request

administrator@S6-Linux:/opt/certs/ca$ sudo mkdir /opt/certs/server
administrator@S6-Linux:/opt/certs/ca$ cd /opt/certs/server

administrator@S6-Linux:/opt/certs/server$ sudo openssl genrsa -out S6-Linux.key 1024
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
administrator@S6-Linux:/opt/certs/server$ sudo openssl req -new -key S6-Linux.key -out S6-Linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cisco Systems
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:S6-Linux
Email Address []:kwiereng@cisco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:

The server key is written unencrypted (genrsa was run without -des3 or -aes128), which is what a RADIUS daemon that starts unattended needs; protect it with file permissions instead (chmod 600, readable only by the RADIUS user). The challenge password is just an attribute stored in the CSR and is not used by this CA.

4) sign S6-Linux certificate with CA

administrator@S6-Linux:/opt/certs/server$ sudo openssl ca -config ../openssl.cf -out S6-Linux.crt -infiles ./S6-Linux.csr
Using configuration from ../openssl.cf
Enter pass phrase for /opt/certs/ca/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'Cisco Systems'
commonName            :PRINTABLE:'S6-Linux'
emailAddress          :IA5STRING:'kwiereng@cisco.com'
Certificate is to be certified until Nov 25 15:51:14 2009 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

A copy of the signed certificate is also kept as /opt/certs/ca/newcerts/01.pem (named after the serial), and the serial file now reads 02. Before configuring the RADIUS server, confirm the chain with: openssl verify -CAfile /opt/certs/ca/ca.crt S6-Linux.crt
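The four steps above, collapsed into one non-interactive script, as an added example that is not part of the original page. It keeps the page's layout (a ca/ directory with serial, index.txt and newcerts/, a server/ directory, and the same openssl.cf sections) but replaces the weak defaults: sha256 instead of md5, 2048-bit keys instead of 1024, an explicit -days for the CA certificate, and an x509_extensions section so the issued certificate carries basicConstraints and the serverAuth EKU. The scratch root directory, the subjects "Example Org" and "Example eduroam CA", and the function names are assumptions of this example; the CA key is left unencrypted so the script runs unattended, which a real CA should not do.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1-4 run non-interactively
# with the weak defaults replaced. Paths, subjects and names are assumptions.
set -eu

# Step 2: the page's openssl.cf sections, plus sha256, an extensions section
# for issued certificates, and a [req] section for the two req calls below.
write_ca_config() {
  root=$1
  cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $root/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.crt
serial          = \$dir/serial
private_key     = \$dir/ca.key
default_days    = 730
default_md      = sha256        # the page used md5
policy          = policy_anything
x509_extensions = server_cert   # absent on the page: v1 certs, no EKU
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth   # Windows supplicants expect this for EAP
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
EOF
}

# Step 1: directory layout, serial, index, CA key and self-signed CA cert.
make_ca() {
  root=$1
  mkdir -p "$root/ca/newcerts" "$root/server"
  printf '01\n' > "$root/ca/serial"
  : > "$root/ca/index.txt"
  write_ca_config "$root"
  # 2048-bit instead of the 1024-bit default. A real CA key should be
  # encrypted (genrsa -aes256) and kept off the RADIUS host.
  openssl genrsa -out "$root/ca/ca.key" 2048 2>/dev/null
  chmod 600 "$root/ca/ca.key"
  # Explicit -days: 'req -x509' without it issues a 30-day CA certificate.
  openssl req -new -x509 -sha256 -days 3650 -config "$root/openssl.cnf" \
    -key "$root/ca/ca.key" -out "$root/ca/ca.crt" \
    -subj "/O=Example Org/CN=Example eduroam CA"
}

# Steps 3 and 4: server key, CSR, and signing (-batch answers the y/n prompts).
issue_server_cert() {
  root=$1; name=$2
  openssl genrsa -out "$root/server/$name.key" 2048 2>/dev/null
  chmod 600 "$root/server/$name.key"
  openssl req -new -sha256 -config "$root/openssl.cnf" -key "$root/server/$name.key" \
    -out "$root/server/$name.csr" -subj "/O=Example Org/CN=$name"
  openssl ca -batch -notext -config "$root/openssl.cnf" \
    -in "$root/server/$name.csr" -out "$root/server/$name.crt"
}

# Checks to run before handing the certificate to the RADIUS server.
verify_chain() {         # exit 0 iff server cert chains to ca.crt
  openssl verify -CAfile "$1/ca/ca.crt" "$1/server/$2.crt" >/dev/null
}
cert_sig_alg() {         # prints e.g. sha256WithRSAEncryption
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
cert_has_server_auth() { # exit 0 iff the serverAuth EKU is present
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Stand-alone run: throwaway CA in a scratch directory, then the checks.
root=$(mktemp -d)
make_ca "$root"
issue_server_cert "$root" S6-Linux
verify_chain "$root" S6-Linux
cert_has_server_auth "$root/server/S6-Linux.crt"
echo "S6-Linux.crt: chain ok, $(cert_sig_alg "$root/server/S6-Linux.crt"), serverAuth EKU; files in $root"
```

Running it leaves the same artefacts the page produces (ca.crt, ca.key, serial, index.txt, newcerts/01.pem, and server/S6-Linux.{key,csr,crt}) under the scratch directory; the config heredoc writes $dir with a backslash because that variable is expanded by OpenSSL, not by the shell.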

ca_on_ubuntu_dapper.txt · Last modified: 2007/12/04 15:28 by 145.99.133.195