Subversion Repositories sysadmin_scripts

# Scripts to Manipulate openssl

This is a set of scripts that wrap openssl, allowing you to more easily generate a local Certificate Authority (CA), create Server Certificates signed by that CA, and deploy them.

## Set up System (config files)

First, create an openssl configuration file and a makeCert.conf file. The simplest solution is to copy the samples:

```
cp openssl.cnf.sample openssl.cnf
cp makeCert.conf.sample makeCert.conf
```

Edit openssl.cnf. Be sure to set up the `[req_distinguished_name]` section. The `[alt_names]` section is a placeholder and will be ignored.

Edit makeCert.conf, making sure you change the values of `$caCRT` and `$caKey` to match your preferences (hint: use your company or network name). The 10 years for a CA (`$caDays`) and the one year for a Server Certificate (`$certDays`) are reasonable. Do not make them much longer than that; some applications will refuse to use them.

Some people will prefer to place their CA files in a subdirectory (or even somewhere else on the file system), so `$caCRT` and `$caKey` take fully qualified path names. Keep the .crt and .key suffixes, as those are fairly standardized.

If you want to place your Server Certificates in their own directory, change `$serverCertDir` (just a directory name).

All paths must exist prior to running any scripts.

## Create a Certificate Authority

```
./makeCA
```

This will create a Certificate Authority (a private .key file and a certificate .crt file) wherever the config file says. It will ask for a passphrase twice when creating the key file, and then again when creating the .crt. The passphrases must match and must be more than 8 characters long.

This .crt file should be deployed to all workstations that will access services using certificates created in the next section.

## Create Server Certificates

```
./makeCert DNS_Name [alias ...]
```

This will create a server certificate signed by the CA above, valid for the first parameter (DNS_Name) and all subsequent parameters (aliases). The files will be named after the first parameter and stored in the `$serverCertDir` directory. The following four files will be created. Below, name is the first parameter to the command

## Deploy Server Certificates

```
./deployCert hostname [certname]
```

This is a very simple script with limited abilities. It is designed to copy the two files a particular cert needs (.crt and .key) to hostname using scp. It will then restart Apache on that host (via `service apache2 reload`).
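Before deploying a certificate, it is worth confirming that it really chains to your CA, carries every DNS name you passed to makeCert as a SAN, and does not exceed the roughly one-year validity discussed above. The script below is an added example, not part of the sysadmin_scripts repository: it builds a throw-away CA and SAN certificate with plain openssl (unencrypted keys, so it runs unattended; the makeCA passphrase step is skipped), then runs those three checks. It assumes the openssl CLI is installed; the CN and DNS names are placeholders, not values from makeCert.conf.

```shell
#!/bin/sh
# Added example, not part of the sysadmin_scripts repo. Builds a throw-away CA
# and a SAN server certificate, then checks them the way makeCert output should
# be checked before deployCert copies it anywhere.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test material; CN and DNS names are placeholders, not repo config.
# 3650 and 365 days mirror the caDays / certDays defaults recommended above.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Local CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.lan" \
  -keyout www.example.lan.key -out www.example.lan.csr 2>/dev/null
printf 'subjectAltName=DNS:www.example.lan,DNS:example.lan\n' > san.ext
openssl x509 -req -in www.example.lan.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile san.ext -out www.example.lan.crt 2>/dev/null

# check_cert CA CERT NAME...
# Returns 0 when CERT chains to CA, lists every NAME as a DNS SAN, and has no
# more than 398 days of validity left (longer certs are rejected by some clients).
check_cert() {
  ca=$1; crt=$2; shift 2
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "$crt: not signed by $ca"; return 1; }
  # SAN line from the text dump, spaces removed and a trailing comma added so
  # that "DNS:example.lan," cannot match inside "DNS:www.example.lan".
  sans=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '),
  for name in "$@"; do
    case "$sans" in
      *"DNS:$name,"*) ;;
      *) echo "$crt: missing SAN $name"; return 1 ;;
    esac
  done
  # -checkend exits 0 if the cert would still be valid after that many seconds.
  if openssl x509 -in "$crt" -noout -checkend $((398 * 86400)) >/dev/null 2>&1; then
    echo "$crt: valid for more than 398 days"; return 1
  fi
  return 0
}

check_cert ca.crt www.example.lan.crt www.example.lan example.lan || exit 1
echo "www.example.lan.crt: chain, SANs and validity OK"
```

Run it against real makeCert output by pointing `check_cert` at your `$caCRT` and the generated `$serverCertDir/name.crt` with the same DNS names you gave makeCert.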