Difference between revisions of "TCS ServerCert"
(→Apache config: + Self-signed certs) | (→Usage)

Line 1: | Line 1:
== Usage ==
− With this script, you can generate a certificate request that you can manually submit to Terena TCS service. For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request
+ With this script, you can generate a certificate request that you can manually submit to Terena TCS service. For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request , but at the time of writing, it doesn't let the subjecAltNames through. Instead, you should use the institution-specific request forms:
+ * [https://admin.ca.niif.hu/niif_ra/apply/000_NIIF NIIF]
+ * [https://admin.ca.niif.hu/niif_ra/apply/001_BME BME]
+ * ...
It's possible to use multiple SubjectAltName -s in the request, such as for <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>.
Line 8: | Line 11:
* <code>hostname.you.provided.first.org.key</code> (private key)
* <code>hostname.you.provided.first.org.csr</code> (certificate request)
+
== Program code ==
You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.
Revision of this page as of 10:00, 26 May 2010
Usage
With this script, you can generate a certificate request that you can manually submit to the Terena TCS service. For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request , but at the time of writing it doesn't let the subjectAltNames through. Instead, you should use the institution-specific request forms:
- NIIF: https://admin.ca.niif.hu/niif_ra/apply/000_NIIF
- BME: https://admin.ca.niif.hu/niif_ra/apply/001_BME
- ...
It's possible to use multiple SubjectAltName entries in the request, such as for aai.niif.hu and www.aai.niif.hu.
- Note: Never share the private key (and thus the certificate) across virtual hosts.
This script creates the following files in your current working directory:
- hostname.you.provided.first.org.key (private key)
- hostname.you.provided.first.org.csr (certificate request)
Program code
You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.
- The program code may need serious cleanup, sorry, I had no time for this. It's a quick&dirty solution, provided simply for your comfort. It also does not check the user input.
#!/usr/bin/perl -w
use strict;

# getcert.sh is expected next to this script; its path is printed at the end
my $dirname=`dirname $0`; chomp $dirname;
my $getcert="getcert.sh";

print "Please enter the fqdn's of the hosts one at a line\n";
print "Press Ctrl-D when done or Ctrl-C to cancel\n";
my $h;
my @hosts;
while ($h=<STDIN>) {
    chomp ($h);
    #XXX sanity check: the names go unchecked into the OpenSSL config and the shell commands below
    push @hosts,$h;
}

# temporary OpenSSL request config, removed again at the end
my $tmpfile=`mktemp`;
chomp $tmpfile;
# the first host becomes the CN and the base name of the .key and .csr files
my $defaulthost=$hosts[0];
my $opensslReqCmd="openssl req -new -nodes -config $tmpfile -out $defaulthost.csr";
my $opensslVerifyCmd="openssl req -text -in $defaulthost.csr";

&mkConfig($tmpfile,@hosts);
`$opensslReqCmd`;
`chmod 600 $defaulthost.key`;   # private key: readable by the owner only
system $opensslVerifyCmd;       # print the request so the DN and SANs can be checked
print "\nTo retrieve the issued certificate, please issue the following command:\n";
print " env host=$defaulthost $dirname/$getcert\n";
unlink $tmpfile;

# write the OpenSSL request config: DN from the template, one DNS SAN per host
sub mkConfig(@) {
    my $out=shift;
    my @hosts=@_;
    my $defaulthost=$hosts[0];
    open (CONF,">$out") or die "$!";
    print CONF <<EOS;
[ req ]
default_bits = 2048
default_keyfile = $defaulthost.key
default_days = 1095
# note: many CAs now reject requests signed with SHA-1; sha256 is the usual choice today
default_md = sha1
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
#XXX UTF8string? string_mask = nombstr

[ req_distinguished_name ]
C = HU
#localityName = Locality Name (eg, city)
O = NIIF Institute
OU = Web Servers
CN = $defaulthost

[ v3_req ]
# Extensions to add to a certificate request
#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = \@alt_names

[alt_names]
EOS
    # DNS.1 .. DNS.n, one entry per host entered above
    for (my $i=1; $i<=$#hosts+1; $i++) {
        print CONF "DNS." . $i . " = " . $hosts[$i-1] . "\n";
    }
    close CONF;
}
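As an added example (not code from the original page), the same OpenSSL request template generated in Python, together with the input sanity check that the Perl script marks as #XXX and leaves out. It goes one step beyond the script by normalising and de-duplicating the names and by signing the request with sha256; it only produces the config text, it does not run openssl. The function names check_fqdn and make_req_config are assumptions of this example.

```python
import re
# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)\Z")

def check_fqdn(name):
    """Return the normalised FQDN or raise ValueError: the '#XXX sanity check'
    the Perl script leaves out. Names go unquoted into the OpenSSL config and a
    shell command, so whitespace, newlines or metacharacters must not pass."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError("empty or overlong hostname: %r" % name)
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("not fully qualified: %r" % name)
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError("invalid label %r in %r" % (label, name))
    return name

def make_req_config(hosts, country="HU", org="NIIF Institute", ou="Web Servers"):
    """Build the OpenSSL 'req' config that the page's mkConfig writes.
    First host -> CN and key file name; every distinct host -> a DNS SAN."""
    seen = []
    for h in hosts:
        fqdn = check_fqdn(h)
        if fqdn not in seen:  # drop duplicates such as 'WWW.aai.niif.hu.'
            seen.append(fqdn)
    if not seen:
        raise ValueError("at least one hostname is required")
    default = seen[0]
    lines = [
        "[ req ]",
        "default_bits = 2048",
        "default_keyfile = %s.key" % default,
        "default_md = sha256",  # the page uses sha1, which many CAs now reject
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "[ req_distinguished_name ]",
        "C = %s" % country,
        "O = %s" % org,
        "OU = %s" % ou,
        "CN = %s" % default,
        "[ v3_req ]",
        "subjectAltName = @alt_names",
        "[alt_names]",
    ]
    # DNS.1 .. DNS.n, numbered exactly like the Perl loop
    lines += ["DNS.%d = %s" % (i, h) for i, h in enumerate(seen, 1)]
    return "\n".join(lines) + "\n"
```

Write the returned text to a file and pass it to `openssl req -new -nodes -config <file> -out <host>.csr` exactly as the Perl script does.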
Retrieve issued certificate (and chain)
Save the following code as getcert.sh in the same directory where you saved the Perl code. This script saves the issued certificate and certificate chain as
- hostname.you.provided.first.crt (certificate)
- hostname.you.provided.first-chain.crt (certificate chain)
You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.
#!/bin/bash
# expects the hostname in the environment variable "host" (the Perl script prints the exact command)
if [[ "$host" == "" ]]
then
    echo "Please issue the following command:" 1>&2
    echo " export host=hostname.fqdn.hu" 1>&2
    exit 1
fi
echo "Please enter the URL you've received in the approved certificate notification mail:"
read URLBASE
# strip a trailing slash so the paths below are not doubled
URLBASE=`echo "$URLBASE" | sed "s/\/$//"`
# the certificate and the chain are fetched from fixed paths below the URL in the mail
wget -O "$host.crt" "$URLBASE/cert-pem/"
wget -O "$host-chain.crt" "$URLBASE/chain-pem/"
Apache config
This is how you can instruct Apache to use the new cert:
SSLCertificateFile      /path/to/your/pki/hostname.you.provided.first.crt
SSLCertificateKeyFile   /path/to/your/pki/hostname.you.provided.first.key
SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt
Self-signed
It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (e.g. some older versions of mod_ssl refuse to work with expired SP certs).
Instead, you should generate a self-signed certificate with the following command (please adjust the subject):
export host=your.host.name
openssl req -new -newkey rsa:2048 -x509 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \
    -keyout $host-shib.key -out $host-shib.cert