== Usage ==
With this script, you can generate a certificate request that you then submit manually to the Terena TCS service. For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request It is possible to include multiple SubjectAltNames in the request, for example <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>. {{NOTE_EN|Never share the private key (thus the certificate) across virtual hosts.}}
This script creates the following files in your current working directory:
* <code>hostname.you.provided.first.org.key</code> (private key)
* <code>hostname.you.provided.first.org.csr</code> (certificate request)
== Program code ==
<source lang="perl">
#!/usr/bin/perl -w
use strict;
use File::Temp qw(tempfile);

# Read the host names from standard input, one per line; an empty line ends the list.
# The first name becomes the CN and the base name of the output files.
print "Please enter the fqdn's of the hosts one at a line\n";
my @hosts;
while (my $line = <STDIN>) {
    chomp $line;
    last if $line eq '';
    push @hosts, $line;
}
die "No host names given\n" unless @hosts;
my $defaulthost = $hosts[0];

# Restrictive umask so the generated private key is readable only by the owner.
umask 0077;
my ($tmpfh, $tmpfile) = tempfile();
close $tmpfh;
mkConfig($tmpfile, @hosts);
# Argument lists (not one string) so the shell never interprets the host names.
my @opensslReqCmd    = ("openssl", "req", "-new", "-nodes", "-config", $tmpfile, "-out", "$defaulthost.csr");
my @opensslVerifyCmd = ("openssl", "req", "-text", "-in", "$defaulthost.csr");
system(@opensslReqCmd) == 0 or die "openssl req failed: $?\n";
system @opensslVerifyCmd;
unlink $tmpfile;

# Write a temporary OpenSSL request configuration with one DNS SAN per host.
sub mkConfig {
    my $out = shift;
    my @hosts = @_;
    my $defaulthost = $hosts[0];
    open(CONF, ">$out") or die "$!";
    print CONF <<EOS;
[ req ]
default_bits = 2048
default_keyfile = $defaulthost.key
default_days = 1095    # 3x365 days
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = $defaulthost
[ v3_req ]
subjectAltName = \@alt_names
[ alt_names ]
EOS
    for (my $i = 1; $i <= @hosts; $i++) {
        print CONF "DNS.$i = $hosts[$i-1]\n";
    }
    close CONF;
}
</source>
It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (i.e. some older versions of mod_ssl refuse to work with expired SP certs).
Instead, you should generate a self-signed certificate with the following commands (please adjust the subject). The certificate is produced in two passes (request first, then self-sign the request) so that the result does not carry the <code>CA:TRUE</code> basic constraint:
<source lang="bash">
export host=your.host.name
openssl req -new -newkey rsa:2048 -nodes -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" \
    -keyout $host-fed.key -out $host-fed.csr
openssl x509 -req -days 10000 -in $host-fed.csr -signkey $host-fed.key -out $host-fed.crt
</source>
[[Category: TCS]][[Category: English]]
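As an added check (example code, not from this wiki page): a small POSIX shell script that runs the two-pass self-signing for one host and then verifies what a reviewer would look at, namely that the certificate is not a CA, that its CN is the host name, that the key matches the certificate and that the key file is owner-only. It assumes the <code>openssl</code> command line tool is installed; the function names and the host name are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Assumes the openssl command line tool.

# make_fed_cert HOST DIR: the two-pass self-signing from the page, writing
# HOST-fed.key, HOST-fed.csr and HOST-fed.crt into DIR (key created with mode 0600).
make_fed_cert() {
    (
        umask 0077
        cd "$2"
        openssl req -new -newkey rsa:2048 -nodes -subj "/C=HU/O=NIIF/OU=AAI/CN=$1" \
            -keyout "$1-fed.key" -out "$1-fed.csr" 2>/dev/null
        # -days only takes effect here, on the signing step
        openssl x509 -req -days 10000 -in "$1-fed.csr" -signkey "$1-fed.key" \
            -out "$1-fed.crt" 2>/dev/null
    )
}

# check_fed_cert HOST DIR: prints each problem found and returns 1 if there was any.
check_fed_cert() {
    rc=0
    crt="$2/$1-fed.crt"
    key="$2/$1-fed.key"
    text=$(openssl x509 -in "$crt" -noout -text)
    # a federation entity certificate must not be usable as a CA
    case "$text" in
        *CA:TRUE*) echo "$crt: basicConstraints is CA:TRUE"; rc=1 ;;
    esac
    # the CN should be the host name (OpenSSL prints "CN = x" or "CN=x" by version)
    case "$text" in
        *"CN = $1"*|*"CN=$1"*) ;;
        *) echo "$crt: CN is not $1"; rc=1 ;;
    esac
    # the private key must belong to this certificate: compare public key digests
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    [ "$kpub" = "$cpub" ] || { echo "$key: does not match $crt"; rc=1; }
    # the key must not be readable by group or others
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 600 ] || { echo "$key: mode $mode, expected 600"; rc=1; }
    return $rc
}
```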