Difference between revisions of „TCS ServerCert”

From: KIFÜ Wiki
Revision of this page as of 30 April 2010, 11:14

Usage

With this script, you can generate a certificate request that you can manually submit to the Terena TCS service. For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request

It is possible to use multiple SubjectAltName entries in the request, for example for aai.niif.hu and www.aai.niif.hu.

Note: Never share the private key (thus the certificate) across virtual hosts.

This script creates the following files in your current working directory:

  • hostname.you.provided.first.org.key (private key)
  • hostname.you.provided.first.org.csr (certificate request)

Program code

You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.

The program code may need serious cleanup, sorry, I had no time for this. It's a quick & dirty solution, provided simply for your comfort. It also does not check the user input.

#!/usr/bin/perl -w
use strict;

# Directory this script lives in; getcert.sh is expected to sit next to it.
my $dirname=`dirname $0`; chomp $dirname;
my $getcert="getcert.sh";

print "Please enter the fqdn's of the hosts one at a line\n";
print "Press Ctrl-D when done or Ctrl-C to cancel\n";

my $h;
my @hosts;

# One host name per line: the first becomes the CN, all of them become SANs.
while ($h=<STDIN>) {
        chomp ($h);
        #XXX sanity check: the names are interpolated into shell commands and
        #    into the OpenSSL config below without any validation
        push @hosts,$h;
}
die "No host names given\n" unless @hosts;

my $tmpfile=`mktemp`;
chomp $tmpfile;

my $defaulthost=$hosts[0];
my $opensslReqCmd="openssl req -new -nodes -config $tmpfile -out $defaulthost.csr";
my $opensslVerifyCmd="openssl req -text -in $defaulthost.csr";

&mkConfig($tmpfile,@hosts);

# Generate key (named by default_keyfile in the config) and CSR, restrict the
# key to its owner, then print the request so the DN and SANs can be checked.
`$opensslReqCmd`;
`chmod 600 $defaulthost.key`;
system $opensslVerifyCmd;

print "\nTo retrieve the issued certificate, please issue the following command:\n";
print "    env host=$defaulthost $dirname/$getcert\n";

unlink $tmpfile;

# Write an OpenSSL request config with a subjectAltName for every host.
sub mkConfig(@) {
        my $out=shift;
        my @hosts=@_;
        my $defaulthost=$hosts[0];

        open (CONF,">$out") or die "$!";

        print CONF <<EOS;
[ req ]
default_bits            = 2048
default_keyfile         = $defaulthost.key
default_days            = 1095
default_md              = sha1
# NOTE: SHA-1 signatures are deprecated; sha256 is the current choice
distinguished_name      = req_distinguished_name
req_extensions          = v3_req
prompt                  = no
#XXX UTF8string? string_mask = nombstr

[ req_distinguished_name ]
C                       = HU
#localityName           = Locality Name (eg, city)
O                       = NIIF Institute
OU                      = Web Servers
CN                      = $defaulthost

[ v3_req ]

# Extensions to add to a certificate request

#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName                  = \@alt_names

[alt_names]
EOS

        for (my $i=1; $i<=$#hosts+1; $i++) {
                print CONF "DNS." . $i . "                      = " . $hosts[$i-1] . "\n";
        }
        close CONF;
}
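
An added example, not the wiki's own code, for the sanity check the Perl script marks as XXX: the names read from stdin go straight into a heredoc and into backtick shell commands. This Python version validates each name as an RFC 1123 host name, builds the same multi-SAN request config, and runs openssl with an argument list instead of a shell; the umask handling and the sha256 digest are my choices, not the page's.

```python
import os
import re
import subprocess

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # RFC 1123 host name label

def valid_fqdn(name):
    """True for a syntactically valid host name (the check the Perl script skips)."""
    if not 1 <= len(name) <= 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.lower().split("."))

def mk_config(hosts, country="HU", org="NIIF Institute", ou="Web Servers"):
    # Same layout as the Perl mkConfig: CN = first host, every host a SAN entry
    bad = [h for h in hosts if not valid_fqdn(h)]
    if not hosts or bad:
        raise ValueError("empty host list or invalid host name(s): %r" % bad)
    cn = hosts[0]
    lines = [
        "[ req ]",
        "default_bits = 2048",
        "default_keyfile = %s.key" % cn,
        "default_md = sha256",  # SHA-1 signatures are deprecated
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[ req_distinguished_name ]",
        "C = %s" % country, "O = %s" % org, "OU = %s" % ou, "CN = %s" % cn,
        "",
        "[ v3_req ]",
        "subjectAltName = @alt_names",
        "",
        "[ alt_names ]",
    ]
    lines += ["DNS.%d = %s" % (i, h) for i, h in enumerate(hosts, 1)]
    return "\n".join(lines) + "\n"

def make_csr(hosts, workdir):
    """Write <cn>.key (owner-only) and <cn>.csr into workdir; return the CSR path."""
    cfg = os.path.join(workdir, "req.cnf")
    with open(cfg, "w") as f:
        f.write(mk_config(hosts))
    key, csr = (os.path.join(workdir, hosts[0] + ext) for ext in (".key", ".csr"))
    old = os.umask(0o077)  # key file is created owner-only: no chmod race
    try:  # argument list, no shell, so a name can never become a command
        subprocess.run(["openssl", "req", "-new", "-nodes", "-config", cfg,
                        "-keyout", key, "-out", csr], check=True)
    finally:
        os.umask(old)
    return csr
```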

Retrieve issued certificate (and chain)

Save the following code as getcert.sh in the same directory where you saved the Perl code. This script saves the issued certificate and the certificate chain as

  • hostname.you.provided.first.crt (certificate)
  • hostname.you.provided.first-chain.crt (certificate chain)

You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.

#!/bin/bash

# Usage: env host=hostname.fqdn.hu ./getcert.sh
if [[ -z "$host" ]]
then
        echo "Please issue the following command:" 1>&2
        echo "  export host=hostname.fqdn.hu" 1>&2
        exit 1
fi

echo "Please enter the URL you've received in the approved certificate notification mail:"
read -r URLBASE

# Strip a trailing slash so the paths below are not doubled
URLBASE="${URLBASE%/}"

# Certificate and chain in PEM format, as used by the Apache config below
wget -O "$host.crt" "$URLBASE/cert-pem/"
wget -O "$host-chain.crt" "$URLBASE/chain-pem/"

Apache config

This is how you can instruct Apache to use the new certificate:

SSLCertificateFile /path/to/your/pki/hostname.you.provided.first.crt
SSLCertificateKeyFile /path/to/your/pki/hostname.you.provided.first.key
SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt