Módosítások

← Régebbi szerkesztés

TCS ServerCert

212 bájt törölve, 2017. szeptember 13., 13:13

→‎Self-signed: 2-pass variant to avoid CA:TRUE

== Usage ==

With this script, you can generate a certificate request that you can submit manually ~~submit~~ to Terena TCS service. ~~For Hungary, you may use the following URL: http://www.ca.niif.hu/hu/ca_request~~ It's possible to ~~use~~ include multiple SubjectAltName -s in the request, such as ~~for~~ <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>. ~~{{NOTE_EN|Never share the private key (thus the certificate) across virtual hosts.}}~~

This script creates the following files in your current working directory:

* <code>hostname.you.provided.first.org.key</code> (private key)

* <code>hostname.you.provided.first.org.csr</code> (certificate request)

== Program code ==

~~You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.~~

~~::<small>The program code may need serious cleanup, sorry, I'd no time for this. It's a quick&dirty solution, provided simply for your comfort. It also does not check the user input. </small>~~

#!/usr/bin/perl -w

~~my $dirname=`dirname $0`; chomp $dirname;~~

~~my $getcert="getcert.sh";~~

print "Please enter the fqdn's of the hosts one at a line\n";

my $defaulthost=$hosts[0];

my $@opensslReqCmd=("openssl ","req ","-new ","-nodes ","-config ","$tmpfile ","-out ~~$defaulthost.csr~~";~~my $opensslVerifyCmd=~~,"~~openssl req -text -in~~ $defaulthost.csr");

~~&mkConfig~~#for re-key, you'd use:#if (-r "$~~tmpfile~~defaulthost.key") { #push @opensslReqCmd,~~@hosts~~("-key","$defaulthost.key");#}

~~`$opensslReqCmd`;`chmod 600~~ my @opensslVerifyCmd=("openssl","req","-text","-in","$defaulthost.~~key`;system $opensslVerifyCmd~~csr");

~~print "\nTo retrieve the issued certificate, please issue the following command:\n";print " env host=$defaulthost $dirname/$getcert\n";~~ ~~unlink $tmpfile;~~ ~~sub~~ &mkConfig(~~@) {~~ my $~~out=shift;~~ my tmpfile,@hosts~~=@_;~~ ~~my $defaulthost=$hosts[0]~~);

umask 0077;

system @opensslReqCmd;

system @opensslVerifyCmd;

unlink $tmpfile;

sub mkConfig(@) {

my $out=shift;

my @hosts=@_;

my $defaulthost=$hosts[0];

open (CONF,">$out") or die "$!";

default_bits = 2048

default_keyfile = $defaulthost.key

default_days = 1095# 3x365 daysdefault_md = ~~sha1~~sha256

distinguished_name = req_distinguished_name

req_extensions = v3_req

prompt = no

~~#XXX UTF8string? string_mask = nombstr~~

[ req_distinguished_name ]

~~C = HU~~

~~#localityName = Locality Name (eg, city)~~

~~O = NIIF Institute~~

~~OU = Web Servers~~

CN = $defaulthost

[ v3_req ]

~~# Extensions to add to a certificate request~~ ~~#basicConstraints = CA:FALSE#keyUsage = nonRepudiation, digitalSignature, keyEncipherment~~subjectAltName = \@alt_names

[alt_names]

EOS

for (my $i=1; $i<=$#hosts+1; $i++) { print CONF "DNS." . $i . " = " . $hosts[$i-1] . "\n";

}

close CONF;

}

~~</source>~~

~~=== Retrieve issued certificate (and chain) ===~~

~~Save the following code as <code>getcert.sh</code> at the same directory you'd saved the Perl code. This script saves the issued certificate and certificate chain as~~

* <code>hostname.you.provided.first.crt</code> (certificate)

* <code>hostname.you.provided.first-chain.crt</code> (certificate chain)

~~You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.~~

~~<source lang="bash">~~

~~#!/bin/bash~~

~~if [[ "$host" == "" ]]~~

~~then~~

~~echo "Please issue the following command:" 1>&2~~

~~echo " export host=hostname.fqdn.hu" 1>&2~~

~~exit 1~~

fi

~~echo "Please enter the URL you've received in the approved certificate notification mail:"~~

~~read URLBASE~~

~~URLBASE=`echo $URLBASE |sed "s/\/$//"`~~

~~wget -O $host.crt $URLBASE/cert-pem/~~

~~wget -O $host-chain.crt $URLBASE/chain-pem/~~

</source>

SSLCertificateKeyFile /path/to/your/pki/hostname.you.provided.first.key

SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt

== Self-signed ==

It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (ie. some older versions of mod_ssl refuse to work with expired SP certs).

Instead, you should generate a self-signed certificate with the following commands (please adjust the subject):

export host=your.host.name

openssl req -new -newkey rsa:2048 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \

-keyout $host-fed.key -out $host-fed.csr

openssl x509 -in $host-fed.csr -out $host-fed.crt -req -signkey $host-fed.key

[[Category: TCS]]

[[Category: English]]

Bajnokk(AT)niif.hu

bürokraták, adminisztrátorok

1 260

szerkesztés

Módosítások

TCS ServerCert

Navigációs menü

Személyes eszközök

Névterek

Változatok

Nézetek

Több

Keresés

Navigáció

Eszközök