Changes

TCS ServerCert

1,011 bytes removed, 22 August 2015, 22:35
No edit summary
== Usage ==
With this script, you can generate a certificate request that you can submit '''manually''' to the Terena TCS service. For Hungary, you should be able to use the following URL: http://www.ca.niif.hu/hu/ca_request , but at the time of writing it doesn't let the subjectAltNames through. Instead, you should use the institution-specific request forms:
* [https://admin.ca.niif.hu/niif_ra/apply/000_NIIF NIIF]
* [https://admin.ca.niif.hu/niif_ra/apply/001_BME BME]
* ...
It's possible to include multiple SubjectAltNames in the request, such as for <code>aai.niif.hu</code> and <code>www.aai.niif.hu</code>.
{{NOTE_EN|Never share the private key (thus the certificate) between virtual hosts.}}
== Program code ==
You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.
 
::<small>The program code may need serious cleanup, sorry, I had no time for this. It's a quick&dirty solution, provided simply for your comfort. It also does not check the user input. </small>
 
<source lang="perl">
#!/usr/bin/perl -w
use strict;
use File::Temp qw(tempfile);   # assumption: the original's $tmpfile setup was lost in the diff view

my $dirname=`dirname $0`; chomp $dirname;
my $getcert="getcert.sh";

print "Please enter the fqdn's of the hosts one at a line\n";
my @hosts=<STDIN>; chomp @hosts;
@hosts=grep { /\S/ } @hosts;                 # drop empty lines
die "No host names given\n" unless @hosts;
my $defaulthost=$hosts[0];                  # first host becomes the CN

# Private key and generated config must not be world-readable
umask 0077;
my ($tmpfh,$tmpfile)=tempfile("tcs-req-XXXXXX", TMPDIR => 1);
close $tmpfh;                                # mkConfig rewrites the file by name

my @opensslReqCmd=("openssl","req","-new","-nodes","-config",$tmpfile,"-out","$defaulthost.csr");
my @opensslVerifyCmd=("openssl","req","-text","-in","$defaulthost.csr");
#for re-key, you'd use:
#if (-r "$defaulthost.key") { push @opensslReqCmd,("-key","$defaulthost.key"); }

mkConfig($tmpfile,@hosts);
system @opensslReqCmd;
system @opensslVerifyCmd;                    # prints the CSR so you can eyeball the SANs
print "\nTo retrieve the issued certificate, please issue the following command:\n";
print " env host=$defaulthost $dirname/$getcert\n";
unlink $tmpfile;

# Writes an OpenSSL request config: DN from the first host, every host as a DNS SAN
sub mkConfig {
my $out=shift;
my @hosts=@_;
my $defaulthost=$hosts[0];
open (CONF,">$out") or die "$!";
# the [ req ] section header is where openssl req looks for these defaults
print CONF <<"EOS";
[ req ]
default_bits = 2048
default_keyfile = $defaulthost.key
default_days = 1095 # 3x365 days
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
#XXX UTF8string? string_mask = nombstr
[ req_distinguished_name ]
C = HU
#localityName = Locality Name (eg, city)
O = NIIF Institute
OU = Web Servers
CN = $defaulthost
[ v3_req ]
# Extensions to add to a certificate request
#basicConstraints = CA:FALSE
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = \@alt_names
[alt_names]
EOS
for (my $i=1; $i<=$#hosts+1; $i++) { print CONF "DNS." . $i . " = " . $hosts[$i-1] . "\n"; }
close CONF;
}
</source>
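The script only prints the <code>openssl req -text</code> output for eyeballing. As an added example (not part of the original page or its scripts), the Python below parses that text dump and checks that the CSR carries exactly the requested SANs, the expected CN, a 2048-bit key and a SHA-2 digest; the CSR text and host list are constructed samples.

```python
import re

# Constructed sample: what `openssl req -text -noout -in aai.niif.hu.csr` prints
# for a CSR produced by the script above (modulus omitted for brevity).
CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = HU, O = NIIF Institute, OU = Web Servers, CN = aai.niif.hu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:aai.niif.hu, DNS:www.aai.niif.hu
    Signature Algorithm: sha256WithRSAEncryption
"""
HOSTS = ["aai.niif.hu", "www.aai.niif.hu"]  # first entry is the CN, as in mkConfig


def parse_csr_text(text):
    """Pull CN, DNS SANs, key size and digest out of openssl's text dump."""
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    sans = [e[4:] for e in san.group(1).split(", ") if e.startswith("DNS:")] if san else []
    return {"cn": cn.group(1).strip() if cn else None,
            "sans": sans,
            "bits": int(bits.group(1)) if bits else 0,
            "sigalg": sig.group(1) if sig else ""}


def check_csr(text, hosts):
    """Return a list of problems; an empty list means the CSR matches the request."""
    info, problems = parse_csr_text(text), []
    if info["cn"] != hosts[0]:
        problems.append(f"CN is {info['cn']!r}, expected {hosts[0]!r}")
    for h in sorted(set(hosts) - set(info["sans"])):
        problems.append(f"missing SAN: {h}")
    for h in sorted(set(info["sans"]) - set(hosts)):
        problems.append(f"unexpected SAN: {h}")  # a name you did not ask for
    if info["bits"] < 2048:
        problems.append(f"key too small: {info['bits']} bits")
    if not info["sigalg"].lower().startswith(("sha256", "sha384", "sha512")):
        problems.append(f"weak digest: {info['sigalg'] or 'unknown'}")
    return problems
```

Run it against the real dump with <code>check_csr(open("aai.niif.hu.txt").read(), hosts)</code> after saving <code>openssl req -text -noout</code> output to that file.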
 
=== Retrieve issued certificate (and chain) ===
Save the following code as <code>getcert.sh</code> in the same directory where you saved the Perl code. This script saves the issued certificate and certificate chain as
* <code>hostname.you.provided.first.crt</code> (certificate)
* <code>hostname.you.provided.first-chain.crt</code> (certificate chain)
 
You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.
 
<source lang="bash">
#!/bin/bash

if [[ "$host" == "" ]]
then
  echo "Please issue the following command:" 1>&2
  echo " export host=hostname.fqdn.hu" 1>&2
  exit 1
fi

echo "Please enter the URL you've received in the approved certificate notification mail:"
read -r URLBASE

# strip a trailing slash so the path segments below are not doubled
URLBASE="${URLBASE%/}"
wget -O "$host.crt" "$URLBASE/cert-pem/"
wget -O "$host-chain.crt" "$URLBASE/chain-pem/"
</source>
