TCS ServerCert

From: KIFÜ Wiki
You are viewing an earlier version of this page, as it was after the edit by Bajnokk(AT)niif.hu on 22 August 2015, 21:35.

Usage

With this script you can generate a certificate signing request (CSR) to submit manually to the TERENA Certificate Service (TCS). The request can carry several SubjectAltNames, such as aai.niif.hu and www.aai.niif.hu; the first name you enter becomes the CN (and is also listed as a SubjectAltName) and gives the output files their name.

Note: never share a private key (and therefore a certificate) between virtual hosts; generate a separate key pair for each.

The script creates the following files in your current working directory (the key is written unencrypted, as with -nodes, and with mode 0600 because the script sets umask 0077 first):

  • hostname.you.provided.first.org.key (private key, keep it on this host only)
  • hostname.you.provided.first.org.csr (certificate signing request, the file you submit to TCS)

Program code

#!/usr/bin/perl
use strict;
use warnings;

print "Please enter the FQDNs of the hosts, one per line\n";
print "Press Ctrl-D when done or Ctrl-C to cancel\n";

my @hosts;

while (my $h = <STDIN>) {
        chomp $h;
        next if $h eq '';
        # Sanity check: the name is interpolated into the OpenSSL config
        # file and used as a file name, so accept RFC 1123 host names only
        # (anything else, e.g. a '[' or a path separator, is rejected).
        die "Invalid host name: '$h'\n"
            unless length($h) <= 253
                and $h =~ /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/i;
        push @hosts, $h;
}
die "No host names given\n" unless @hosts;

chomp(my $tmpfile = `mktemp`);
die "mktemp failed\n" unless length $tmpfile and -f $tmpfile;

my $defaulthost = $hosts[0];
my @opensslReqCmd = ("openssl", "req", "-new", "-nodes", "-config", $tmpfile, "-out", "$defaulthost.csr");

# For re-keying (reusing the existing private key instead of generating a new one) you'd use:
#if (-r "$defaulthost.key") {
#        push @opensslReqCmd, ("-key", "$defaulthost.key");
#}

# Print the request in text form so the CN and the SubjectAltNames can be checked before submission.
my @opensslVerifyCmd = ("openssl", "req", "-text", "-noout", "-in", "$defaulthost.csr");

mkConfig($tmpfile, @hosts);

umask 0077;    # the private key must not be group or world readable
system(@opensslReqCmd) == 0 or die "openssl req failed (exit status $?)\n";
system(@opensslVerifyCmd) == 0 or die "openssl req -text failed (exit status $?)\n";

unlink $tmpfile;

# Writes a minimal OpenSSL request config: the first host is the CN and
# every host (the first included) becomes a DNS subjectAltName.
sub mkConfig {
        my ($out, @hosts) = @_;
        my $defaulthost = $hosts[0];

        open(my $conf, '>', $out) or die "Cannot write $out: $!\n";

        print $conf <<EOS;
[ req ]
default_bits            = 2048
default_keyfile         = $defaulthost.key
default_md              = sha256
distinguished_name      = req_distinguished_name
req_extensions          = v3_req
prompt                  = no

[ req_distinguished_name ]
CN                      = $defaulthost

[ v3_req ]
subjectAltName          = \@alt_names

[alt_names]
EOS

        for my $i (1 .. @hosts) {
                print $conf "DNS.$i                      = $hosts[$i - 1]\n";
        }
        close $conf or die "Cannot close $out: $!\n";
}

Apache config

This is how you instruct Apache (mod_ssl) to use the new certificate. The key file is the one the script generated; the certificate and the chain file (the TCS intermediate certificate(s), not the root) are what you get back from TCS. Note that SSLCertificateChainFile is deprecated since Apache 2.4.8: on current versions append the intermediate certificates to the file named by SSLCertificateFile (server certificate first) instead.

SSLCertificateFile /path/to/your/pki/hostname.you.provided.first.org.crt
SSLCertificateKeyFile /path/to/your/pki/hostname.you.provided.first.org.key
SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first.org-chain.crt
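The following is an added example, not the wiki's own code: it redoes the script's CSR-with-SANs step as shell functions (with the host name check the script only marks as TODO) and adds the checks worth running before submitting the request to TCS and before pointing the Apache directives above at the files. It assumes openssl(1) in PATH; the host names aai.niif.hu and www.aai.niif.hu are the page's, the file layout mirrors the script's, and the throwaway root + intermediate CA is a stand-in for the TCS issuer so that the deploy-time checks can run offline (the real certificate and chain come from TCS).

```shell
#!/bin/sh
# Added example (not the wiki's script): CSR generation with SANs plus the
# pre-submission and pre-deployment checks. Assumes openssl(1) in PATH.
# A throwaway root + intermediate CA stands in for the TCS issuer.

# valid_fqdn NAME: RFC 1123 host names only. The name goes into an OpenSSL
# config file and into file names; a newline or '[' could otherwise add
# config sections, hence the character whitelist before the structure check.
valid_fqdn() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" |
      grep -Eiq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$' &&
      [ ${#1} -le 253 ]
}

# make_csr DIR HOST [HOST...]: DIR/HOST.key (0600, unencrypted like -nodes)
# and DIR/HOST.csr; CN = first host, every host a DNS subjectAltName.
make_csr() {
    dir=$1; shift
    [ $# -ge 1 ] || return 1
    for h in "$@"; do valid_fqdn "$h" || { echo "bad host name: $h" >&2; return 1; }; done
    first=$1
    conf=$(mktemp) || return 1
    {
        printf '[req]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
        printf 'distinguished_name = dn\nreq_extensions = v3_req\n[dn]\nCN = %s\n' "$first"
        printf '[v3_req]\nsubjectAltName = @alt\n[alt]\n'
        i=1; for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$conf"
    (umask 077 && openssl req -new -nodes -config "$conf" \
        -keyout "$dir/$first.key" -out "$dir/$first.csr" 2>/dev/null)
    rc=$?; rm -f "$conf"; return $rc
}

# pubkey_of key|req|x509 FILE: SHA-256 of the public key, comparable across
# private key, request and certificate.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl sha256 | sed 's/^.*= //'
}

# sans_of req|x509 FILE: the DNS subjectAltNames, one per line.
sans_of() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
      awk '/Subject Alternative Name/ { getline; print }' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr DIR HOST [HOST...]: before submitting to TCS. The key on disk
# matches the request, every name is a SAN, the request is SHA-256 signed.
check_csr() {
    dir=$1; shift; first=$1
    [ "$(pubkey_of key "$dir/$first.key")" = "$(pubkey_of req "$dir/$first.csr")" ] || return 1
    sans=$(sans_of req "$dir/$first.csr")
    for h in "$@"; do printf '%s\n' "$sans" | grep -qxF "$h" || return 1; done
    openssl req -in "$dir/$first.csr" -noout -text 2>/dev/null | grep -q sha256WithRSAEncryption
}

# issue_with_test_ca DIR HOST: offline stand-in for the CA side. Writes
# DIR/root.crt (trust anchor), DIR/HOST.crt and DIR/HOST-chain.crt (the
# intermediate), copying the request's SANs into the certificate as a CA would.
issue_with_test_ca() {
    dir=$1; host=$2
    ext=$(mktemp) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$ext" &&
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 -days 30 \
        -extfile "$ext" -out "$dir/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' > "$ext" &&
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$ext" -out "$dir/int.crt" 2>/dev/null &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$(sans_of req "$dir/$host.csr" | awk '{ printf "%s%s", (NR > 1 ? "," : ""), "DNS:" $0 }')" > "$ext" &&
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$ext" -out "$dir/$host.crt" 2>/dev/null &&
    cp "$dir/int.crt" "$dir/$host-chain.crt"
    rc=$?; rm -f "$ext"; return $rc
}

# check_deploy DIR CAFILE HOST [HOST...]: before editing the Apache config.
# For a real TCS certificate drop -CAfile so the system trust store is used;
# the chain file then holds the TCS intermediate(s), never the root.
check_deploy() {
    dir=$1; cafile=$2; shift 2; first=$1
    [ "$(pubkey_of key "$dir/$first.key")" = "$(pubkey_of x509 "$dir/$first.crt")" ] || return 1
    openssl verify -CAfile "$cafile" -untrusted "$dir/$first-chain.crt" "$dir/$first.crt" >/dev/null 2>&1 || return 1
    sans=$(sans_of x509 "$dir/$first.crt")
    for h in "$@"; do printf '%s\n' "$sans" | grep -qxF "$h" || return 1; done
    openssl x509 -in "$dir/$first.crt" -noout -checkend 604800 >/dev/null 2>&1   # more than 7 days left
}

# run_demo: the whole flow in a scratch directory; 0 when every check passes.
run_demo() {
    work=$(mktemp -d) || return 1
    make_csr "$work" aai.niif.hu www.aai.niif.hu &&
    check_csr "$work" aai.niif.hu www.aai.niif.hu &&
    issue_with_test_ca "$work" aai.niif.hu &&
    check_deploy "$work" "$work/root.crt" aai.niif.hu www.aai.niif.hu
    rc=$?; rm -rf "$work"; return $rc
}
```

In practice you run make_csr and check_csr on the web host, submit the .csr to TCS, and then run check_deploy (without the test CA) on the returned .crt and chain file before touching the Apache configuration; the public-key comparison catches the common mistake of deploying a certificate issued for a key that has since been re-generated.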

Self-signed

Do not use CA-signed certificates for the SAML signing and encryption keys of your IdPs or SPs. Federation partners trust the key published in your SAML metadata, not a CA chain, so a CA signature brings no benefit and has drawbacks (e.g. some older versions of mod_ssl refuse to work with expired SP certificates, whereas metadata-based trust ignores the validity period).

Instead, generate a self-signed certificate with the following command (adjust the subject; -sha256 is given explicitly so that older OpenSSL releases do not fall back to SHA-1):

export host=your.host.name
openssl req -new -newkey rsa:2048 -x509 -sha256 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \
  -keyout $host-shib.key -out $host-shib.cert
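The following is an added example, not the wiki's command: it wraps the self-signed generation above in a function and then does what a practitioner needs next, namely confirm that the certificate really is self-signed and long-lived, and extract the certificate body that goes into <ds:X509Certificate> in the entity's SAML metadata (which, as explained above, is what the federation trusts). It assumes openssl(1) in PATH; the host name idp.example.org in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example (not the wiki's command): self-signed Shibboleth key pair,
# sanity checks, and the metadata-ready certificate body. Assumes openssl(1).

# make_shib_cert DIR HOST: DIR/HOST-shib.key (mode 0600) and DIR/HOST-shib.cert,
# the same command as on the page with the subject taken from HOST.
make_shib_cert() {
    (umask 077 && openssl req -new -newkey rsa:2048 -x509 -sha256 \
        -subj "/C=HU/O=NIIF/OU=AAI/CN=$2" -days 10000 -nodes \
        -keyout "$1/$2-shib.key" -out "$1/$2-shib.cert" 2>/dev/null)
}

# is_self_signed CERT: issuer equals subject and the signature verifies
# against the certificate's own public key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# valid_for_days CERT DAYS: 0 if the certificate is still valid DAYS from now
# (the page's -days 10000 makes expiry a non-issue for decades).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# metadata_cert CERT: the base64 body without PEM armour or line breaks,
# i.e. the text content of <ds:X509Certificate> in SAML metadata.
metadata_cert() {
    grep -v -- '-----' "$1" | tr -d '\n'
}

# key_descriptor CERT: a KeyDescriptor element ready to paste into metadata.
key_descriptor() {
    printf '<md:KeyDescriptor>\n  <ds:KeyInfo>\n    <ds:X509Data>\n      <ds:X509Certificate>%s</ds:X509Certificate>\n    </ds:X509Data>\n  </ds:KeyInfo>\n</md:KeyDescriptor>\n' \
        "$(metadata_cert "$1")"
}

# fingerprint_pem CERT / fingerprint_b64 BASE64: SHA-256 fingerprints, so the
# body published in metadata can be checked against the file it came from.
fingerprint_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
fingerprint_b64() {
    printf '%s' "$1" | openssl base64 -d -A |
      openssl x509 -inform DER -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: make_shib_cert /etc/shibboleth idp.example.org &&
#        key_descriptor /etc/shibboleth/idp.example.org-shib.cert
```

Publish the KeyDescriptor in your entity's metadata and keep the .key file on the IdP/SP host only; when rotating keys, add the new KeyDescriptor to the metadata before switching the software to the new key, so that partners already trust it.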