ee25310d |
'''Note''': You can generally avoid worrying about these details by using the scripts described in DomTool/AdminProcedures. The instructions here are mostly of interest to people implementing those scripts.

These instructions assume you are running as a user in group `wheel` on `deleuze.hcoop.net`.

= Creating a certificate authority =

I followed the instructions on this page:
http://sial.org/howto/openssl/ca/

This blog post revealed the source of a puzzling error:
http://ilovett.com/blog/projects/debian-apache-ssl
It turns out leaving some fields (like the city name for your new certificate) blank leads to baffling messages!

Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA:
{{{
# directory layout expected by the [ CA_default ] section of openssl.cnf
mkdir crl newcerts private
chmod go-rwx private
echo '01' > serial
touch index
# NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
# The CA private key is written to the file named by default_keyfile in
# openssl.cnf unless you pass -keyout; keep it under private/.
openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM
}}}

Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.

= Creating a certificate for a node or user =

I followed the instructions on these pages:
http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2

http://www.postgresql.org/docs/8.1/interactive/ssl-tcp.html

The commands to run are:
{{{
# generate the private key (give a key size, e.g. "openssl genrsa -out serverkey.pem 2048";
# old OpenSSL releases default to a very short key)
openssl genrsa -out serverkey.pem
# build the certificate signing request for that key
openssl req -new -key serverkey.pem -out newreq.pem -days 365
# openssl ca reads the request from the combined file; the key is carried along unchanged
cat newreq.pem serverkey.pem > new.pem
# sign the request with the CA described in /etc/domtool/openssl.cnf
openssl ca -config /etc/domtool/openssl.cnf -policy policy_anything -out servercert.pem -infiles new.pem
}}}
replacing `serverkey.pem` and `servercert.pem` with appropriate names for your new key and certificate, respectively. The change I made from [http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2 the cited source] is to include the `-config` flag to reference the modified config file obtained from [http://sial.org/howto/openssl/ca/ the page about creating a CA].

Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.

= Baffling things that can happen =

If `openssl ca` tells you this:
{{{
failed to update database
TXT_DB error number 2
}}}

it means that you have it configured not to sign a certificate for the same user multiple times, but you've gone ahead and asked it to do so anyway. Add this line to the section for your default CA in `openssl.cnf`:
{{{
unique_subject = no
}}}

If you've already been signing some keys and you want to keep what you've done so far, you may also need to make similar changes in `index.attr` and possibly `index.attr.old`.
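The duplicate-subject rule behind that error can be checked before running `openssl ca`. The script below is an added example, not part of the DomTool scripts or this page's original commands; it assumes the six-field tab-separated `index` file that `openssl ca` writes (status, expiry, revocation date, serial, filename, subject DN) and a constructed sample index.

```python
"""Pre-flight check against the CA text database kept by `openssl ca`.

With `unique_subject = yes` (the default), `openssl ca` refuses to issue a
second certificate for a subject that already has a *valid* (status V) entry
in the index and fails with "TXT_DB error number 2". Revoked (R) and expired
(E) entries do not block, but a lapsed certificate keeps status V until
`openssl ca -updatedb` is run, so it still blocks until then.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired
    expiry: str    # YYMMDDHHMMSSZ
    revoked: str   # revocation date, empty unless status is R
    serial: str    # hex serial number
    filename: str  # usually "unknown"
    subject: str   # DN in OpenSSL one-line form, e.g. /C=US/CN=foo


def parse_index(text: str) -> List[IndexEntry]:
    """Parse the tab-separated index file; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def conflicting_serials(index_text: str, subject: str) -> List[str]:
    """Serials of status-V entries whose subject equals `subject`."""
    return [e.serial for e in parse_index(index_text)
            if e.status == "V" and e.subject == subject]


def signing_would_fail(index_text: str, subject: str, unique_subject: bool = True) -> bool:
    """True if `openssl ca` would hit TXT_DB error number 2 for this subject."""
    return unique_subject and bool(conflicting_serials(index_text, subject))


# Constructed sample index: one valid, one revoked, one expired entry.
SAMPLE_INDEX = (
    "V\t270101000000Z\t\t01\tunknown\t/C=US/O=HCoop/CN=alice\n"
    "R\t270101000000Z\t250601120000Z\t02\tunknown\t/C=US/O=HCoop/CN=bob\n"
    "E\t240101000000Z\t\t03\tunknown\t/C=US/O=HCoop/CN=carol\n"
)
```

Run `signing_would_fail(open("index").read(), subject)` with the exact subject string from `openssl req -noout -subject -in newreq.pem` to see whether you need `unique_subject = no` (or a revocation) before signing.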