Here is a simple howto on creating your own CA (Certificate Authority) under CentOS 5. It should also work on other Linux distributions with changes to the paths where the commands and configuration files are found. This howto covers creating a certificate authority using OpenSSL and setting up a secure website using Apache with the mod_ssl module. For CentOS 5 you will need OpenSSL, Apache with the mod_ssl module, and the OpenSSL Perl tools (openssl-perl); you can easily search for these packages using yum search.
Now let's begin with the howto.
If you have all of the above packages installed on CentOS 5, the configuration file paths below will work for you.
Apache SSL configuration file - /etc/httpd/conf.d/ssl.conf
OpenSSL configuration file - /etc/pki/ssl.conf
CA.pl - OpenSSL Perl script tools - /etc/pki/tls/misc
Creating a new Certificate Authority
$ ./CA.pl -newca
Press Enter at the prompt to create a new CA, then enter a strong passphrase. Do not forget this passphrase.
Fill in your details and provide a sensible name for the CA.
Common Name (eg, YOUR name) []: review-ninja.com
This creates a new CA in the directory /etc/pki/CA. The CA's self-signed certificate is stored in /etc/pki/CA/cacert.pem and its private key in /etc/pki/CA/private/cakey.pem. Make sure to secure these files.
Certificate Request
Now you need a server certificate that is signed by your own CA. First, generate a certificate request. Fill in the details and make sure "Common Name" is the hostname of the website.
$ ./CA.pl -newreq
Provide a passphrase for the server certificate's key.
Common Name (eg, name) []: www.hostname.com
The certificate request is in newreq.pem.
Now sign the request as the root CA:
$ ./CA.pl -sign
Enter the passphrase for the root CA, then the passphrase for the server certificate's key.
The signed server certificate is placed in newcert.pem. The private key is saved in newkey.pem.
Make sure the private key is never world readable. Secure the PEM files, including newreq.pem, for later use and make sure they are kept private.
$ chmod 0400 newkey.pem
Adding Certificate to your Apache ssl.conf
Look for the following lines under /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /pathto/newcert.pem
SSLCertificateKeyFile /pathto/newkey.pem
SSLCACertificateFile /pathto/cacert.pem
Make sure to uncomment the following lines as well:
SSLVerifyClient require
SSLVerifyDepth 10
Then restart Apache with /etc/init.d/httpd restart; it will ask you to enter the passphrase you used for the CA.
Creating Client Certificate
You can generate a fresh newreq.pem and newkey.pem, or just use the ones you generated before. Now we combine newcert.pem and newkey.pem and convert them into the PKCS#12 format that can be imported into a browser.
$ cat newcert.pem newkey.pem >> signing.pem
$ openssl pkcs12 -in signing.pem -out signing.p12 -clcerts -keysig -export
Enter the key's passphrase, then enter a password for the export. When importing the p12 file into your browser you will be asked for this export password again.
Now you should see a file named signing.p12; download it to your desktop and import it into your browser, and that's it.
If you want to generate certificates for many individuals, or script the process, you can use
$ openssl pkcs12 -passin pass:yourpassphrase -in signing.pem -passout pass:yourexportpassword -out signing.p12 -clcerts -keysig -export
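The same CA, server certificate and PKCS#12 flow with plain openssl commands instead of CA.pl, followed by the checks worth running before touching ssl.conf (chain verifies against cacert.pem, CN matches the hostname, key is not world readable, p12 opens with the export password). This is an added example, not code from the original post; the hostname, passphrases and scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: mirrors the post's CA.pl steps with direct openssl calls.
set -eu

build_pki() {
    dir="$1"; host="$2"; capass="$3"; exportpass="$4"
    mkdir -p "$dir/private" && chmod 0700 "$dir/private"
    # 1. Self-signed root CA (CA.pl -newca); CA key is passphrase protected.
    openssl req -new -x509 -days 365 -newkey rsa:2048 -subj "/CN=Example Root CA" \
        -passout "pass:$capass" -keyout "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server key and CSR (CA.pl -newreq); CN must be the site hostname.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    chmod 0400 "$dir/newkey.pem"
    # 3. Sign the CSR with the CA (CA.pl -sign).
    openssl x509 -req -days 365 -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -passin "pass:$capass" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
    # 4. Bundle cert + key as PKCS#12 for browser import (the post's signing.p12).
    openssl pkcs12 -export -clcerts -inkey "$dir/newkey.pem" -in "$dir/newcert.pem" \
        -passout "pass:$exportpass" -out "$dir/signing.p12"
}

# Returns 0 only if every check passes; each line is one thing the post asks for.
check_pki() {
    dir="$1"; host="$2"; exportpass="$3"
    # Server cert chains to our CA (what SSLCACertificateFile relies on).
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" 2>/dev/null \
        | grep -q ': OK$' || return 1
    # Common Name is the hostname browsers will connect to.
    openssl x509 -noout -subject -in "$dir/newcert.pem" | grep -q "CN *= *$host" || return 1
    # Private key mode is 0400 (chmod 0400 newkey.pem in the post).
    perms=$(stat -c %a "$dir/newkey.pem" 2>/dev/null || stat -f %Lp "$dir/newkey.pem")
    [ "$perms" = "400" ] || return 1
    # The p12 opens with the export password the browser will prompt for.
    openssl pkcs12 -in "$dir/signing.p12" -passin "pass:$exportpass" \
        -noout -nokeys >/dev/null 2>&1 || return 1
    return 0
}

# Stand-alone demo: ./pki.sh demo  (directory, hostname and passwords are constructed)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_pki "$d" www.hostname.com capass-placeholder export-placeholder
    check_pki "$d" www.hostname.com export-placeholder && echo "all checks passed in $d"
fi
```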