After doing a lot of head banging, I was able to get it working (so far).
# openssl version
OpenSSL 0.9.7j 04 May 2006
# uname -a
OpenBSD ironhost.fistofiron.com 4.2 GENERIC#375 i386
This setting causes a lot of errors, hence I have commented it out:
#prompt = no # this option is generating lot of errors.
I referred to several sites, especially: http://www.faqs.org/docs/securing/chap24sec196.html
Below is working fine:
# cat openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# Plus, I have configured it for generating CA cert too.
#RANDFILE = /dev/arandom
dir = /etc/ssl                          # working dir for all operations

[ ca ]                                  # section for CA settings
default_ca = CA_default                 # default CA settings section title

[ CA_default ]                          # default settings for CA
certs = $dir/certs                      # dir to keep issued certificates
new_certs_dir = $dir/ca.db.certs        # dir for new certs
crl_dir = $dir/crl                      # dir for issued cert revocation lists
serial = $dir/ca.db.serial              # file contains the current serial no.
database = $dir/ca.db.index             # certificate database index file
crl = $dir/crl.pem                      # the current CRL
certificate = $dir/certs/ca.crt         # file containing CA certificate
private_key = $dir/private/ca.key       # the private key corresponding
                                        # to CA certificate
default_days = 3650                     # valid for 10 years
default_crl_days = 30                   # how long before next CRL
default_md = sha1                       # md5 for older software and is weaker
preserve = no                           # whether to preserve the order of DN
                                        # fields to match the order passed in
email_in_dn = no
policy = policy_match                   # section to tell which fields in certs
                                        # must match that of CA, or are mandatory
x509_extensions = usr_cert              # directives for CA when signing a cert

# Make new requests easier to sign - allow two subjects with same name
# (Or revoke the old certificate first.)
unique_subject = no

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
nameopt = default_ca
certopt = default_ca

[ policy_match ]                        # OIDs that must be same as that of CA
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types. All values are system default.
[ policy_anything ]                     # all possible options for policy...
countryName = optional
stateOrProvinceName = optional
localityName = optional                 # this is not in policy_match section
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#######################################
# the req section is used by the openssl req command; it creates and processes
# certificate requests in PKCS#10 format. It also creates self signed certs
# for use as root CA.
[ req ]                                 # directives to process and create cert requests
default_bits = 1024                     # key size for new cert request
default_keyfile = privkey.pem           # default key name for any newly generated cert
default_md = sha1                       # message digest algorithm, default was md5
#prompt = no                            # this option is generating lot of errors.
string_mask = nombstr                   # permitted characters
distinguished_name = req_distinguished_name # suggestion was root_ca_distinguished_name
attributes = req_attributes             # section used when generating cert
x509_extensions = v3_ca                 # section of extensions to add to self signed cert
req_extensions = v3_req                 # [non CA] used when requesting certs,
                                        # adds more extensions to cert request

###########
# below section not used right now
#[ root_ca_distinguished_name ]
#commonName = FistOfIron MO
#countryName = US
#stateOrProvinceName = Missouri
#localityName = St.Louis
#0.organizationName = fistofiron.org
#emailAddress = foi-ca@fistofiron.org
#####################

[ req_distinguished_name ]              # options needed to generate a certificate
# Variable name            Prompt string
#------------------------- ----------------------------------
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
commonName = Common Name (FQDN, hostname, IP, or your name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64                   # original had 64, sample had 40

# default values for above
countryName_default = US
stateOrProvinceName_default = Missouri
localityName_default = STL, MO
0.organizationName_default = Fist of Iron
organizationalUnitName_default = WebMail
commonName_default = www.fistofiron.com
emailAddress_default = badeguruji@fistofiron.com

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = CryptSoft Pty Ltd

[ usr_cert ]                            # options used by CA to sign other certs - called by CA_default section
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE             # false meaning this cert cannot be used as a CA cert
                                        # to sign other certs, for e.g.
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash             # specifies how to identify the key being certified/signed
authorityKeyIdentifier = keyid,issuer:always # how to identify the pub key used to verify the signature
                                        # on this (user) cert
nsComment = OpenSSL_from_Fist_Of_Iron
nsCaRevocationUrl = https://www.fistofiron.com/ca-crl.pem # revocation url for the root CA cert
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_ca ]                               # options used for creating CA cert - called by req section
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:TRUE

# commented out defaults...
#keyUsage = cRLSign,keyCertSign         # although typical for a CA
#nsCertType = sslCA,emailCA
#subjectAltName = email:copy            # even though recommended by PKIX
#issuerAltName = issuer:copy            # even though recommended by PKIX
#obj = DER:02:03                        # experts only. introduces an ext in hex with DER

[ v3_req ]                              # options used for adding to a certificate request.
basicConstraints = CA:FALSE             # meaning this cert is not for doing CA job
subjectKeyIdentifier = hash             # how to identify this cert

[ req_attributes ]
challengePassword = A challenge password # displays this text
challengePassword_min = 4               # min length allowed
challengePassword_max = 20              # max length allowed
unstructuredName = optional company name # displays this text

[ x509v3_extensions ]                   # these are used to sign or request certs
                                        # (no section above points here, so it is unused)
nsCaRevocationUrl = http://www.fistofiron.com/ca-crl.pem
nsComment = "Fist of Iron owns its own CA and signs its own certs"
# under ASN.1, the 0 bit would be encoded as 80
nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
sign.sh is used to sign the certificate, but if you read closely you might not need this file; the commands alone would do, as our config file is very extensive.
# cat sign.sh
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
    * ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
# (the [ ca ] settings the script writes here did not survive in the archived
#  copy of this message; the openssl.cnf above carries the same settings)
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0
Now to create http server certs, CA cert and sign the http server cert:
1. config openssl.cnf
2. config sign.sh
3. Create a RSA private key protected with a passphrase for your lighttpd Server.
# openssl genrsa -des3 -out httpsrvr.key 1024
file generated:
-rw-r--r-- 1 root wheel 963 Dec 9 22:19 httpsrvr.key
4. Generate a Certificate Signing Request (CSR) with the server RSA private key.
# openssl req -new -key httpsrvr.key -out httpsrvr.csr
file produced:
-rw-r--r-- 1 root wheel 818 Dec 9 22:23 httpsrvr.csr
5. Create a RSA private key for your CA.
# openssl genrsa -des3 -out ca.key 1024
file generated:
-rw-r--r-- 1 root wheel 963 Dec 9 22:36 ca.key
6. Create a self-signed CA certificate x509 structure with the RSA key of the CA.
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
file(s) generated:
-rw-r--r-- 1 root wheel 1025 Dec 9 22:40 ca.crt
7. moved some files:
# mv httpsrvr.key ca.key private/
# mv ca.crt certs/
8. sign a certificate request:
# ./sign.sh httpsrvr.csr
files generated:
-rw-r--r-- 1 root wheel 2794 Dec 10 14:57 httpsrvr.crt
9. file moved:
# mv httpsrvr.crt certs/
10. these files can be used in the httpd.conf file as below:
SSLCertificateFile /etc/ssl/certs/httpsrvr.crt
SSLCertificateKeyFile /etc/ssl/private/httpsrvr.key
Hope it is useful to some.
Thank you.
-BG
________________________________
~~Kalyan-mastu~~
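Added example, not part of the post above or of OpenSSL itself: a small lint pass over an openssl.cnf of the shape shown in the post. It parses the file the way the CA setup relies on it (key = value lines, '#' comments, $name expansion from the unnamed top section), follows the section pointers the post's [ ca ] and [ req ] sections use (default_ca, policy, x509_extensions, distinguished_name, attributes, req_extensions), flags a pointer to a section that does not exist or a CA:TRUE reaching the section used for signed certificates, lists sections nothing points at (the post's [ x509v3_extensions ] is one), and prints the paths the CA section expects, which is where steps 7 and 9 of the procedure move the files. The names parse_cnf, get, lint and expected_files are this example's own; SAMPLE_CNF is a constructed, trimmed copy of the posted config with the same section names and /etc/ssl paths.

```python
"""Lint an openssl.cnf of the kind posted above (added example, own code).
parse_cnf / get / lint / expected_files are this example's names, not an
OpenSSL API.  SAMPLE_CNF is a constructed, trimmed copy of the posted file."""
import re

# Constructed sample: the skeleton of the posted openssl.cnf, trimmed.
SAMPLE_CNF = """\
dir = /etc/ssl                    # working dir for all operations
[ ca ]
default_ca = CA_default
[ CA_default ]
certs = $dir/certs
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
policy = policy_match
x509_extensions = usr_cert        # directives for CA when signing a cert
[ policy_match ]
countryName = match
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (FQDN, hostname, IP, or your name)
[ req_attributes ]
challengePassword = A challenge password
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
[ x509v3_extensions ]
nsCertType = 0x40
"""


def parse_cnf(text):
    """Return {section: [(key, value), ...]}; '' is the unnamed top section.
    Inline '#' comments are stripped and $name is expanded from the top
    section, as OpenSSL does for variables set before the first [section]
    (assumption: the ${name} spelling is not handled here)."""
    sections, top, current = {"": []}, {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        value = re.sub(r"\$(\w+)", lambda mm: top.get(mm.group(1), mm.group(0)), value)
        if current == "":
            top[key] = value
        sections[current].append((key, value))
    return sections


def get(sections, section, key):
    """First value of key in section, or None (OpenSSL also takes the first)."""
    for k, v in sections.get(section, []):
        if k == key:
            return v
    return None


def lint(sections):
    """Return a list of findings; an empty list means every check passed."""
    findings, referenced = [], set()

    def ref(sec, key):
        # A key whose value names another section: record it, flag dangling ones.
        target = get(sections, sec, key)
        if target is not None:
            referenced.add(target)
            if target not in sections:
                findings.append(f"[{sec}] {key} points at missing section [{target}]")
        return target

    ca_sec = ref("ca", "default_ca")
    if ca_sec in sections:
        policy, ext = ref(ca_sec, "policy"), ref(ca_sec, "x509_extensions")
        bc = (get(sections, ext, "basicConstraints") or "").upper().replace(" ", "")
        if ext in sections and "CA:TRUE" in bc:
            findings.append(f"[{ext}] is used for signed certs but carries basicConstraints CA:TRUE")
        if policy in sections and get(sections, policy, "commonName") not in ("supplied", "match"):
            findings.append(f"[{policy}] does not require commonName")
    for key in ("distinguished_name", "attributes", "x509_extensions", "req_extensions"):
        ref("req", key)
    for sec in sections:  # sections no key points at are only reachable via the command line
        if sec and sec not in referenced and sec not in ("ca", "req"):
            findings.append(f"[{sec}] is not referenced by any section (only reachable from the command line)")
    return findings


def expected_files(sections):
    """Paths the CA section expects; the post's steps 7 and 9 move files here."""
    ca_sec = get(sections, "ca", "default_ca")
    keys = ("certificate", "private_key", "certs", "new_certs_dir", "database", "serial")
    return {k: get(sections, ca_sec, k) for k in keys}


if __name__ == "__main__":
    cfg = parse_cnf(SAMPLE_CNF)
    for path in expected_files(cfg).items():
        print("%-14s %s" % path)
    for finding in lint(cfg):
        print("finding:", finding)
```

Run against the sample it reports only that [ x509v3_extensions ] is unreferenced, which matches the posted file: nothing selects that section, so its nsCertType line never takes effect. Pointing CA_default's x509_extensions at v3_ca instead, the way a copy-paste slip would, is caught as CA:TRUE reaching end-entity certificates, which is exactly the mistake the usr_cert comments in the post warn about.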