
  1. Check that the SSL directories are there, and cd to them.
    Code Block
    ls -l /var/lib/ssl
    cd /var/lib/ssl
    
    • If they are not there, create them. The private directory will hold an unencrypted key, so it should be readable only by root (mode 700).
      Code Block
      mkdir /var/lib/ssl
      mkdir /var/lib/ssl/certs
      mkdir /var/lib/ssl/private
      cd /var/lib/ssl
      
  2. Set a temporary shell variable to the fully qualified hostname of the system you are creating certs for. The steps below refer to it as ${hostname}; do not use a backquoted `hostname` command in its place, because that runs the hostname command and may return a short or different name than the one the certificate must carry.
    Code Block
    
    hostname=[HOSTNAME]
    
  3. Generate the RSA key
    • The ps output is only used as extra seed material for the -rand option; current OpenSSL releases seed from the operating system's random source, so the file is harmless but no longer necessary. The page originally specified a 1024-bit key; 1024-bit RSA is no longer accepted by public CAs or browsers, so use at least 2048 bits. Run the genrsa command with a restrictive umask (077) so the key file is not world-readable.
      Code Block
      ps > /tmp/foo
      ps -elf >> /tmp/foo
      cd /var/lib/ssl
      openssl genrsa -rand /tmp/foo 2048 > /var/lib/ssl/private/${hostname}-key.pem
      
  4. Generate a certificate signing request (CSR) for the key. openssl req will prompt for the subject fields.
    Code Block
    cd /var/lib/ssl/
    openssl req -new -key /var/lib/ssl/private/${hostname}-key.pem \
       > /var/lib/ssl/certs/${hostname}-req.pem
    
    Send the certificate request file to mitcert@mit.edu.
    
    Please be aware, the organization (O) is:
    Massachusetts Institute of Technology
    and the common name (CN) is the name of the server or
    service, including the domain name (.mit.edu).  Also, some servers, such
    as Thalia servers, can represent an entire subdomain.  These servers
    will need certificates issued with a wildcard in the domain name, such
    as *.isda-thalia-1.mit.edu.
    
    Remember, if the server is a Thalia server, it will need a wildcard
    certificate and a DNS record for *.${hostname}, and if it is doing any type of
    authentication, it will need a joint client/server certificate to be able
    to connect to the Shibboleth server (and have end users connect to it as
    well).
    
  5. To generate a self-signed temporary certificate, add the -x509 option to the openssl req command line. The -nodes option only affects a key that openssl req generates itself; since the key is supplied with -key here it has no effect, but it does no harm. Note that openssl req -x509 issues a certificate valid for 30 days unless you pass -days.
    Code Block
    cd /var/lib/ssl
    openssl req -key /var/lib/ssl/private/${hostname}-key.pem -new -x509 -nodes > /var/lib/ssl/certs/${hostname}-temp-cert.pem
    
  6. When you receive a certificate from MIT Certificates, save it as the file below. Before installing it, confirm that it was issued for your key (the public key in the certificate must match the one in ${hostname}-key.pem) and that its CN is the hostname you requested.
    Code Block
    /var/lib/ssl/certs/${hostname}-cert.pem
    
  7. Create the symlinks that will allow Apache to function correctly. While you are waiting for the real certificate, point host-cert.pem at the temporary self-signed certificate from step 5 instead, then repoint it when the issued certificate arrives.
    Code Block
    ln -s /var/lib/ssl/certs/${hostname}-cert.pem /var/lib/ssl/certs/host-cert.pem
    ln -s /var/lib/ssl/private/${hostname}-key.pem /var/lib/ssl/private/host-key.pem
    
  8. Commands to view cert information. These read the copies kept under AFS; substitute the /var/lib/ssl paths to inspect the files on the server itself. -noout suppresses re-printing the PEM block so only the decoded fields are shown.
    • to look at a request:
      Code Block
      openssl req -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-req.pem -noout -text
      
    • to look at the private key (this prints the private exponent and primes, so do it only on a trusted terminal):
      Code Block
      openssl rsa -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -noout -text
      
    • to look at the server certificate:
      Code Block
      openssl x509 -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem -noout -text
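The whole procedure above (steps 1 through 7), gathered into one shell script as an added example that is not part of the original page. It goes beyond the page in three ways: the CSR subject is passed with -subj so the O and CN values the note in step 4 requires are set without prompting, the key is 2048 bits with a restrictive umask and a 700 private directory, and a check compares the public key in the key file, the CSR and the certificate so a certificate issued for the wrong key is caught before Apache is restarted. SSL_DIR defaults to /var/lib/ssl as on the page but can be overridden for a dry run in a scratch directory; the C/ST/L subject fields and the 90-day validity of the temporary certificate are assumed values.

```shell
#!/bin/bash
# Added example, not from the original page: wraps the key, CSR, temporary
# certificate and symlink steps in functions and checks that all three files
# carry the same public key. Assumptions: SSL_DIR may be overridden for
# testing; subject C/ST/L fields and the 90-day temp validity are placeholders.
set -eu

SSL_DIR="${SSL_DIR:-/var/lib/ssl}"
ORG="Massachusetts Institute of Technology"

# Step 1: directory layout. private/ holds an unencrypted key, so mode 700.
make_ssl_dirs() {
    mkdir -p "$SSL_DIR/certs" "$SSL_DIR/private"
    chmod 700 "$SSL_DIR/private"
}

# Step 3: 2048-bit RSA key. Modern OpenSSL seeds from the OS CSPRNG, so the
# page's -rand file is not needed; umask 077 keeps the key file private.
make_key() {
    local host="$1"
    ( umask 077; openssl genrsa -out "$SSL_DIR/private/${host}-key.pem" 2048 2>/dev/null )
}

# Step 4: CSR with O and CN set non-interactively (CN is the FQDN the CA must see).
make_csr() {
    local host="$1"
    openssl req -new -key "$SSL_DIR/private/${host}-key.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=${ORG}/CN=${host}" \
        -out "$SSL_DIR/certs/${host}-req.pem"
}

# Step 5: temporary self-signed cert. -days is explicit because req -x509
# defaults to 30 days.
make_temp_cert() {
    local host="$1"
    openssl req -new -x509 -days 90 -key "$SSL_DIR/private/${host}-key.pem" \
        -subj "/O=${ORG}/CN=${host}" \
        -out "$SSL_DIR/certs/${host}-temp-cert.pem"
}

# Step 7: the symlinks Apache reads; -f so re-running (e.g. to swap the temp
# cert for the issued one) replaces them.
make_symlinks() {
    local host="$1" cert="$2"
    ln -sf "$cert" "$SSL_DIR/certs/host-cert.pem"
    ln -sf "$SSL_DIR/private/${host}-key.pem" "$SSL_DIR/private/host-key.pem"
}

# SHA-256 of the DER-encoded public key extracted from a key, CSR or cert.
pubkey_digest() {
    case "$1" in
        *-key.pem) openssl rsa -in "$1" -pubout 2>/dev/null ;;
        *-req.pem) openssl req -in "$1" -pubkey -noout ;;
        *)         openssl x509 -in "$1" -pubkey -noout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True when two files (any mix of key, CSR, cert) contain the same public key.
key_matches() {
    local a b
    a=$(pubkey_digest "$1")
    b=$(pubkey_digest "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject CN of a CSR, as the CA will read it (handles old and new subject formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run steps 1, 3, 4, 5 and 7 for one host and verify the key material agrees.
provision() {
    local host="$1"
    make_ssl_dirs
    make_key "$host"
    make_csr "$host"
    make_temp_cert "$host"
    make_symlinks "$host" "$SSL_DIR/certs/${host}-temp-cert.pem"
    key_matches "$SSL_DIR/private/${host}-key.pem" "$SSL_DIR/certs/${host}-req.pem"
    key_matches "$SSL_DIR/private/${host}-key.pem" "$SSL_DIR/certs/host-cert.pem"
}

# Usage: SSL_DIR=/tmp/ssl-test bash provision.sh www.example.mit.edu
if [ $# -gt 0 ]; then
    provision "$1"
fi
```

When the certificate from MIT Certificates arrives, save it as ${host}-cert.pem, run key_matches against the key file, and call make_symlinks with the issued certificate path; if the digests differ the certificate was issued for a different key and must not be installed.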