...
- Check that the SSL directories are there, and cd to them.
Code Block
    ls -l /var/lib/ssl
    cd /var/lib/ssl
- If they are not there, create them (the private directory should be readable only by root):
Code Block
    mkdir /var/lib/ssl
    mkdir /var/lib/ssl/certs
    mkdir /var/lib/ssl/private
    chmod 700 /var/lib/ssl/private
    cd /var/lib/ssl
- Generate the RSA key
- The ps output in /tmp/foo is only used as extra seed material for the random number generator. Use at least a 2048-bit key; MIT Certificates and public CAs no longer accept 1024-bit keys. Keep the key file mode 0600.
Code Block
    ps > /tmp/foo
    ps -elf >> /tmp/foo
    cd /var/lib/ssl
    openssl genrsa -rand /tmp/foo 2048 > /var/lib/ssl/private/`hostname`-key.pem
    chmod 600 /var/lib/ssl/private/`hostname`-key.pem
- Generate request for a certificate
Code Block
    cd /var/lib/ssl/
    openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new \
        > /var/lib/ssl/certs/`hostname`-req.pem
- Input the requested information.
Please be aware that the organization (O) is "Massachusetts Institute of Technology" and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu. Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for *.`hostname`, and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
- Send the cert request file to mitcert@mit.edu
Code Block
    cat `hostname`-req.pem | mail -s "Cert request for `hostname`" -c map-support@mit.edu mitcert@mit.edu
- To generate a self-signed temporary certificate, add the -x509 and -nodes options to the openssl command line. Browsers will warn about this certificate; it is only a placeholder until the MIT-issued one arrives.
Code Block
    cd /var/lib/ssl
    openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new -x509 -nodes \
        > /var/lib/ssl/certs/`hostname`-temp-cert.pem
- When you receive a certificate from MIT Certificates, save it as:
Code Block
    /var/lib/ssl/certs/`hostname`-cert.pem
- Create the symlinks that will allow Apache to function correctly.
Code Block
    ln -s /var/lib/ssl/certs/`hostname`-cert.pem /var/lib/ssl/certs/host-cert.pem
    ln -s /var/lib/ssl/private/`hostname`-key.pem /var/lib/ssl/private/host-key.pem
- You can use the self-signed cert while waiting for the official one by symlinking it. When the official certificate arrives, replace the link (ln -sf, or remove it first) so host-cert.pem points at `hostname`-cert.pem, and check that the certificate matches the key before restarting Apache.
Code Block
    ln -s /var/lib/ssl/certs/`hostname`-temp-cert.pem /var/lib/ssl/certs/host-cert.pem
- Commands to view cert information (these examples read the copies kept in AFS; substitute the /var/lib/ssl paths to check the files on the server itself):
- to look at a request:
Code Block
    openssl req -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-req.pem -text
- to look at the private key:
Code Block
    openssl rsa -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -text
- to look at the server certificate:
Code Block
    openssl x509 -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem -text
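The whole procedure above, run end to end as an added example (this script is not part of the original page and is not MIT's tooling). It assumes openssl is on the PATH, writes into a scratch directory instead of /var/lib/ssl so it does not need root, uses the placeholder hostname example-host.mit.edu, and fills the request subject non-interactively with -subj instead of answering the prompts. It goes one step beyond the page by checking that the key and the linked certificate actually belong together, which is the check to run before Apache is restarted with a newly received certificate.

```shell
#!/bin/sh
# Added example: key, CSR, temporary self-signed cert, host-* symlinks, and a
# key/cert consistency check. Directory and hostname are assumptions, not the
# production /var/lib/ssl layout.
set -eu

ORG="Massachusetts Institute of Technology"

# Directory layout the page expects: certs/ for public material, private/ for keys.
setup_ssl_dirs() {
    mkdir -p "$1/certs" "$1/private"
    chmod 700 "$1/private"          # private keys must not be readable by others
}

# 2048-bit RSA key (1024 is no longer accepted by CAs), mode 0600.
gen_key() {
    openssl genrsa -out "$1/private/$2-key.pem" 2048 2>/dev/null
    chmod 600 "$1/private/$2-key.pem"
}

# Certificate request: O is MIT, CN is the server's full hostname.
gen_csr() {
    openssl req -new -key "$1/private/$2-key.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=$ORG/CN=$2" \
        -out "$1/certs/$2-req.pem"
}

# Temporary self-signed certificate: same subject, -x509 and -nodes as on the page.
gen_temp_cert() {
    openssl req -new -x509 -nodes -days 30 -key "$1/private/$2-key.pem" \
        -subj "/C=US/ST=Massachusetts/L=Cambridge/O=$ORG/CN=$2" \
        -out "$1/certs/$2-temp-cert.pem"
}

# Point host-cert.pem / host-key.pem at the given cert file. -f lets the link be
# re-pointed from the temporary cert to the official one without removing it first.
link_host_files() {
    ln -sf "$1/certs/$3" "$1/certs/host-cert.pem"
    ln -sf "$1/private/$2-key.pem" "$1/private/host-key.pem"
}

# Returns 0 when the public key inside host-cert.pem matches host-key.pem.
# A mismatch here is the usual cause of Apache refusing to start after a cert swap.
key_matches_cert() {
    k=$(openssl pkey -in "$1/private/host-key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/certs/host-cert.pem" -pubkey -noout)
    [ "$k" = "$c" ]
}

# CN of the linked certificate, the name browsers will compare against the URL.
cert_cn() {
    openssl x509 -in "$1/certs/host-cert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Run every step for directory $1 and hostname $2; exits non-zero on any failure.
run_all() {
    setup_ssl_dirs "$1"
    gen_key "$1" "$2"
    gen_csr "$1" "$2"
    gen_temp_cert "$1" "$2"
    link_host_files "$1" "$2" "$2-temp-cert.pem"
    key_matches_cert "$1"
}

# Usage: sh gen-cert.sh [SSL_DIR] [HOST]  (defaults: scratch dir, placeholder host)
SSL_DIR=${1:-$(mktemp -d)}
HOST=${2:-example-host.mit.edu}
run_all "$SSL_DIR" "$HOST"
echo "key, request and temporary cert for $(cert_cn "$SSL_DIR") are in $SSL_DIR"
```

When the official certificate arrives, drop it in as `hostname`-cert.pem, call link_host_files with that file name, and run key_matches_cert again before reloading Apache; the request file can be inspected with openssl req -in ... -noout -text -verify, which also checks the CSR's self-signature.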