Note: This document assumes access to the AMIT definitive software library Private area. If you do not have access to this AFS locker, then you will be able to create SSL certs with these instructions, but not store them in the AMIT library.
Note: Radmind should create the SSL directories and install the CA on the host to be configured.
openssl version
python
import pexpect
[ctrl-D]
scp dracus@athena.dialup.mit.edu:/afs/athena.mit.edu/project/amit-dsl/Public/common-init/ssl-certgen.py /usr/local/bin

/usr/local/bin/ssl-certgen.py --help
/usr/local/bin/ssl-certgen.py --cname [some hostname] --certdir /home/dracus/tmp/certs --privdir /home/dracus/tmp/private

ln -s /var/lib/ssl/certs/`hostname`-temp-cert.pem /var/lib/ssl/certs/host-cert.pem
ln -s /var/lib/ssl/private/`hostname`-key.pem /var/lib/ssl/private/host-key.pem

ls -l /var/lib/ssl
cd /var/lib/ssl

mkdir /var/lib/ssl
mkdir /var/lib/ssl/certs
mkdir /var/lib/ssl/private
cd /var/lib/ssl

ps > /tmp/foo
ps -elf >> /tmp/foo
cd /var/lib/ssl
openssl genrsa -rand /tmp/foo 1024 > /var/lib/ssl/private/`hostname`-key.pem

cd /var/lib/ssl/
openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new \
    > /var/lib/ssl/certs/`hostname`-req.pem
Please be aware that the organization (O) is "Massachusetts Institute of Technology" and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu.

Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for *.`hostname`, and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
cat `hostname`-req.pem | mail -s "Cert request for rolesapp-test.mit.edu" -c map-support@mit.edu mitcert@mit.edu

cd /var/lib/ssl
openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new -x509 -nodes > /var/lib/ssl/certs/`hostname`-temp-cert.pem

/var/lib/ssl/certs/`hostname`-cert.pem
# host-cert.pem already points at the temporary self-signed cert at this point, so
# use -f to replace the existing symlink (plain ln -s fails with "File exists").
ln -sf /var/lib/ssl/certs/`hostname`-cert.pem /var/lib/ssl/certs/host-cert.pem
ln -sf /var/lib/ssl/private/`hostname`-key.pem /var/lib/ssl/private/host-key.pem

# To fall back to the temporary self-signed cert:
ln -sf /var/lib/ssl/certs/`hostname`-temp-cert.pem /var/lib/ssl/certs/host-cert.pem
openssl req -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-req.pem -text
openssl rsa -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -text
openssl x509 -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem -text
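The steps above (key generation, CSR with the MIT subject rules, temporary self-signed cert, inspection of the stored files) are collected here as one script. This is an added example, not the ssl-certgen.py tool from the AMIT library nor any code from the original page. It assumes openssl is in PATH and takes the SSL directory as a parameter (default /var/lib/ssl) so it can be exercised in a scratch directory; the 2048-bit key size is a choice made here, not the page's 1024. It adds one check the page only implies with its -text inspection commands: before anything is symlinked or mailed, the key, the CSR and the certificate are compared by RSA modulus, which catches a key and certificate that do not belong together (for example after a key was regenerated while an old CSR was still in flight).

```shell
#!/bin/sh
# Added example (not from the original how-to): build a host key and CSR with
# the subject rules stated on the page (O = Massachusetts Institute of
# Technology, CN = full hostname, wildcard CN for Thalia-style subdomain hosts),
# make a temporary self-signed cert, and verify that key, CSR and cert share
# one RSA modulus. Assumes openssl in PATH; ssl directory is a parameter.

MIT_ORG="Massachusetts Institute of Technology"

# cert_subject HOST [wildcard]
# Prints the -subj string. With "wildcard", CN becomes *.HOST (Thalia servers).
cert_subject() {
    host=$1
    cn=$host
    [ "${2:-}" = "wildcard" ] && cn="*.$host"
    printf '/O=%s/CN=%s' "$MIT_ORG" "$cn"
}

# modulus_fingerprint TYPE FILE   (TYPE = rsa | req | x509)
# Prints an MD5 of the RSA modulus so key, CSR and cert can be compared.
modulus_fingerprint() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# make_host_certs SSLDIR HOST [wildcard]
# Creates SSLDIR/private/HOST-key.pem, SSLDIR/certs/HOST-req.pem and a 30-day
# self-signed SSLDIR/certs/HOST-temp-cert.pem to use until the CA-issued
# certificate comes back.
make_host_certs() {
    ssldir=$1; host=$2; mode=${3:-}
    mkdir -p "$ssldir/certs" "$ssldir/private" || return 1
    chmod 700 "$ssldir/private"
    key="$ssldir/private/$host-key.pem"
    req="$ssldir/certs/$host-req.pem"
    tmpcert="$ssldir/certs/$host-temp-cert.pem"
    subj=$(cert_subject "$host" "$mode")
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod 600 "$key"
    openssl req -new -key "$key" -subj "$subj" -out "$req" || return 1
    openssl req -new -x509 -days 30 -key "$key" -subj "$subj" -out "$tmpcert" || return 1
}

# verify_host_certs SSLDIR HOST [CERTFILE]
# Returns 0 only if the private key, the CSR and the certificate (the temp one
# by default, or the CA-issued one once installed) carry the same modulus.
verify_host_certs() {
    ssldir=$1; host=$2
    cert=${3:-$ssldir/certs/$host-temp-cert.pem}
    k=$(modulus_fingerprint rsa "$ssldir/private/$host-key.pem")
    r=$(modulus_fingerprint req "$ssldir/certs/$host-req.pem")
    c=$(modulus_fingerprint x509 "$cert")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Command-line use:  sh mit-certgen.sh SSLDIR HOST [wildcard]
#   sh mit-certgen.sh /var/lib/ssl "$(hostname)"            # ordinary host
#   sh mit-certgen.sh /var/lib/ssl "$(hostname)" wildcard   # Thalia server
if [ "$#" -ge 2 ]; then
    make_host_certs "$@" && verify_host_certs "$1" "$2" \
        && echo "key, CSR and temp cert agree: $1/certs/$2-req.pem is ready to send"
fi
```

Once the CA-issued certificate has been installed as `hostname`-cert.pem, run verify_host_certs again with that file as the third argument; a mismatch there means the wrong certificate (or a regenerated key) was installed and the host-cert.pem symlink should not be switched over yet.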