Note:  This document assumes access to the AMIT definitive software library Private area.  If you do not have access to this AFS locker, then you will be able to create SSL certs with these instructions, but not store them in the AMIT library.

Note:  RadminD should create the SSL directories and install the CA on the host to be configured.
# On a machine with AFS installed and running, go to the AMIT DSL directory.  Alternatively, log into athena.dialup.mit.edu first.
{code}
cd /afs/athena.mit.edu/project/amit-dsl
cd Private/ssl-certs
{code}
# Set the temporary hostname variable to be the hostname of the system you are creating certs for.
{code}
hostname=[HOSTNAME]
{code}
# Create a directory for your host machine.
{code}
mkdir ${hostname}
cd ${hostname}
{code}
# Generate the RSA key
#* The ps output written to /tmp/foo is only used as extra seed data for OpenSSL's random number generator (the rand option):
{code}
ps > /tmp/foo
ps -elf >> /tmp/foo
cd /var/lib/ssl
openssl genrsa -rand /tmp/foo 1024 > /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem
{code}
# Generate request for a certificate
{code}
cd /var/lib/ssl/
openssl req -key /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -new \
   > /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-req.pem
{code}
#* Send the certificate request file to mitcert@mit.edu.
{code}
Please be aware, the organization (O) is:
Massachusetts Institute of Technology
and the common name (CN) is the name of the server or
service, including the domain name (.mit.edu).  Also, some servers, such
as Thalia servers, can represent an entire subdomain.  These servers
will need certificates issued with a wildcard in the domain name, such
as *.isda-thalia-1.mit.edu.

Remember, if the server is a Thalia server, it will need a wildcard
certificate and DNS record for *.`hostname`, and if it is doing any type of
authentication, it will need a joint client/server certificate to be able
to connect to the Shibboleth server (and have end users connect to it as
well).
{code}
# To generate a self-signed temporary certificate, add the x509 and nodes options to the openssl command line.
{code}
cd /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs
openssl req -key /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -new \
   -x509 -nodes > /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-temp-cert.pem
{code}
# When you receive a certificate from MIT Certificates, save it as /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem
# Commands to view cert information:
#* to look at a request:
{code}
openssl req -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-req.pem -text
{code}
#* to look at the private key:
{code}
openssl rsa -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -text
{code}
#* to look at the server certificate:
{code}
openssl x509 -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem -text
{code}
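
Before installing the files, it is worth confirming that host-key.pem, host-req.pem and the certificate all carry the same public key and that the certificate matches the host name, including the wildcard case mentioned above. The script below is an added example, not part of the original instructions; the function names, the scratch directory, the example.test host names and the 2048-bit sample key are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks for one host's certificate directory,
# using the file names from this page. Sample data below is constructed.

# Print the RSA modulus of a key, request or certificate file.
modulus() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -in "$2" -noout -modulus 2>/dev/null
}

# Succeed only if key, request and certificate share one public key
# and the certificate matches the expected host name.
check_cert_set() {  # $1 = directory, $2 = cert file name, $3 = host name
    k=$(modulus rsa "$1/host-key.pem") || return 1
    r=$(modulus req "$1/host-req.pem") || return 1
    c=$(modulus x509 "$1/$2") || return 1
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    # -checkhost applies wildcard rules and falls back to the CN when
    # the certificate has no subjectAltName.
    openssl x509 -in "$1/$2" -noout -checkhost "$3" | grep -q 'does match'
}

# Build a constructed sample set (key, request, self-signed temporary cert).
make_sample() {  # $1 = directory, $2 = common name
    openssl genrsa -out "$1/host-key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/host-key.pem" \
        -subj "/O=Example Org/CN=$2" -out "$1/host-req.pem"
    openssl req -new -x509 -days 30 -key "$1/host-key.pem" \
        -subj "/O=Example Org/CN=$2" -out "$1/host-temp-cert.pem"
}

# Demonstration on a scratch directory with a constructed host name.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" "host1.example.test"
if check_cert_set "$demo_dir" host-temp-cert.pem host1.example.test; then
    echo "key, request and certificate are consistent"
else
    echo "MISMATCH: do not install these files"
fi
rm -rf "$demo_dir"
```

For a real host, call check_cert_set with the host's directory under ssl-certs, the certificate file name (host-cert.pem or host-temp-cert.pem) and the name clients will connect to.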