Note: This document assumes access to the AMIT definitive software library Private area. If you do not have access to this AFS locker, then you will be able to create SSL certs with these instructions, but not store them in the AMIT library.
Note: RadminD should create the SSL directories and install the CA on the host to be configured.
- There are now 2 ways of doing this. The old, by hand method, and the new pexpect script.
- To use the pexpect script to setup certs, first check that openssl, python, and pexpect are installed.
openssl version python import pexcept [ctrl-D]
- If those works, and the reported versions of OpenSSL is above 0.9.8, and Python is above 2.2, you can continue with this method.
- If pexpect is not installed, it is available in the AMIT DSL, or from the authors website.
- Generally, it is better to run this script from a local system, and use scp to put the certs into place.
- Install the ssl-certgen.py script, if not done already.
scp dracus@athena.dialup.mit.edu:/afs/athena.mit.edu/project/amit-dsl/Public/common-init/ssl-certgen.py /usr/local/bin
- Running it as is will create cert requests for the local hostname, and store everything in '/var/lib/ssl'. Use '-cname' to set the hostname in the cert, 'certdir' to set the directory that cert requests are stored into, and 'privdir' to set the directory that private keys go into. For help, use '-help'.
/usr/local/bin/ssl-certgen.py --help /usr/local/bin/ssl-certgen.py --cname [some hostname] --certdir /home/dracus/tmp/certs --privdir /home/dracus/tmp/private
- This will generate a private key, a self-signed temporary cert, and a cert request, and email the cert requset to 'mitcert@mit.edu'.
- Create symbolic links to the key and temporary cert to get Apache to work with the standard config.
ln -s /var/lib/ssl/certs/`hostname`-temp-cert.pem /var/lib/ssl/certs/host-cert.pem ln -s /var/lib/ssl/private/`hostname`-key.pem /var/lib/ssl/private/host-key.pem
- To use the pexpect script to setup certs, first check that openssl, python, and pexpect are installed.
- The old, by hand method also works.
- Check that the SSL directories are there, and cd to them.
ls -l /var/lib/ssl cd /var/lib/ssl
- If there are not there, create them.
mkdir /var/lib/ssl mkdir /var/lib/ssl/certs mkdir /var/lib/ssl/private cd /var/lib/ssl
- If there are not there, create them.
- Generate rsa key
- This simply generates some random stuff:
ps > /tmp/foo ps -elf >> /tmp/foo cd /var/lib/ssl openssl genrsa -rand /tmp/foo 1024 > /var/lib/ssl/private/`hostname`-key.pem
- This simply generates some random stuff:
- Generate request for a certificate
cd /var/lib/ssl/ openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new \ > /var/lib/ssl/certs/`hostname`-req.pem
- Input the requested information.
Please be aware, the organization (O) is: Massachusetts Institute of Technology and the common name (CN) is the name of the server or service, including the domain name (.mit.edu). Also, some servers, such as Thalia servers, can represent an entire subdomain. These servers will need certificates issued with a wildcard in the domain name, such as *.isda-thalia-1.mit.edu. Remember, if the server is a Thalia server, it will need a wildcard certificate and DNS record for *.`hostname`, and if it is doing any type of authentication, it will need a joint client/server certificate to be able to connect to the Shibboleth server (and have end users connect to it as well).
- Input the requested information.
- Send the cert request file to mitcert@mit.edu
cat `hostname`-req.pem | mail -s "Cert request for rolesapp-test.mit.edu" -c map-support@mit.edu mitcert@mit.edu
- To generate a self signed temporary certificate, add the x509 and nodes options to the openssl command line.
cd /var/lib/ssl openssl req -key /var/lib/ssl/private/`hostname`-key.pem -new -x509 -nodes > /var/lib/ssl/certs/`hostname`-temp-cert.pem
- When you receive a certificate from MIT Certificates, save it as:
/var/lib/ssl/certs/`hostname`-cert.pem
- Create the symlinks that will allow Apache to function correctly.
ln -s /var/lib/ssl/certs/`hostname`-cert.pem /var/lib/ssl/certs/host-cert.pem ln -s /var/lib/ssl/private/`hostname`-key.pem /var/lib/ssl/private/host-key.pem
- You can use the self signed cert while waiting for the official one by symlinking it.
ln -s /var/lib/ssl/certs/`hostname`-temp-cert.pem /var/lib/ssl/certs/host-cert.pem
- You can use the self signed cert while waiting for the official one by symlinking it.
- Check that the SSL directories are there, and cd to them.
- Commands to view cert information:
- to look at a request:
openssl req -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname} /host-req.pem \-text - to look at the private key:
openssl rsa -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-key.pem -text - to look at the server certificate:
openssl x509 -in /afs/athena.mit.edu/project/amit-dsl/Private/ssl-certs/${hostname}/host-cert.pem -text
- to look at a request: