ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network
- Code: Select all
This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.
The original post can be found here:
Here are some quick-n-dirty instructions on how to sign a certificate request generated from something like IIS using only OpenSSL on Linux (or some other UNIX variant).
1. Setup a minimal Certificate Authority (CA) configuration on the Linux system. You only have to do this step once.
Create a minimal OpenSSL CA configuration file and save it as “ca.conf”:
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./ca
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Create the CA database directory:
Generate a 1024-bit RSA private key for the CA:
openssl genrsa -des3 -out ca/ca.key 1024
Create a self-signed X509 certificate for the CA:
openssl req -new -x509 -days 10000 -key ca/ca.key -out ca/ca.crt
2. Generate a certificate request. In IIS, you can accomplish this by opening the web site properties, under the “Directory Security” tab, click the “Server Certificate” button. This will launch a wizard to generate a new certificate request. It is pretty standard to use the server’s hostname as the certificate name and to use a key length of at least 1024 bits. Copy the resulting file to the the CA system. Apache or other services can use the OpenSSL utilities to generate a certificate request, but thats another e-mail.
3. Sign the certificate request.
Issue the following command to generate a signed certifcate from the certificate request. This example assumes that the certificate request is in the current directory as “certificate-request.txt” and that the resulting certificate will be “certificate.pem.crt”.
openssl ca -config ca.conf -notext -out certificate.pem.crt -infiles certificate-request.txt
Now you may install the newly-signed certificate on the target system (IIS, Apache, or whatever). Note that clients (like Internet Explorer) connecting to the target system with this new cert will likely complain that they don’t trust the signing CA. To get rid of this dialog, you can load this CA’s certificate into a browser’s list of trusted CAs.
I hope this helps!