Difference between revisions of "Custom CA Certificate"
From SME Server
Jump to navigationJump to searchm |
Unnilennium (talk | contribs) |
||
| Line 20: | Line 20: | ||
use esmith::DomainsDB; | use esmith::DomainsDB; | ||
| + | # variable to edit | ||
| + | my keycrypt = 2048; | ||
| + | my KEYLIFEINDAYS = 730; | ||
| + | my COUNTRYCODE = US; ## <====== change to your country code ! | ||
| + | # end of modifications | ||
| + | |||
my $config = esmith::ConfigDB->open; | my $config = esmith::ConfigDB->open; | ||
my $domainsdb = esmith::DomainsDB->open_ro; | my $domainsdb = esmith::DomainsDB->open_ro; | ||
| Line 30: | Line 36: | ||
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!"; | open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!"; | ||
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n"; | print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n"; | ||
| − | print CONFIG "[ req ]\ndefault_bits = | + | print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n"; |
# if you need a SHA1 csr, uncomment the following row | # if you need a SHA1 csr, uncomment the following row | ||
#print CONFIG "default_md = sha1\n"; | #print CONFIG "default_md = sha1\n"; | ||
print CONFIG "req_extensions = v3_req\nprompt = no\n\n"; | print CONFIG "req_extensions = v3_req\nprompt = no\n\n"; | ||
| − | print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n"; | + | print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n"; |
| + | print CONFIG "countryName = $COUNTRYCODE\n"; | ||
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n"; | print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n"; | ||
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains; | print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains; | ||
| Line 59: | Line 66: | ||
/proc/uptime | /proc/uptime | ||
)), | )), | ||
| − | + | $keycrypt) | |
|| die "can't exec program: $!"; | || die "can't exec program: $!"; | ||
} | } | ||
| Line 76: | Line 83: | ||
qw(req -config), "$domains[0].config", | qw(req -config), "$domains[0].config", | ||
qw(-new -key), "$domains[0].key", | qw(-new -key), "$domains[0].key", | ||
| − | qw(-days | + | qw(-days $KEYLIFEINDAYS -set_serial), time()) |
|| die "can't exec program: $!"; | || die "can't exec program: $!"; | ||
} | } | ||
| Line 90: | Line 97: | ||
*Change permissions | *Change permissions | ||
chmod u+x cacert_csr_request | chmod u+x cacert_csr_request | ||
| + | |||
| + | * change the variable values you need ! | ||
*Execute the file | *Execute the file | ||
| Line 95: | Line 104: | ||
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com. | From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com. | ||
| + | |||
| + | == footnotes== | ||
| + | |||
| + | this script is helpfull but incomplete. Some configuratiosn info are missing in order to obtain a cert from some CA authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the informations must are missing in the smeserver database like countrycode ... | ||
== obtain .crt file from cacert== | == obtain .crt file from cacert== | ||
Revision as of 23:34, 4 January 2011
Extracted from: http://forums.contribs.org/index.php?topic=34624.0
Author: slords
updated: unnilennium (http://bugs.contribs.org/show_bug.cgi?id=1370)
creating .csr and .key files
As root do the following:
mkdir ~/cacert cd ~/cacert
Make a file named cacert_csr_request
#!/usr/bin/perl use strict; use esmith::util; use esmith::ConfigDB; use esmith::DomainsDB; # variable to edit my keycrypt = 2048; my KEYLIFEINDAYS = 730; my COUNTRYCODE = US; ## <====== change to your country code ! # end of modifications
my $config = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;
my @domains = ($domain, keys %domain_names);
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
# if you need a SHA1 csr, uncomment the following row
#print CONFIG "default_md = sha1\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
print CONFIG "countryName = $COUNTRYCODE\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";
unless ( -f "$domains[0].key" )
{
open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
unless (open(SSL,"-|"))
{
exec("/usr/bin/openssl",
qw(genrsa -rand),
join(':',
qw(
/proc/apm
/proc/cpuinfo
/proc/dma
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/bus/pci/devices
/proc/rtc
/proc/uptime
)),
$keycrypt)
|| die "can't exec program: $!";
}
while (<SSL>)
{
print KEY $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(KEY) or die "Closing key file reported: $!";
}
open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
exec("/usr/bin/openssl",
qw(req -config), "$domains[0].config",
qw(-new -key), "$domains[0].key",
qw(-days $KEYLIFEINDAYS -set_serial), time())
|| die "can't exec program: $!";
}
while (<SSL>)
{
print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";
- Change permissions
chmod u+x cacert_csr_request
- change the variable values you need !
- Execute the file
./cacert_csr_request
From here replace the {domain} tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
footnotes
this script is helpfull but incomplete. Some configuratiosn info are missing in order to obtain a cert from some CA authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the informations must are missing in the smeserver database like countrycode ...
obtain .crt file from cacert
- Paste the output into the cacert.org website and get your certificate
cat {domain}.csr
configuring your sme with your new certificate
Then save your CA certificate in a file named ~/cacert/{domain}.crt
- Copy to final location
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
cp {domain}.key /home/e-smith/ssl.key/{domain}.key
- Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
- and apply the changes
signal-event post-upgrade signal-event reboot
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
