Mike Leone on 29 Oct 2010 08:22:00 -0700



[PLUG] Issue and self-sign internal certificates


I need to issue self-signed certificates for the various webservers in my organization to use (for internal use only). And I'm confused by the documentation and examples.

Using Ubuntu 9.10

So I created a new Certificate Authority, by following
<https://help.ubuntu.com/community/OpenSSL/>. And so I did a

openssl req -x509 -newkey rsa:2048 -out Internal-CA-cert.pem -outform PEM -days 3650

And so I now have a cert and private key (called Internal-CA-Private-Key.pem, so I know at a glance what it is :-) for my new CA. And I've modified the openssl.cnf "CA_default" section to use those names

certificate = $dir/Internal-CA-cert.pem
private_key = $dir/private/Internal-CA-Private-Key.pem

At this point, I should be able to process cert requests from my webservers (all of which run Windows, and use WebLogic as a webserver), and issue them signed certs. So here's where I am confused.

I know there is the CA.pl utility I can use to do this, by just "CA.pl -sign". Quick and simple, just the way I like 'em. But how/where do I specify the request file name? It seems to expect the request to be in a file called "newreq.pem" (not that I see that in the documentation, but it only works if the file is that name).

And I want it to prompt me for the name, rather than forcing me to rename each request file to be "newreq.pem", so I can track which servers I've processed requests from. And I want to be prompted for the cert name to save, for the same reason - I don't want to be renaming "newcert.pem" each time.

I can't seem to figure out what I need to change, in order to be prompted for the cert request name, and for the signed certificate name. Do I need to be editing CA.pl or something?

I'm doing this from a VM that only has a command line environment, not GUI, otherwise I thought about using TinyCA.

Thoughts/suggestions?

--
Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Network apparatchik and all-around drudge.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
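The procedure in the post (a self-signed internal CA in a CA_default section, then signing per-server requests) can be driven without CA.pl at all: `openssl ca` takes the request and certificate file names directly through `-in` and `-out`, so each server keeps its own named request and certificate. The script below is an added example, not the poster's setup or anything from the Ubuntu wiki page; it assumes an `openssl` binary on the PATH, builds the CA under a temporary directory with a constructed minimal config, and uses placeholder host names (web1.internal, web2.internal). The CA and key file names are the ones from the post.

```shell
#!/bin/sh
# Added example: sign named CSRs with `openssl ca` instead of CA.pl -sign.
# Everything lives under a temp dir; host names and config are constructed.
set -e

# Lay out what `openssl ca` expects: an index database, a serial counter,
# a directory for issued certs, and a config whose CA_default section names
# the same certificate/private_key files as the post.
make_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/Internal-CA-cert.pem
private_key      = \$dir/private/Internal-CA-Private-Key.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Internal CA
EOF
  # Self-signed CA cert. -nodes leaves the key unencrypted only so this demo
  # runs unattended; a real CA key should be passphrase-protected (drop -nodes).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/private/Internal-CA-Private-Key.pem" \
    -out "$dir/Internal-CA-cert.pem" 2>/dev/null
}

# Webserver side (simulated): a key and a CSR named after the host.
make_csr() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/openssl.cnf" -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
}

# CA side: -in / -out are the explicit file names CA.pl -sign hides behind
# newreq.pem / newcert.pem. -batch skips the interactive y/n prompt.
sign_csr() {
  dir="$1"; req="$2"; cert="$3"
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$req" -out "$cert" 2>/dev/null
}

# Check the issued cert chains to the CA, then print its subject.
verify_cert() {
  dir="$1"; cert="$2"
  openssl verify -CAfile "$dir/Internal-CA-cert.pem" "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -subject
}

# Usage: process two hosts, keeping per-host file names so it is obvious
# from the directory listing which servers have already been issued certs.
demo() {
  ca=$(mktemp -d)
  make_ca "$ca"
  for h in web1.internal web2.internal; do
    make_csr "$ca" "$h"
    sign_csr "$ca" "$ca/$h.csr" "$ca/$h.crt"
    verify_cert "$ca" "$ca/$h.crt"
  done
  echo "$ca"
}
```

The index.txt database is what gives you the tracking the post asks for: every issued certificate is appended there with its serial and subject, so `cat index.txt` shows which servers have been processed even if the .csr files are later moved away.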