Gordon Dexter on 29 Oct 2010 22:49:09 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Issue and self-sign internal certificates

Yes, you would need to edit CA.pl, or CA.sh if you're more comfortable with bash than perl.  For either language it should be pretty trivial to modify it to interactively request a filename, or take one via a command line argument.  In 9.10 CA.pl and CA.sh are in /usr/lib/ssl/misc but although they were included with the distribution they're not really finished tools; they're more stub scripts that you can modify to your liking assuming you know bash or perl.

Of course you don't necessarily have to use a command line tool.  There's a PHP-based project that lets you set up a CA and sign requests here: http://sourceforge.net/projects/php-ca/ and although it's not quite a finished product either it's closer to a user-friendly GUI-based CA.  That's just the one I've used recently; there's another one I noticed called PHPKI and I assume there are other options as well.


On Fri, Oct 29, 2010 at 11:21 AM, Mike Leone <turgon@mike-leone.com> wrote:
I'm need to issue self-signed certificates for the various webservers in my organization to use (for internal use only). And I'm confused by the documentation and examples.

Using Ubuntu 9.10

So I created a new Certificate Authority, by following
<https://help.ubuntu.com/community/OpenSSL/>. And so I did a

openssl req -x509 -newkey rsa:2048 -out Internal-CA-cert.pem -outform PEM -days 3650

And so I now have a cert and private key (called Internal-CA-Private-Key.pem, so I know at a glance what it is :-) for my new CA.  And I've modified the openssl.cnf "CA_default" section to use those names

certificate = $dir/Internal-CA-cert.pem
private_key = $dir/private/Internal-CA-Private-Key.pem

At this point, I should be able to process cert requests from my webservers (all of which run Windows, and use WebLogic as a webserver), and issue them signed certs. So here's where I am confused.

I know there is the CA.pl utility I can use to this, by just "CA.pl -sign". Quick and simple, just the way I like'em. But how/where do I specify the request file name? It seems to expect the request to be in a file called "newreq.pem" (not that I see that in the documentation, but it only works if the file is that name).

And I want it to prompt me for the name, rather than forcing me to rename each request file to be "newreq,pem", so I can track which servers I've processed requests from. And I want to be prompted for the cert name to save, for the same reason - I don't want to be renaming "newcert.pem" each time.

I can't seem to figure out what I need to change, in order to be prompted for the cert request name, and for the signed certificate name. Do I need to be editing CA.pl or something?

I'm doing this from a VM that only has a command line environment, not GUI, otherwise I thought about using TinyCA.


Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Network apparatchik and all-around drudge.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug