Re: [PLUG] Issue and self-sign internal certificates
Yes, you would need to edit CA.pl, or CA.sh if you're more comfortable with bash than perl. For either language it should be pretty trivial to modify it to interactively request a filename, or take one via a command line argument. In 9.10, CA.pl and CA.sh are in /usr/lib/ssl/misc, but although they were included with the distribution they're not really finished tools; they're more stub scripts that you can modify to your liking, assuming you know bash or perl.
Of course you don't necessarily have to use a command line tool. There's a PHP-based project that lets you set up a CA and sign requests here: http://sourceforge.net/projects/php-ca/ and although it's not quite a finished product either it's closer to a user-friendly GUI-based CA. That's just the one I've used recently; there's another one I noticed called PHPKI and I assume there are other options as well.
--Gordon
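The approach Gordon describes, written out as an added example (this is not code from Gordon's reply, from Mike's post, or from the CA.pl/CA.sh scripts): a small POSIX shell script whose sign_request function takes the request and certificate filenames as arguments and hands them to `openssl ca`, so nothing has to be renamed to newreq.pem or newcert.pem. The CA file names reuse the ones Mike chose; the CA subject "Example Internal CA", the server name web01.example.internal, and the function names write_ca_config, sign_request, cert_subject and demo_internal_ca are all made up for this example. demo_internal_ca builds a throwaway CA and request in a temporary directory purely so the script can be run end to end; against a real CA you would call sign_request with your own openssl.cnf and request file.

```shell
#!/bin/sh
# Added example, not from the thread: sign a CSR with an internal OpenSSL CA,
# naming the request and output files explicitly instead of relying on the
# fixed newreq.pem / newcert.pem that "CA.pl -sign" assumes.
set -eu

# Write an openssl.cnf for a CA rooted at $1 and create the files `openssl ca`
# insists on (database, serial, new_certs_dir). Paths are absolute so the
# config works no matter which directory you run from.
write_ca_config() {
  local dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"          # issued-cert database; must exist, may be empty
  echo 1000 > "$dir/serial"     # next serial number, in hex
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn

[ req_dn ]

# Extensions for the self-signed CA certificate (used via -extensions ca_ext).
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
certificate     = $dir/Internal-CA-cert.pem
private_key     = $dir/private/Internal-CA-Private-Key.pem
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
default_md      = sha256
default_days    = 825
policy          = policy_internal
x509_extensions = server_cert

# Only the CN is required; any other DN fields in the request are accepted.
[ policy_internal ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional

# Leaf certificate for a web server: explicitly not a CA, TLS server use only.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
EOF
}

# sign_request CONFIG REQUEST_FILE CERT_FILE
# Signs REQUEST_FILE with the CA described by CONFIG and writes CERT_FILE,
# then checks that the result actually chains to the CA certificate.
sign_request() {
  local config="$1" csr="$2" cert="$3" ca_cert
  [ -r "$csr" ] || { echo "cannot read request: $csr" >&2; return 1; }
  # Never clobber a certificate already issued under this name.
  [ ! -e "$cert" ] || { echo "refusing to overwrite: $cert" >&2; return 1; }
  openssl ca -config "$config" -batch -notext -in "$csr" -out "$cert" >/dev/null 2>&1
  ca_cert="$(dirname "$config")/Internal-CA-cert.pem"
  # Old openssl versions exit 0 even on a failed verify, so check the output.
  openssl verify -CAfile "$ca_cert" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Print a certificate's subject in RFC 2253 form, e.g. CN=web01.example.internal
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo: build a throwaway CA and one server request (both constructed here),
# sign the request, and print the subject of the issued certificate.
demo_internal_ca() {
  local dir
  dir="$(mktemp -d)"
  export RANDFILE="$dir/.rnd"   # keep OpenSSL 1.1.x from touching ~/.rnd
  write_ca_config "$dir"
  # The CA: same command shape as the original post, plus -subj so it runs
  # unattended and CA:TRUE extensions so clients accept it as an issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example Internal CA" \
    -keyout "$dir/private/Internal-CA-Private-Key.pem" \
    -out "$dir/Internal-CA-cert.pem" >/dev/null 2>&1
  # A request as a web server would submit it; its key never leaves that host.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=web01.example.internal" \
    -keyout "$dir/web01.key" -out "$dir/web01.csr" >/dev/null 2>&1
  sign_request "$dir/openssl.cnf" "$dir/web01.csr" "$dir/web01.crt"
  cert_subject "$dir/web01.crt"
  rm -rf "$dir"
}

demo_internal_ca
```

Because `openssl ca` appends a line to the `database` file (index.txt) for every certificate it issues, with the serial number, expiry and subject DN, the CA directory already records which servers' requests have been processed; naming the request and certificate files after the server, as sign_request allows, just makes that bookkeeping visible in the filesystem as well.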
On Fri, Oct 29, 2010 at 11:21 AM, Mike Leone <turgon@mike-leone.com> wrote:
I need to issue self-signed certificates for the various webservers in my organization to use (for internal use only). And I'm confused by the documentation and examples.
Using Ubuntu 9.10
So I created a new Certificate Authority, by following
<https://help.ubuntu.com/community/OpenSSL/>. And so I did a
openssl req -x509 -newkey rsa:2048 -out Internal-CA-cert.pem -outform PEM -days 3650
And so I now have a cert and private key (called Internal-CA-Private-Key.pem, so I know at a glance what it is :-) for my new CA. And I've modified the openssl.cnf "CA_default" section to use those names
certificate = $dir/Internal-CA-cert.pem
private_key = $dir/private/Internal-CA-Private-Key.pem
At this point, I should be able to process cert requests from my webservers (all of which run Windows, and use WebLogic as a webserver), and issue them signed certs. So here's where I am confused.
I know there is the CA.pl utility I can use to do this, by just "CA.pl -sign". Quick and simple, just the way I like 'em. But how/where do I specify the request file name? It seems to expect the request to be in a file called "newreq.pem" (not that I see that in the documentation, but it only works if the file is that name).
And I want it to prompt me for the name, rather than forcing me to rename each request file to be "newreq.pem", so I can track which servers I've processed requests from. And I want to be prompted for the cert name to save, for the same reason - I don't want to be renaming "newcert.pem" each time.
I can't seem to figure out what I need to change, in order to be prompted for the cert request name, and for the signed certificate name. Do I need to be editing CA.pl or something?
I'm doing this from a VM that only has a command line environment, not GUI, otherwise I thought about using TinyCA.
Thoughts/suggestions?
--
Michael J. Leone, <mailto:turgon@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
Network apparatchik and all-around drudge.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________