File: How_to_generate_SSL_keys.html

cherokee 0.7.2-4
<html>
<head>
    <title>How to generate SSL keys</title>
    <link href="media/css/documentation.css" type="text/css" rel="stylesheet" />
</head>

<body>
    
    
    <h1>How to generate SSL keys</h1>
    
    <div class="section" id="locate-ca-pl-or-ca-sh">
<h1>Locate CA.pl or CA.sh</h1>
<p>In Debian GNU/Linux they are located in /usr/lib/ssl/misc/.</p>
<p><tt class="docutils literal"><span class="pre">find</span> <span class="pre">/</span> <span class="pre">-iname</span> <span class="pre">CA.pl</span> <span class="pre">-print</span></tt> might help.</p>
</div>
<div class="section" id="create-a-new-ca">
<h1>Create a new CA</h1>
<pre class="literal-block">
$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create) &lt;press enter&gt;
Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
.......................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: &lt;type the secret phrase&gt;
Verifying - Enter PEM pass phrase: &lt;type the secret phrase again&gt;
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee Team
Organizational Unit Name (eg, section) []:&lt;Enter&gt;
Common Name (eg, YOUR name) []:Cherokee Certificate Master
Email Address []:alvaro&#64;alobbs.com
</pre>
</div>
<div class="section" id="generate-a-certificate-request">
<h1>Generate a certificate request</h1>
<pre class="literal-block">
$ /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
.....................................++++++
...++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: &lt;another phrase&gt;
Verifying - Enter PEM pass phrase: &lt;repeat it&gt;
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee web server
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.cherokee-project.com
Email Address []:sysop&#64;cherokee-project.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: &lt;Enter&gt;
An optional company name []: &lt;Enter&gt;
Request (and private key) is in newreq.pem
</pre>
</div>
<div class="section" id="sign-the-certificate-request">
<h1>Sign the certificate request</h1>
<pre class="literal-block">
$ /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity:
          Not Before: Aug 17 13:12:44 2003 GMT
          Not After : Aug 16 13:12:44 2004 GMT
      Subject:
          countryName               = ES
          organizationName          = Cherokee web server
          commonName                = www.cherokee-project.com
          emailAddress              = sysop&#64;cherokee-project.com
      X509v3 extensions:
          X509v3 Basic Constraints:
          CA:FALSE
          Netscape Comment:
          OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
          14:6A:45:66:A2:EB:73:74:5A:C5:68:80:50:D5:48:94:DD:ED:25:F7
          X509v3 Authority Key Identifier:
          keyid:9E:E0:E2:6E:1B:02:17:F2:72:C9:0D:E3:DA:C9:E1:8F:CE:BC:6E:A2
          DirName:/C=ES/ST=Madrid/L=Madrid/O=Cherokee Team/CN=Cherokee Certificate Master/emailAddress=alvaro&#64;alobbs.com
          serial:00

Certificate is to be certified until Aug 16 13:12:44 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
</pre>
</div>
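<p>The three steps above (create a CA, generate a request, sign it), as an added example that is not part of the Cherokee documentation: a non-interactive shell version of the CA.pl <tt>-newca</tt>, <tt>-newreq</tt> and <tt>-sign</tt> run, using the openssl subcommands that CA.pl wraps, followed by a check that the signed certificate chains to the CA and belongs to the generated key. It assumes openssl is in the PATH, writes to the scratch directory $WORK, uses 2048-bit keys rather than the 1024-bit default seen in the transcripts, and the names cherokee-test-ca and www.example.test are constructed placeholders.</p>

```shell
#!/bin/sh
# Added example (not Cherokee's own code): the CA.pl -newca/-newreq/-sign
# steps done non-interactively with the openssl subcommands CA.pl wraps.
# Assumptions: openssl in PATH, scratch directory $WORK, and constructed
# placeholder names cherokee-test-ca and www.example.test.
set -u
WORK="${WORK:-$(mktemp -d)}"
umask 077                          # private keys are never world-readable
# Minimal config so the run does not depend on the system openssl.cnf;
# v3_ca gives the CA certificate the CA:TRUE constraint that verify requires.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n' > "$WORK/ca.cnf"
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$WORK/ca.cnf"

# Step 1 (CA.pl -newca): CA key and self-signed CA certificate.
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=ES/O=Cherokee Team/CN=cherokee-test-ca" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2 (CA.pl -newreq): server key and certificate request for host $1.
make_request() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=ES/O=Cherokee web server/CN=$1" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 3 (CA.pl -sign): sign the request with the CA key. openssl x509 -req
# needs no demoCA/ database; the extension file keeps CA:FALSE as in the
# page's output and adds a subjectAltName, which modern clients require.
sign_request() {
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/newreq.pem" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

# Check: the certificate chains to the CA and its public key matches
# newkey.pem (a mismatched key/cert pair is a common deployment mistake).
check_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$WORK/newcert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/newkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

make_ca && make_request www.example.test && sign_request www.example.test && check_cert
```

<p>Unlike CA.pl -sign, the x509 -req step keeps no index of issued certificates, so nothing is written to the demoCA/ database.</p>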
<div class="section" id="self-signed-certificates">
<h1>Self signed certificates</h1>
<p>This is another way to generate certificate files. Ramon Pons sent this little script to create
self-signed certificates:</p>
<pre class="literal-block">
#!/bin/sh
# The private key and the certificate are written to one combined PEM file.
CERTNAME=cherokee.pem
umask 077   # create the file without world-readable permissions from the start
openssl req -days 1000 -new -x509 -nodes -out "$CERTNAME" -keyout "$CERTNAME"
chmod 600 "$CERTNAME"
# A self-signed certificate only verifies against itself, so pass it as the CA file.
openssl verify -CAfile "$CERTNAME" "$CERTNAME"
if [ $? != 0 ]; then
    \mv "$CERTNAME" "$CERTNAME.not_valid"   # \mv bypasses any interactive alias
fi
</pre>
</div>

    

    
</body>
</html>