Re: OpenSSL Certificate Creation

From: D. Stussy (kd6lvw@bde-arc.ampr.org)
Date: 05/09/02


From: "D. Stussy" <kd6lvw@bde-arc.ampr.org>
Date: Thu, 09 May 2002 00:15:05 GMT

On Thu, 2 May 2002, Ray Lassiter wrote:
>Well, I have been reading and testing for about a week now and can't quite
>find anything that ties it all together. I have an apache webserver,
>openssl, mod_ssl. I was able to generate a self-signed cert using openssl -
>genrsa commands. I put the cert and key in the httpd/conf/ssl dir and
>everything seemed to work.
>
>My problem is that I can't figure out how to generate a client cert from the
>previously created server certs. I would like to make it so that the cert is
>required to connect to the server. I used the CA.pl script to generate a CA
>but I end up with some .pem files. I am even able to create a .p12 file that
>I can import to MSIE. The problem is how do I link them to server
>certificates so that they are needed to connect to the webserver.
>
>I have searched every possibility, that I can come up with, on google but to
>no avail. Any pointers to solving this problem??

I wish the documentation and stuff, including the web pages of others, were a
bit more straightforward on how to do this. Although it is nice to know how
things work, sometimes people simply want the "quick and dirty" approach.
Therefore, here are my scripts:

A single parameter: An Integer - number of days until certificate expires.

Generate Certificate Authority self-signed certificate:
-------------------------------------------------------------------------------
#!/bin/sh
# Usage: $0 DAYS   (DAYS = number of days until the CA certificate expires)
set -e
[ -n "$1" ] || { echo "usage: $0 days" >&2; exit 1; }
cd /usr/local/ssl/private
CONFIG="-config ../openssl.cnf"
# New RSA key (passphrase-protected, prompted) and self-signed X.509 CA certificate in one step
openssl req -new -x509 -keyout CAKey.pem -out CACert.pem -days "$1" $CONFIG
# DER copy of the CA certificate for clients that cannot import PEM
exec openssl x509 -inform pem -outform der -in CACert.pem -out CACert.der
-------------------------------------------------------------------------------
The last step is needed only because ".der" is used by Micro$oft, but everyone
else uses ".pem". If you don't care about M$ programs, it may be skipped.

Generate THREE "user" certificates for web server, mail server, and mail client:
-------------------------------------------------------------------------------
#!/bin/sh
# Issue one certificate per role, signed by the CA created above.
# Each request prompts for the subject DN and the new key's passphrase;
# each signing prompts for the CA key's passphrase.
set -e
cd /usr/local/ssl
mkdir newcerts
cd newcerts

# issue NAME "Label": key + CSR, CA-signed certificate to ../certs/NAME.pem,
# and the private key with its passphrase removed to NAME.key
issue() {
    echo "$2 Certificate:"
    openssl req -new -keyout newkey.pem -out newreq.pem -config ../openssl.cnf
    openssl ca -config ../openssl.cnf -policy policy_any -out "../certs/$1.pem" -infiles newreq.pem
    # Unencrypted copy so the daemon can start unattended; protect it by mode and group below
    openssl rsa -in newkey.pem -out "$1.key"
    rm -f newreq.pem newkey.pem
}

issue webserver  "Web Server"
issue mailserver "Mail Server"
issue mailclient "Mail Client"

chmod 640 *.key           # the default umask would leave the keys world-readable
mv -v *.key ../private
cd ..
chgrp html */web*         # certs/webserver.pem and private/webserver.key
chgrp mail */mail*        # the mail server and mail client cert/key pairs
exec rm -r newcerts
-------------------------------------------------------------------------------
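The scripts above create the CA and the certificates but do not show the step the original question asked about: making the web server demand one of them. What follows is an added end-to-end example, not part of the original post, written for a current OpenSSL rather than the 2002 build. It builds a private CA and one client certificate in a scratch directory, runs the same chain check mod_ssl performs on a presented certificate (accepted only because it was issued by the CA the server trusts, which is what links client certificates to the server; a self-signed certificate with the same subject is rejected), bundles the client credential as PKCS#12 for a browser, and writes the mod_ssl directives that make the certificate mandatory. The work directory, the subjects "Example Private CA" and "alice", the PKCS#12 password "changeit", the minimal openssl.cnf and the Apache paths (which follow the layout of the scripts above) are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): private CA -> client certificate ->
# verification against that CA -> PKCS#12 bundle -> mod_ssl client-auth config.
# Names, subjects, paths and the bundle password are illustrative assumptions.
set -eu

# write_config DIR: minimal openssl.cnf with CA and TLS-client extension sections.
# Subjects are passed with -subj, so the DN section can stay empty.
write_config() {
    cat >"$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# verify_against_ca CAFILE CERT: the chain check mod_ssl performs on a presented
# client certificate; returns 0 only if CERT chains to CAFILE and is a TLS client cert.
verify_against_ca() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# make_pki DIR: CA, one client certificate, a "rogue" self-signed certificate for
# the negative check, a PKCS#12 bundle, and the Apache config fragment.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    write_config "$dir"
    cnf=$dir/openssl.cnf

    # 1. Self-signed CA (the post's CAKey.pem / CACert.pem). -nodes leaves the key
    #    unencrypted so this runs unattended; a real CA key should be passphrase-protected.
    openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 365 \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Private CA" 2>/dev/null
    # DER copy for clients that cannot import PEM (the post's CACert.der)
    openssl x509 -in "$dir/ca.pem" -outform der -out "$dir/ca.der"

    # 2. Client key + CSR, then the CA signs the CSR. The CA, not the server
    #    certificate, is what ties client certificates to the server.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=alice" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$cnf" -extensions v3_client \
        -out "$dir/client.pem" 2>/dev/null

    # 3. Same subject and extensions, but self-signed: our CA never issued it.
    openssl req -new -x509 -config "$cnf" -extensions v3_client -days 365 \
        -newkey rsa:2048 -nodes -keyout "$dir/rogue.key" -out "$dir/rogue.pem" \
        -subj "/CN=alice" 2>/dev/null

    # 4. PKCS#12 bundle (key + certificate + CA) for import into a browser. Demo password.
    openssl pkcs12 -export -name alice -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/ca.pem" -passout pass:changeit -out "$dir/client.p12"

    # 5. mod_ssl directives; paths follow the layout of the post's scripts.
    cat >"$dir/ssl-client-auth.conf" <<'EOF'
# Inside the <VirtualHost *:443> that must demand a client certificate
SSLEngine on
SSLCertificateFile    /usr/local/ssl/certs/webserver.pem
SSLCertificateKeyFile /usr/local/ssl/private/webserver.key
# Only certificates issued directly (depth 1) by this CA are accepted from clients.
# The CA certificate is public; it may be copied to certs/ so httpd can read it.
SSLCACertificateFile  /usr/local/ssl/private/CACert.pem
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

main() {
    dir=${WORKDIR:-${TMPDIR:-/tmp}/client-cert-demo}
    make_pki "$dir"
    echo "files written to $dir"
    verify_against_ca "$dir/ca.pem" "$dir/client.pem" && echo "client.pem: issued by our CA, accepted"
    verify_against_ca "$dir/ca.pem" "$dir/rogue.pem" || echo "rogue.pem: not issued by our CA, rejected"
    openssl x509 -in "$dir/client.pem" -noout -subject -issuer
}

main
```

Set WORKDIR to choose where the files land. To apply it for real, put the directives from ssl-client-auth.conf into the HTTPS virtual host, restart Apache and import client.p12 into the browser; a connection without a certificate issued by CACert.pem now fails the TLS handshake. SSLVerifyDepth 1 accepts only certificates signed directly by a CA in SSLCACertificateFile, so a chain with intermediates needs a larger depth and the intermediates in that file.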


