Difference between revisions of "Certificates"

From Nuclear Physics Group Documentation Pages
Revision as of 23:02, 12 October 2015

We can consider buying a legitimate certificate, rather than home-brew ones:

You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?

A CA-signed certificate provides two important capabilities for your server:

  • Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
  • When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser.

says Red Hat.

The certificate used for LDAP is located at /etc/openldap/root_dn.crt. Do we use the same certificate for everything? If it is only used for LDAP, there is no benefit in buying one from a CA, because we are the ones who copy it to each client anyway.

To re-sign a certificate

To re-sign a certificate (that is, to issue a new self-signed certificate for the existing key, typically because the old one has expired) use these two commands. The first creates a certificate signing request from the existing private key; the second signs that request with the same key (-signkey), so the result is self-signed, and makes it valid for 3652 days (ten years):

openssl req -new -key www.physics.unh.edu.key -out www.physics.unh.edu.csr
openssl x509 -req -days 3652 -in www.physics.unh.edu.csr -signkey www.physics.unh.edu.key -out www.physics.unh.edu.crt

Because the certificate is self-signed, nothing vouches for it except the copy each client already trusts, so the new .crt has to be redistributed to every client that had the old one.

Find out what the certificate is

openssl x509 -text -in root_dn.crt

This prints the certificate in text form: subject, issuer, serial number, validity period (Not Before / Not After), public key and any extensions such as subjectAltName. The text dump is followed by the PEM block itself; add -noout to suppress that.
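The re-signing commands and the inspection command above, run end to end as an added example (not from this page): it generates a throwaway key in a temp directory, re-signs it into a self-signed certificate the same way the two commands do, then checks the things a practitioner wants to know before installing it: that the certificate really belongs to the key, that it verifies against itself (which is all a self-signed certificate can do), how long it is valid, and what its subject and fingerprint are. The hostname is the page's; the req config, the helper names and the added subjectAltName extension are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the page: re-sign an existing private key into a
# fresh self-signed certificate the way the two openssl commands above do,
# then inspect and sanity-check the result. Everything runs in a temp dir on
# a throwaway key; the hostname is the page's, every other name is assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.physics.unh.edu"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = $HOST
EOF

# resign_cert HOST KEY DAYS: new CSR from KEY, self-signed with KEY for DAYS
# days; writes HOST.csr and HOST.crt next to KEY. A subjectAltName is added
# because modern clients match the hostname against the SAN, not the CN.
resign_cert() {
    host="$1"; key="$2"; days="$3"; dir="$(dirname "$key")"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl req -new -key "$key" -subj "/CN=$host" -config "$WORK/req.cnf" \
        -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/$host.csr" -signkey "$key" \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: true if CRT carries KEY's public key.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# verify_against CA CRT: true if CRT chains to CA. For a self-signed
# certificate CA and CRT are the same file: clients have to trust it directly.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# valid_for SECONDS CRT: true if CRT does not expire within SECONDS from now.
valid_for() {
    openssl x509 -noout -checkend "$1" -in "$2" >/dev/null 2>&1
}

# cert_summary CRT: the fields worth reading out of 'openssl x509 -text'.
cert_summary() {
    openssl x509 -noout -subject -issuer -dates -fingerprint -sha256 -in "$1"
}

# Throwaway key standing in for www.physics.unh.edu.key, then the two steps.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$HOST.key" 2>/dev/null
resign_cert "$HOST" "$WORK/$HOST.key" 3652

cert_summary "$WORK/$HOST.crt"
cert_matches_key "$WORK/$HOST.crt" "$WORK/$HOST.key" && echo "certificate matches key"
verify_against "$WORK/$HOST.crt" "$WORK/$HOST.crt" && echo "self-signed: verifies only against itself"
valid_for 86400 "$WORK/$HOST.crt" && echo "valid for at least another day"
```

Point valid_for at the number of seconds in your renewal lead time (for example 30 days) and you have the expiry check a cron job should run against the installed certificate, so the re-signing happens before the old one lapses rather than after.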

Aaron's fantastic certificate stuff

Fantastic, except that it does not work and nothing is explained, so it really is not so fantastic after all.

Aaron stopped by for a power cable, and we made him pay for it by having him tell us that roentgen is our Certificate Authority.

To make a new certificate for a machine ("root_dn" is the hostname of the server the cert is for):

  1. log onto roentgen
  2. cd /usr/share/ssl/certs
  3. if a certificate already exists for that machine:
    1. revoke it with openssl ca -revoke root_dn.crt (this only records the revocation in the CA's index; a published CRL has to be regenerated separately)
    2. move it to the old folder
  4. make root_dn.csr from the machine's private key (root_dn.key must already exist; the command does not create it):
     openssl req -new -key root_dn.key -out root_dn.csr -subj '/DC=edu/DC=unh/DC=physics/CN=root'
  5. sign the request with the CA key. -preserveDN matters here: openssl ca rebuilds the issued subject from the fields listed in the policy section, and the stock policy_anything does not list domainComponent, so without -preserveDN the DC= parts are silently dropped from the certificate:
     openssl ca -policy policy_anything -days 3650 -preserveDN -in root_dn.csr -out root_dn.crt
  6. check the subject of the result (note the path: this reads /root/.ssl/root_dn.crt, not the file just written in /usr/share/ssl/certs; adjust it to wherever the new certificate was written):
     openssl x509 -nameopt RFC2253 -subject -noout -in /root/.ssl/root_dn.crt
  7. copy these newly generated crt, csr, and key files to /etc/openldap/cacerts/ on the machine they were generated for. The .key file is that machine's private key: keep it readable by root and the LDAP server only, and do not copy it to any other host; other clients only need the CA certificate to verify the server.
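The roentgen procedure above, run end to end as an added example (not from this page, and not the configuration actually on roentgen): it builds a throwaway CA in a temp directory, issues a host certificate from a CSR with -policy policy_anything -preserveDN, issues a second one without -preserveDN to show the DC= components being dropped, verifies the result against the CA certificate, then revokes it and regenerates the CRL so that verification with a CRL check fails. The CA name, hostnames, paths and helper names are placeholders; the policy_anything section is written to match the stock openssl.cnf one, which does not list domainComponent, since that is exactly why the page's step 5 needs -preserveDN.

```shell
#!/bin/sh
# Added example, not from the page: the roentgen procedure run against a
# throwaway CA in a temp dir. CA name, hostnames and paths are placeholders;
# the policy section mirrors the stock openssl.cnf one (no domainComponent).
set -eu

CA_DIR="$(mktemp -d)"
trap 'rm -rf "$CA_DIR"' EXIT
BASE_DN="/DC=edu/DC=unh/DC=physics"   # DC components from the page's -subj
CNF="$CA_DIR/openssl.cnf"

cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = no
policy           = policy_anything

# supplied = must be present, optional = copied if present. Subject fields
# not listed here (DC= in our case) are dropped unless -preserveDN is given.
[ policy_anything ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# CA state: empty database, starting serial and CRL number, output dir, key pair.
mkdir "$CA_DIR/newcerts"
touch "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 01   > "$CA_DIR/crlnumber"
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
    -subj "$BASE_DN/CN=roentgen CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null

# issue_cert NAME FQDN [-preserveDN]: key and CSR for NAME (steps 4 and 5),
# signed by the CA for ten years with server extensions and a SAN for FQDN.
issue_cert() {
    name="$1"; fqdn="$2"; shift 2
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "$BASE_DN/CN=$name" \
        -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$fqdn" > "$CA_DIR/$name.ext"
    openssl ca -config "$CNF" -batch -notext -policy policy_anything -days 3650 "$@" \
        -extfile "$CA_DIR/$name.ext" -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt" >/dev/null 2>&1
}

# cert_subject CRT: issued subject in RFC 2253 form (step 6).
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }

# verify_cert CRT: chains to ca.crt; verify_cert_crl also consults the CRL.
verify_cert()     { openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1; }
verify_cert_crl() { openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/ca.crl" "$1" >/dev/null 2>&1; }

# revoke_cert CRT: record the revocation (step 3) and publish a fresh CRL.
revoke_cert() {
    openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" >/dev/null 2>&1
}

issue_cert nodc    nodc.physics.unh.edu                 # DC= parts dropped by the policy
issue_cert root_dn root_dn.physics.unh.edu -preserveDN  # DC= parts kept, as on the page
cert_subject "$CA_DIR/nodc.crt"
cert_subject "$CA_DIR/root_dn.crt"
verify_cert "$CA_DIR/root_dn.crt" && echo "root_dn.crt chains to ca.crt"
revoke_cert "$CA_DIR/root_dn.crt"
verify_cert_crl "$CA_DIR/root_dn.crt" || echo "root_dn.crt rejected once the CRL is checked"
```

The last two lines are the point a plain openssl verify misses: after -revoke the certificate still verifies unless the client is handed the regenerated CRL, so revoking on roentgen without publishing the CRL changes nothing for the clients.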