Wanna see a real web page on this topic? Check out the OpenSSL Certificate Cookbook instead.
I make a few assumptions here: that you're running in
/usr/local/ptudorCA and that at least these lines in your openssl.cnf
are set up similar to this:
[ CA_default ]
dir = /usr/local/CertificateAuthority
certificate = $dir/ptudorrootcert.pem
commonName = Common Name (eg, server name)
commonName_default = %%servername
emailAddress = Email Address
emailAddress_default = cert@%%servername
And that you've already set up your root CA. If you haven't gotten that
far, check out Being your own CA. Or just run:
openssl req -new -x509 -keyout /usr/local/CertificateAuthority/private/RootKey.orgname.pem \
-out /usr/local/CertificateAuthority/RootCert.orgname.pem -days 1826
This script takes as an argument the name of the server the cert is for
and puts everything in a directory named after that server. It generates
the private key and certificate request and then signs the request with
the root CA.
#!/bin/bash
# Run from $dir; takes the server name as its only argument.
dir=/usr/local/ptudorCA
tmp=/tmp
umask 077
if [ "$1" = "" ]
then
    echo " This script requires an argument of the name of the server"
    echo " this certificate is for. Try again."
    exit 99
fi
mkdir -p "$dir/$1"
# Fill the %%servername placeholders in openssl.cnf with the hostname so the
# req prompts default to the right CN and email address.
perl -pi -e "s/%%servername/$1/g" "$dir/openssl.cnf"
echo -e "\nIf you screwed up the hostname, DO NOT press ^c. Finish then revoke it."
echo -e "\n\nFirst we generate the certificate request and private key:\n\n"
# -keyout and -out name the same file on purpose: openssl req appends the
# temporary self-signed cert after the key, and x509toreq reads both below.
# The issued cert's lifetime comes from the CA's default_days, not -days here.
openssl req -nodes -new -x509 -keyout "$dir/$1/$1-key.pem" -out "$dir/$1/$1-key.pem" \
    -days 1461 -config "$dir/openssl.cnf"
echo -e "\n\nNow we sign it with our root CA\n\n"
# Turn the self-signed cert back into a request, then issue it from the CA.
# (A fixed file name in a shared /tmp is easy for another user to clobber;
# pointing tmp at a directory only you can write to avoids that.)
openssl x509 -x509toreq -in "$dir/$1/$1-key.pem" -signkey "$dir/$1/$1-key.pem" \
    -out "$tmp/tmp.pem"
openssl ca -config "$dir/openssl.cnf" -policy policy_anything -out \
    "$dir/$1/$1-cert.pem" -infiles "$tmp/tmp.pem"
rm -f "$tmp/tmp.pem"
# Put the placeholders back so the config is ready for the next server.
# Note this rewrites every occurrence of the hostname in openssl.cnf.
perl -pi -e "s/$1/%%servername/g" "$dir/openssl.cnf"
If you have any Microsoft IIS4/NT4 clients, you need to convert the key
from PEM to the NET (Netscape server) key format so that Key Manager can
import the certificate and key. Again, the script takes the hostname as
its argument, and it uses the hostname as the default password.
#!/bin/bash
# Run from $dir; takes the server name as its only argument.
umask 077
if [ "$1" = "" ]
then
    echo " This script requires an argument of the name of the server"
    echo " this certificate is for. Try again."
    exit 99
fi
echo -en "\nConverting..."
# NET is the old Netscape server key format that IIS4 Key Manager imports.
openssl rsa -inform PEM -in "$1/$1-key.pem" -out "$1/$1-key.net" -outform NET
echo -en "done\n\n"
For IIS5/Win2k it's slightly different: the key and signed certificate go
into a PKCS#12 bundle. The default password is again set to the name of
the host.
#!/bin/bash
# Run from $dir; takes the server name as its only argument.
umask 077
if [ "$1" = "" ]
then
    echo " This script requires an argument of the name of the server"
    echo " this certificate is for. Try again."
    exit 99
fi
echo -en "\nConverting..."
# Bundle the key and signed cert into a PKCS#12 file protected with the
# hostname as its password; IIS5 asks for that password on import.
openssl pkcs12 -export -inkey "$1/$1-key.pem" -in "$1/$1-cert.pem" \
    -out "$1/$1-key.pks" -password pass:"$1" -name "$1 PKS Certificate"
echo -en "done\n\n"
See also:
OpenSSL
OpenCA
Being your own CA