Re: question about TLS
Jack Walcik wrote:
>I created /etc/ssl/certs to store my certificates in, cd'd into it,
>and ran "CA -newca". It prompts me for a filename to create as
>the certificate, and then tells me it can't stat the file, and creates
>a directory called demoCA w/ a bunch of empty files and directories in
>it. However, if I just hit enter when prompted, it asks me for the
>certificate information, and then creates the demoCA directory with
>populated files (the certificate and private key).
Hitting enter is the right way to create your CA cert and private key.
See demoCA/cacert.pem and demoCA/private/cakey.pem. BTW, you don't have to
create the CA in /etc/ssl/certs. It can be any secure place on your
system. It is important to run the commands given here from that
directory.
>Okay, so I have the cert and the private key. My question is, what do I
>do next? When I run the openssl command listed in the doc to create
>the certificate request:
> openssl req -new -nodes -keyout newreq.pem -out newreq.pem
This is correct too, but newreq.pem is a CSR that needs to be signed by
your newly created CA cert.
If newreq.pem is a server cert, make sure the common name given is the name
of the server and not YOUR name as the prompts suggest.
>Am I supposed to be pointing it at the public certificate created
>above? Or at a new, empty file?
To sign:
CA.sh -sign and follow the prompts.
The script already knows it is signing "newreq.pem".
The result will be a CA-signed cert (newcert.pem) and a private key
(newreq.pem). They should be renamed (in order to start the process for
future certs) and copied to your cert repository:
(example)
mv newcert.pem /etc/ssl/certs/mycert.pem
mv newreq.pem /etc/ssl/certs/mykey.pem
chmod 600 /etc/ssl/certs/mykey.pem
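The same create-CA, request, sign and rename sequence described above, as an added non-interactive example (not from this mail or the CA.sh script). It assumes only the openssl command-line tool; the CA name "Example Test CA" and the server name www.example.test are hypothetical, and unlike the mail's single newreq.pem holding both key and CSR, it keeps the server key in a separate newkey.pem. The final check confirms what the reply stresses: the cert chains to the new CA and its common name is the server's name.

```shell
#!/bin/sh
# Added example (not from the mail): non-interactive version of the
# CA -> CSR -> sign -> verify flow. Hypothetical names: "Example Test CA",
# www.example.test. Requires the openssl command-line tool.
set -eu

# make_ca DIR: self-signed CA cert and key, what "CA -newca" does interactively
make_ca() {
  dir=$1
  mkdir -p "$dir/private"
  chmod 700 "$dir/private"
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -sha256 \
    -subj "/CN=Example Test CA" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
  chmod 600 "$dir/private/cakey.pem"
}
# make_csr DIR HOST: server key and CSR; the CN is the server name, not a person
make_csr() {
  dir=$1; host=$2
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$host" \
    -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" >/dev/null 2>&1
  chmod 600 "$dir/newkey.pem"
}
# sign_csr CADIR DIR: what "CA.sh -sign" does; writes the CA-signed newcert.pem
sign_csr() {
  cadir=$1; dir=$2
  openssl x509 -req -in "$dir/newreq.pem" -CA "$cadir/cacert.pem" \
    -CAkey "$cadir/private/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -out "$dir/newcert.pem" >/dev/null 2>&1
}
# check_cert CADIR CERT HOST: "ok" if CERT chains to the CA and its CN equals HOST
check_cert() {
  cadir=$1; cert=$2; host=$3
  openssl verify -CAfile "$cadir/cacert.pem" "$cert" >/dev/null 2>&1 || { echo bad-chain; return 1; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$host" ] && echo ok || echo "cn-mismatch:$cn"
}
# demo: run the whole flow in a scratch directory and report the check result
demo() {
  work=$(mktemp -d)
  make_ca "$work/demoCA"
  make_csr "$work" www.example.test
  sign_csr "$work/demoCA" "$work"
  check_cert "$work/demoCA" "$work/newcert.pem" www.example.test
  rm -rf "$work"
}
```

Calling demo runs the whole flow and prints "ok"; for a real deployment, replace the scratch directory with the secure CA location the reply mentions and rename the outputs as shown above.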
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
e-mail: dksoper@us.ibm.com