[Linux-bruxelles] [ssl - apache] certificats
eric Hanuise
ehanuise at fantasybel.net
Sun 7 Sep 22:52:42 CEST 2003
At 18:52 07/09/2003 +0200, you wrote:
>Hello list!
>
>I have two servers at home and I have already created a CA for my first
>server; now I would like to generate a .crt and .key for my second server
>and have it validated by the CA I already created.
>
>I have no idea how to go about it and unfortunately neither Google nor a man
>CA.pl or CA has helped me...
>
>Could you tell me how to proceed?
>
>Thanks in advance,
>Alexandre
>
I have scripts for this kind of thing:
1) generatekeys.sh:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#!/bin/bash
# Builds a self-signed CA (one RSA, one DSA) under ./rsa and ./dsa, then a
# server key and CSR for each, and signs the server CSRs with the matching CA.
# NB: 1024-bit keys and seeding from /var/log/messages date from 2003; today
# use 2048-bit or larger keys and let OpenSSL seed its own RNG.
set -e
echo ----------------------------------------
echo creating dsa and rsa dirs
echo ----------------------------------------
mkdir -p ./dsa
mkdir -p ./rsa
echo ----------------------------------------
echo creating dsa parameters for CA
echo ----------------------------------------
/usr/bin/openssl dsaparam -out ./dsa/CA.prm -rand /var/log/messages 1024
echo ----------------------------------------
echo generating CA RSA private key
echo do NOT use same CN and ON for CA and target
echo use for instance self-cert.yourdomain.net
echo ----------------------------------------
/usr/bin/openssl genrsa -out ./rsa/CA.key -rand /var/log/messages 1024
echo ----------------------------------------
echo generating CA DSA private key
echo do NOT use same CN and ON for CA and target
echo use for instance self-cert.yourdomain.net
echo ----------------------------------------
/usr/bin/openssl gendsa -out ./dsa/CA.key -rand /var/log/messages ./dsa/CA.prm
echo ----------------------------------------
echo generating RSA CA certification signing request
echo ----------------------------------------
# interactive: openssl prompts for the CA subject (C, ST, O, CN, ...)
/usr/bin/openssl req -new -key ./rsa/CA.key -out ./rsa/CA.csr
echo ----------------------------------------
echo generating DSA CA certification signing request
echo ----------------------------------------
/usr/bin/openssl req -new -key ./dsa/CA.key -out ./dsa/CA.csr
echo ----------------------------------------
echo generating self-signed RSA CA x509 certificate
echo ----------------------------------------
/usr/bin/openssl x509 -in ./rsa/CA.csr -out ./rsa/CA.crt -req -signkey ./rsa/CA.key
echo ----------------------------------------
echo generating self-signed DSA CA x509 certificate
echo ----------------------------------------
/usr/bin/openssl x509 -in ./dsa/CA.csr -out ./dsa/CA.crt -req -signkey ./dsa/CA.key
echo ----------------------------------------
echo generating DSA server parameters
echo ----------------------------------------
/usr/bin/openssl dsaparam -out ./dsa/server.prm -rand /var/log/messages 1024
echo ----------------------------------------
echo generating RSA server private key
echo ----------------------------------------
/usr/bin/openssl genrsa -out ./rsa/server.key -rand /var/log/messages 1024
echo ----------------------------------------
echo generating DSA server private key
echo ----------------------------------------
/usr/bin/openssl gendsa -out ./dsa/server.key -rand /var/log/messages ./dsa/server.prm
echo ----------------------------------------
echo generating RSA server certification signing request
echo ----------------------------------------
# interactive: the CN entered here must be the server hostname, not the CA CN
/usr/bin/openssl req -new -key ./rsa/server.key -out ./rsa/server.csr
echo ----------------------------------------
echo generating DSA server certification signing request
echo ----------------------------------------
/usr/bin/openssl req -new -key ./dsa/server.key -out ./dsa/server.csr
echo ----------------------------------------
echo generating CA signed server RSA certificate
echo ----------------------------------------
# -CAcreateserial writes ./rsa/CA.srl on first use and increments it afterwards
/usr/bin/openssl x509 -in ./rsa/server.csr -days 365 -CAcreateserial -CA ./rsa/CA.crt -CAkey ./rsa/CA.key -req -out ./rsa/server.crt
echo ----------------------------------------
echo generating CA signed DSA server certificate
echo ----------------------------------------
/usr/bin/openssl x509 -in ./dsa/server.csr -days 365 -CAcreateserial -CA ./dsa/CA.crt -CAkey ./dsa/CA.key -req -out ./dsa/server.crt
echo ----------------------------------------
echo Done
echo ----------------------------------------
ls -al ./rsa/
echo ----------------------------------------
ls -al ./dsa/
echo ----------------------------------------
echo now run copykeys.sh and then issue a make
echo in each folder with a makefile in etc-apache-ssl.xxx
echo -----------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2) copykeys.sh
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#!/bin/bash
# Installs the certificates and keys produced by generatekeys.sh into the
# Apache ssl.crt / ssl.key directories and rebuilds the hash symlinks.
set -e
cp ./rsa/server.crt /etc/apache/ssl.crt/rsa-server.crt
cp ./dsa/server.crt /etc/apache/ssl.crt/dsa-server.crt
cp ./rsa/CA.crt /etc/apache/ssl.crt/rsa-CA.crt
cp ./dsa/CA.crt /etc/apache/ssl.crt/dsa-CA.crt
# re-encodes the keys as plain PEM (and would strip a passphrase, if any),
# so Apache can load them without prompting at startup
openssl rsa -in ./rsa/server.key -out /etc/apache/ssl.key/rsa-server.key
openssl dsa -in ./dsa/server.key -out /etc/apache/ssl.key/dsa-server.key
# private keys readable by the owner only
chmod 400 /etc/apache/ssl.key/rsa-server.key
chmod 400 /etc/apache/ssl.key/dsa-server.key
# run the Makefile in the certificate directory to recreate the hash links
make -C /etc/apache/ssl.crt clean
make -C /etc/apache/ssl.crt
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NB: the 'make clean' and 'make' are there to recreate the Apache
certificate links, but depending on your Apache version this may look
different.
----------------------------------------------------------------------
Eric Hanuise - ehanuise at fantasybel dot net
"If it works, don't fix it"
----------------------------------------------------------------------
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
Why HTML in E-Mail is a Bad Idea
http://www.birdhouse.org/etc/evilmail.html
More information about the Linux-bruxelles mailing list
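The question above is narrower than the reply's script: the CA already exists, and only a second server's key and certificate are needed. The following is an added example, not code from the original post or its author, that does just that step with the same openssl x509 flags the reply uses, and adds two checks the reply does not show: that the new certificate actually chains to the CA (openssl verify) and that the key and certificate belong together. It assumes an RSA CA at ./rsa/CA.key and ./rsa/CA.crt as laid out by the reply's generatekeys.sh (overridable through CA_KEY and CA_CRT); the hostnames, output directory and the make_test_ca helper are constructed for this example only. It uses 2048-bit keys rather than the 1024-bit keys of the 2003 script and omits the obsolete -rand /var/log/messages seeding.

```shell
#!/bin/sh
# Added example (not from the original post): issue a certificate for a
# second server from an existing CA, then verify the result.
# Assumed layout (as in generatekeys.sh): RSA CA key and self-signed cert
# in ./rsa/; override with CA_KEY / CA_CRT.
set -eu

CA_KEY=${CA_KEY:-./rsa/CA.key}
CA_CRT=${CA_CRT:-./rsa/CA.crt}

# make_test_ca: creates a throwaway CA so the script can be exercised
# offline. In real use the CA from generatekeys.sh is used instead and
# its key stays off the web servers.
make_test_ca() {
    mkdir -p "$(dirname "$CA_KEY")"
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    openssl req -new -x509 -batch -key "$CA_KEY" -out "$CA_CRT" -days 3650 \
        -subj "/CN=self-cert.example.net/O=Example CA" 2>/dev/null
}

# issue_server_cert <hostname> <outdir>
# Generates a fresh key and CSR for <hostname>, signs the CSR with the CA
# and leaves <outdir>/<hostname>.key and <outdir>/<hostname>.crt behind.
issue_server_cert() {
    host=$1
    out=$2
    mkdir -p "$out"
    # server key and CSR; the CN is the server name, never the CA's CN
    openssl genrsa -out "$out/$host.key" 2048 2>/dev/null
    openssl req -new -batch -key "$out/$host.key" -out "$out/$host.csr" \
        -subj "/CN=$host/O=Example Server" 2>/dev/null
    # sign with the existing CA (same flags as the original script);
    # -CAcreateserial writes CA.srl next to the CA cert on first use
    openssl x509 -req -in "$out/$host.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -out "$out/$host.crt" 2>/dev/null
    # private key readable by its owner only; the CSR is no longer needed
    chmod 400 "$out/$host.key"
    rm -f "$out/$host.csr"
}

# verify_server_cert <certfile>: succeeds only if the cert chains to CA_CRT
verify_server_cert() {
    openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1
}

# key_matches_cert <keyfile> <certfile>: succeeds when the public key in the
# certificate is the one derived from the private key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ "$k" = "$c" ]
}

# Standalone use: ./sign-server.sh server2.example.net ./out
if [ -n "${1:-}" ]; then
    out=${2:-./out}
    issue_server_cert "$1" "$out"
    if verify_server_cert "$out/$1.crt" && key_matches_cert "$out/$1.key" "$out/$1.crt"; then
        echo "$out/$1.crt verifies against $CA_CRT"
    else
        echo "verification failed for $out/$1.crt" >&2
        exit 1
    fi
fi
```

Copy the resulting .crt and .key to the second server the way copykeys.sh does; the CA key itself never needs to leave the machine where it was generated, and openssl verify -CAfile is the quick check to run on the destination before restarting Apache.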