Some software believes passionately in certificates signed by certificate authorities (CA), and will not budge without it.\u00a0 This means that often enough you want to be your own CA. You cannot trust the likes of Diginotar to protect your interests: you need your own certificate authority on your own system … and you need it to be simple, because it should be. On days like this, you need an instant<\/b> way of setting it up, which is what this script is. <\/p>\n
Characteristics of scripts produced by this script:<\/p>\n
If you use this for something serious then take note:<\/p>\n
instant-ssl-ca<\/a> : bash shell script This command gets you:<\/p>\n It’s pretty simple – the hard part is to copy the certificate to where you want it after it has been generated.<\/p>\n So, what did we get? We got a CA certificate (called “ca”) and two client certificates: one called “client.localdomain”, and the other called “server.localdomain”.<\/p>\n Things that you will use this for:<\/p>\n Do the grant like this:<\/p>\n The client side connection is:<\/p>\n The relevant parts of the openvpn server configuration:<\/p>\n Now you can configure it thusly:<\/p>\n Some software believes passionately in certificates signed by certificate authorities (CA), and will not budge without it.\u00a0 This means that often enough you want to be your own CA. You cannot trust the likes of Diginotar to protect your interests: … Continue reading
\nLicence: GPL (GNU Public Licence v3)<\/p>\nUsage<\/h2>\n
\n
\r\n$ .\/instant-ssl-ca --ssl server.localdomain client.localdomain<\/b>\r\n\r\n*****************************************************************\r\nMaking key named server.localdomain\r\n*****************************************************************\r\n\r\n*****************************************************************\r\nCreating Certificate Authority: ca.{key,crt}\r\n*****************************************************************\r\nGenerating a 1024 bit RSA private key\r\n...............++++++\r\n.......++++++\r\nwriting new private key to 'ca\/ca.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [ZA]:State or Province Name (full name) [Somewhere]:Locality Name (eg, city) [Someplace]:Organization Name (eg, company) [Somepeople]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [ca]:Email Address [someone@somewhere.else]:\r\n*****************************************************************\r\nCreating certificate signing request server.localdomain.csr\r\n*****************************************************************\r\nGenerating a 1024 bit RSA private key\r\n...++++++\r\n........++++++\r\nwriting new private key to 'server.localdomain.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [ZA]:State or Province Name (full name) [Somewhere]:Locality Name (eg, city) [Someplace]:Organization Name (eg, company) [Somepeople]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [server.localdomain]:Email Address [someone@somewhere.else]:\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:An optional company name []:\r\n*****************************************************************\r\nCertificate authority signing certificate => server.localdomain.crt\r\n*****************************************************************\r\nUsing configuration from ca\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName :PRINTABLE:'ZA'\r\nstateOrProvinceName :PRINTABLE:'Somewhere'\r\nlocalityName :PRINTABLE:'Someplace'\r\norganizationName :PRINTABLE:'Somepeople'\r\ncommonName :PRINTABLE:'server.localdomain'\r\nemailAddress :IA5STRING:'someone@somewhere.else'\r\nCertificate is to be certified until Apr 30 18:28:28 2042 GMT (10950 days)\r\nSign the certificate? [y\/n]:\r\n\r\n1 out of 1 certificate requests certified, commit? [y\/n]Write out database with 1 new entries\r\nData Base Updated\r\n\r\n*****************************************************************\r\nOutput directory is .\/server.localdomain\r\n*****************************************************************\r\n\r\n*****************************************************************\r\nMaking key named client.localdomain\r\n*****************************************************************\r\nCA: ca\/ca.key and ca\/ca.crt exist\r\n\r\n*****************************************************************\r\nCreating certificate signing request client.localdomain.csr\r\n*****************************************************************\r\nGenerating a 1024 bit RSA private key\r\n................................................................++++++\r\n...........++++++\r\nwriting new private key to 'client.localdomain.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [ZA]:State or Province Name (full name) [Somewhere]:Locality Name (eg, city) [Someplace]:Organization Name (eg, company) [Somepeople]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) [client.localdomain]:Email Address [someone@somewhere.else]:\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:An optional company name []:\r\n*****************************************************************\r\nCertificate authority signing certificate => client.localdomain.crt\r\n*****************************************************************\r\nUsing configuration from ca\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName :PRINTABLE:'ZA'\r\nstateOrProvinceName :PRINTABLE:'Somewhere'\r\nlocalityName :PRINTABLE:'Someplace'\r\norganizationName :PRINTABLE:'Somepeople'\r\ncommonName :PRINTABLE:'client.localdomain'\r\nemailAddress :IA5STRING:'someone@somewhere.else'\r\nCertificate is to be certified until Apr 30 18:28:28 2042 GMT (10950 days)\r\nSign the certificate? [y\/n]:\r\n\r\n1 out of 1 certificate requests certified, commit? [y\/n]Write out database with 1 new entries\r\nData Base Updated\r\n\r\n*****************************************************************\r\nOutput directory is .\/client.localdomain\r\n*****************************************************************\r\n<\/pre>\n\r\n$ find <\/b>\r\n.\r\n.\/client.localdomain\r\n.\/client.localdomain\/client.localdomain.crt\r\n.\/client.localdomain\/client.localdomain.pem\r\n.\/client.localdomain\/client.localdomain.key\r\n.\/client.localdomain\/ca.crt\r\n.\/.rnd\r\n.\/ca\r\n.\/ca\/01.pem\r\n.\/ca\/ca.key\r\n.\/ca\/index.txt\r\n.\/ca\/index.txt.attr\r\n.\/ca\/index.txt.attr.old\r\n.\/ca\/serial\r\n.\/ca\/index.txt.old\r\n.\/ca\/02.pem\r\n.\/ca\/serial.old\r\n.\/ca\/ca.crt\r\n.\/ca\/openssl.cnf\r\n.\/ca\/ca.der\r\n.\/server.localdomain\r\n.\/server.localdomain\/server.localdomain.pem\r\n.\/server.localdomain\/server.localdomain.key\r\n.\/server.localdomain\/server.localdomain.crt\r\n.\/server.localdomain\/ca.crt\r\n.\/instant-ssl-ca\r\n<\/pre>\n
Applications<\/h2>\n
\n
\nYou configure the certificate in the server’s my.cnf, and then restart:<\/p>\nssl-ca=\/etc\/mysql\/ssl\/ca.crt\r\nssl-key=\/etc\/mysql\/ssl\/server.localdomain.key\r\nssl-cert=\/etc\/mysql\/ssl\/server.localdomain.crt<\/pre>\n
GRANT ALL PRIVILEGES \r\n ON `database_name`.* to 'username'@'%' \r\n IDENTIFIED BY 'password' \r\n REQUIRE SSL<\/b>;\r\n<\/pre>\n
mysql --ssl-ca=$HOME\/.mysql\/ca.crt \\\r\n --ssl-key=$HOME\/.mysql\/client.localdomain.key \\\r\n --ssl-cert=$HOME\/.mysql\/client.localdomain.crt \\\r\n -u 'username -p'password' -h 'server.localdomain' database_name<\/pre>\n<\/li>\n
\nThe certificate parts of the openvpn client configuration are:<\/p>\nopenvpn --client \\\r\n --tls-remote server.localdomain \\\r\n --ca ca.crt --cert client.localdomain.crt --key client.localdomain.key\r\n<\/pre>\n
openvpn --server 10.123.0.0 255.255.255.0 \\\r\n --ca ca.crt --cert server.localdomain.crt --key server.localdomain.key\r\n<\/pre>\n<\/li>\n
openssl rsa < server.localdomain.key > server.localdomain.rsakey<\/pre>\n
[\r\n {rabbit, [\r\n {ssl_listeners,[5671]},\r\n {ssl_options, [{cacertfile,\"\/etc\/rabbitmq\/ca.crt\"},\r\n {certfile,\"\/etc\/rabbitmq\/server.localdomain.crt\"},\r\n {keyfile,\"\/etc\/rabbitmq\/server.localdomain.rsakey\"},\r\n {verify,verify_peer},\r\n {fail_if_no_peer_cert,true}]}\r\n ]}\r\n].<\/pre>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"