[Savannah-cvs] administration/docs/hacking_savannah hacking_sa...


From: Sylvain Beucler
Subject: [Savannah-cvs] administration/docs/hacking_savannah hacking_sa...
Date: Thu, 28 Oct 2004 17:37:39 -0400

CVSROOT:        /cvsroot/administration
Module name:    administration
Branch:         
Changes by:     Sylvain Beucler <address@hidden>        04/10/28 21:31:58

Modified files:
        docs/hacking_savannah: hacking_savannah.texi 

Log message:
        added section about generating Apache SSL certificates

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/administration/administration/docs/hacking_savannah/hacking_savannah.texi.diff?tr1=1.60&tr2=1.61&r1=text&r2=text

Patches:
Index: administration/docs/hacking_savannah/hacking_savannah.texi
diff -u administration/docs/hacking_savannah/hacking_savannah.texi:1.60 
administration/docs/hacking_savannah/hacking_savannah.texi:1.61
--- administration/docs/hacking_savannah/hacking_savannah.texi:1.60     Wed Oct 
27 00:04:54 2004
+++ administration/docs/hacking_savannah/hacking_savannah.texi  Thu Oct 28 
21:31:58 2004
@@ -1,5 +1,5 @@
 \input texinfo   @c -*-texinfo-*-
address@hidden $Id: hacking_savannah.texi,v 1.60 2004/10/27 00:04:54 Beuc Exp $
address@hidden $Id: hacking_savannah.texi,v 1.61 2004/10/28 21:31:58 Beuc Exp $
 @comment %**start of header
 @setfilename hacking_savannah.info
 @include version.texi
@@ -481,7 +481,70 @@
 @url{http://tldp.org/HOWTO/SSL-RedHat-HOWTO.html}
 @end itemize
 
-At Savannah, we [to be continued]
+At Savannah, we use a root (or auto-signed) certificate to sign all
+our certificate. I noticed that Gna! uses one autosigned certificate
+per website.
+
+Here is how to generate some new keys. We will use the default
address@hidden/etc/ssl/openssl.cnf} configuration file, that wants to use a
address@hidden/} directory as a repository.
+
address@hidden
+# Create the directory structure
+$ mkdir demoCA
+$ cd demoCA
+$ mkdir newcerts
+$ mkdir private
+$ echo "01" > serial
+
+# Create the root certificate
+$ cd ..
+$ openssl req -new -x509 -keyout demoCA/private/cakey.pem \
+  -out demoCA/cacert.pem
address@hidden
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:MA
+Locality Name (eg, city) []:Boston
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
+Organizational Unit Name (eg, section) []:Certificate Authority
+Common Name (eg, YOUR name) []:FSF
+Email Address []:savannah-hackers@@gnu.org
+
+# Generate savannah.gnu.org certificate
+$ openssl req -new -keyout savannah_gnu_pass.key -out savannah_gnu.csr
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:MA
+Locality Name (eg, city) []:Boston
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
+Organizational Unit Name (eg, section) []:Webserver Team
+Common Name (eg, YOUR name) []:savannah.gnu.org
+Email Address []:savannah-hackers@@gnu.org
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+$ openssl ca -in savannah_gnu.csr -out savannah_gnu.crt
+
+# Generate savannah.gnu.org certificate - same as savannah_gnu, but
+# with CN=savannah.nongnu.org
+$ openssl req -new -keyout savannah_nongnu_pass.key -out savannah_nongnu.csr
+$ openssl ca -in savannah_nongnu.csr -out savannah_nongnu.crt
+
+# Create passphrase-less keys for use in Apache (no need to type the
+# passphrase on Apache startup)
+$ openssl rsq -in savannah_gnu_pass.key -out savannah_gnu.key
+$ openssl rsq -in savannah_nongnu_pass.key -out savannah_nongnu.key
+
+# Make sure nobody can read the private keys
+$ chmod 600 *.key demoCA/private/*
+
+# Time to copy everything in apache
+$ cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key
+$ cp demoCA/private/cacert.pem /etc/apache/ssl.crt/ca.crt
+$ cp -a *.key /etc/apache/ssl.key
+$ cp *.crt /etc/apache/ssl.crt
address@hidden example
 
 Last, grab @file{/etc/apache/httpd.conf} from savannah.gnu.org as well
 as included @file{vhosts-gnu.org} and @file{vhosts-nongnu.org}, and
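
Review bot: the "Time to copy everything in apache" step copies the CA signing key onto the web server (`cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key`), and Apache does not need that key to serve or verify certificates; drop that line, copy only the CA certificate, and keep cakey.pem on the machine where `openssl ca` is run. Three further fixes in the same example: `openssl rsq` in both passphrase-removal commands should be `openssl rsa`; the CA certificate copy reads `demoCA/private/cacert.pem`, but the root certificate was written with `-out demoCA/cacert.pem`, so that `cp` will fail; and the comment above the second request says "Generate savannah.gnu.org certificate" where it means savannah.nongnu.org. The directory setup creates `serial` but no `index.txt`, which `openssl ca` expects under the stock openssl.cnf the text refers to, so add `touch index.txt` there. The `chmod 600 *.key demoCA/private/*` comes only after the passphrase-less keys have been written, so consider setting `umask 077` at the top of the example instead. In the prose, "sign all our certificate" should read "certificates".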



