[Savannah-cvs] administration/docs/hacking_savannah hacking_sa...

From: Sylvain Beucler
Subject: [Savannah-cvs] administration/docs/hacking_savannah hacking_sa...
Date: Thu, 28 Oct 2004 17:37:39 -0400

CVSROOT:        /cvsroot/administration
Module name:    administration
Changes by:     Sylvain Beucler <address@hidden>        04/10/28 21:31:58

Modified files:
        docs/hacking_savannah: hacking_savannah.texi 

Log message:
        added section about generating Apache SSL certificates


Index: administration/docs/hacking_savannah/hacking_savannah.texi
diff -u administration/docs/hacking_savannah/hacking_savannah.texi:1.60 
--- administration/docs/hacking_savannah/hacking_savannah.texi:1.60     Wed Oct 
27 00:04:54 2004
+++ administration/docs/hacking_savannah/hacking_savannah.texi  Thu Oct 28 
21:31:58 2004
@@ -1,5 +1,5 @@
 \input texinfo   @c -*-texinfo-*-
address@hidden $Id: hacking_savannah.texi,v 1.60 2004/10/27 00:04:54 Beuc Exp $
address@hidden $Id: hacking_savannah.texi,v 1.61 2004/10/28 21:31:58 Beuc Exp $
 @comment %**start of header
 @include version.texi
@@ -481,7 +481,70 @@
 @end itemize
-At Savannah, we [to be continued]
+At Savannah, we use a root (or auto-signed) certificate to sign all
+our certificate. I noticed that Gna! uses one autosigned certificate
+per website.
+Here is how to generate some new keys. We will use the default
address@hidden/etc/ssl/openssl.cnf} configuration file, that wants to use a
address@hidden/} directory as a repository.
+# Create the directory structure
+$ mkdir demoCA
+$ cd demoCA
+$ mkdir newcerts
+$ mkdir private
+$ echo "01" > serial
+# Create the root certificate
+$ cd ..
+$ openssl req -new -x509 -keyout demoCA/private/cakey.pem \
+  -out demoCA/cacert.pem
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:MA
+Locality Name (eg, city) []:Boston
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
+Organizational Unit Name (eg, section) []:Certificate Authority
+Common Name (eg, YOUR name) []:FSF
+Email Address []
+# Generate certificate
+$ openssl req -new -keyout savannah_gnu_pass.key -out savannah_gnu.csr
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:MA
+Locality Name (eg, city) []:Boston
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:FSF
+Organizational Unit Name (eg, section) []:Webserver Team
+Common Name (eg, YOUR name) []
+Email Address []
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+$ openssl ca -in savannah_gnu.csr -out savannah_gnu.crt
+# Generate certificate - same as savannah_gnu, but
+# with
+$ openssl req -new -keyout savannah_nongnu_pass.key -out savannah_nongnu.csr
+$ openssl ca -in savannah_nongnu.csr -out savannah_nongnu.crt
+# Create passphrase-less keys for use in Apache (no need to type the
+# passphrase on Apache startup)
+$ openssl rsq -in savannah_gnu_pass.key -out savannah_gnu.key
+$ openssl rsq -in savannah_nongnu_pass.key -out savannah_nongnu.key
+# Make sure nobody can read the private keys
+$ chmod 600 *.key demoCA/private/*
+# Time to copy everything in apache
+$ cp -a demoCA/private/cakey.pem /etc/apache/ssl.key/ca.key
+$ cp demoCA/private/cacert.pem /etc/apache/ssl.crt/ca.crt
+$ cp -a *.key /etc/apache/ssl.key
+$ cp *.crt /etc/apache/ssl.crt
address@hidden example
 Last, grab @file{/etc/apache/httpd.conf} from as well
 as included @file{} and @file{}, and
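
Review bot: the two key-stripping commands near the end of the new example call `openssl rsq`, which is not an OpenSSL subcommand; they should read `openssl rsa -in savannah_gnu_pass.key -out savannah_gnu.key` (and likewise for nongnu), otherwise the passphrase-less keys that the following `chmod` and `cp -a *.key` steps rely on are never created. In the copy step, `cp demoCA/private/cacert.pem` names a path that was never written: the root certificate was created with `-out demoCA/cacert.pem`, so that should be the source. The same step installs the CA private key as `/etc/apache/ssl.key/ca.key`; Apache needs only the per-site key and certificate (and at most the CA certificate), so I would keep `cakey.pem` off the web server, because once it is there its passphrase is the only thing between a compromise of that host and the ability to sign certificates that chain to the Savannah root. `cp -a *.key` also copies the `*_pass.key` files, which Apache does not use; naming the two passphrase-less keys explicitly would avoid that. Two smaller points: the comment "same as savannah_gnu, but # with" trails off without saying what differs, and the directory setup does not create `demoCA/index.txt`, which `openssl ca` with the default `openssl.cnf` expects as its database.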
