|Email article link|
Apache Recipe of the Day
The following recipe is from Apache Cookbook, by Ken Coar and Rich Bowen. All links in this recipe point to the online version of the book on the Safari Bookshelf.
7.3. Generating a Trusted CA
Issue the following commands:
% CA.pl -newca % CA.pl -newreq % CA.pl -signreq % CA.pl -pkcs12
Recipe 7.2 discusses the lengthy steps that are required to create keys and sign them. Fortunately, OpenSSL comes with a script to automate much of this process, so that you don't have to remember all of those arguments. This script, called CA.pl, is located where your SSL libraries are installed, for example, /usr/share/ssl/misc/CA.pl.
The lines in the Solution hide a certain amount of detail, as you will be asked a number of questions in the process of creating the key and the certificate. Note also that you will probably need to be in the directory where this script lives to get successful results from this recipe.
If you want to omit the passphrase on the certificate so that you don't have to provide the passphrase each time you start up the server, use -newreq-nodes rather than -newreq when generating the certificate request.
After running this sequence of commands, you can generate more certificates by repeating the -newreq and -signreq commands.
Having run these commands, you will have generated a number of files. The file newcert.pem is the file you specify in your SSLCertificateFile directive, the file newreq.pem is your SSLCertificateKeyFile, and the file demoCA/cacert.pem is the CA certificate file, which will need to be imported into your users' browsers (for some browsers) so that they can automatically trust certificates signed by this CA. And, finally, newcert.p12 serves the same purpose as demoCA/cacert.pem for certain other browsers.
Importing the CA
If your users are using Internet Explorer, you need to create a special file for them to import. Use the following command:
openssl X509 -demoCA/cacert.pem -out cacert.crt -outform DER
Then you can send them the cacert.crt file.
Clicking on that file will launch the SSL certificate wizard and guide the user through installing the CA certificate into their browser.
Other browsers, such as Mozilla, expect to directly import the cacert.pem file. Users will navigate through their menus (Edit xxxrarrxxx Preferences xxxrarrxxx Privacy and Security xxxrarrxxx Certificates), then click on Manage Certificates, then on the Authorities tab, and finally on Import, to select the certificate file.
. See Also
The manpage for the CA.pl script
CA.pl documentation at http://www.openssl.org/docs/apps/CA.pl.html