SUNScholar/Secure Internet Connections/S01

Step 1. Create the SSL certificates
Login to the server: http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01
Become root as follows: sudo -i
Make the scripts folder: mkdir /root/scripts

Strong Encryption (Browser support varies) - Create DSA with SHA-256 certificate request
Open the script file: nano /root/scripts/make-cert-dsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
#!/bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXX"
BITS="2048"
DAYS="365"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n [ req ] \n default_bits = $BITS \n encrypt_key = yes \n distinguished_name = req_dn \n x509_extensions = cert_type \n prompt = no \n [ req_dn ] \n C=ZA \n ST=WP \n L=Stellenbosch \n O=Universiteit Stellenbosch \n OU=JS Gericke Library \n CN=$HOST \n emailAddress=$EMAIL \n [ cert_type ] \n nsCertType = server \n "

# Write the config file (quoted so the \n sequences are expanded intact)
echo -e "$CONF" > "$HOST.cnf"
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Create a new key
openssl dsaparam -noout -out "$CPATH.key" -genkey "$BITS"

# Create the new certificate
openssl req -new -sha256 -x509 -days "$DAYS" -nodes -config "$HOST.cnf" -key "$CPATH.key" -out "$CPATH.crt"

# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"

# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Clean up
rm -f "$HOST.rand"

Weak Encryption (Browser support good) - Create RSA with SHA-256 certificate request
Open the script file: nano /root/scripts/make-cert-rsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
#!/bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXXX"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n [ req ] \n default_bits = 2048 \n encrypt_key = yes \n distinguished_name = req_dn \n x509_extensions = cert_type \n prompt = no \n [ req_dn ] \n C=ZA \n ST=WP \n L=Stellenbosch \n O=Universiteit Stellenbosch \n OU=JS Gericke Library \n CN=$HOST \n emailAddress=$EMAIL \n [ cert_type ] \n nsCertType = server \n "

# Write the config file (quoted so the \n sequences are expanded intact)
echo -e "$CONF" > "$HOST.cnf"
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Generate the new key and certificate
openssl req -new -sha256 -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key"

# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"

# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Clean up
rm -f "$HOST.rand"

NOTES: Change the following to suit your organisation:

 * $HOST - This is the hostname of the server for which you are creating the SSL certificate.
 * $EMAIL - This is the system administrator email address.
 * C - This is the country, ZA for South Africa.
 * ST - This is the state/province, WP for Western Province.
 * L - This is the locality/town/city, Stellenbosch for us.
 * O - This is the organisation, Stellenbosch University for us.
 * OU - This is the organisational unit, JSG Library for us.

Make the selected script executable
Now we make the script executable as follows: chmod 0755 /root/scripts/make-cert-rsa OR chmod 0755 /root/scripts/make-cert-dsa
Then we execute the script as follows: /root/scripts/make-cert-rsa OR /root/scripts/make-cert-dsa
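Before running the real script as root against /etc/ssl/certs, it is worth doing a dry run into a scratch directory and checking the output. The following is an added example, not one of the wiki's scripts: it repeats the make-cert-rsa steps with the same [ req ] config (written as a heredoc instead of echo -e), then verifies that the private key belongs to the certificate, that the CN is the intended hostname and that the signature really is SHA-256. The hostname and directory are whatever you pass in; the values used in the test are constructed.

```shell
# Write the same [ req ] config the wiki script builds with echo -e, as a
# heredoc so no escape processing is needed. $1 = host, $2 = email, $3 = file
write_req_conf() {
  cat > "$3" <<EOF
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$1
emailAddress=$2
[ cert_type ]
nsCertType = server
EOF
}

# Same openssl steps as make-cert-rsa, but into directory $1 for host $2 and
# email $3, so it can run unprivileged as a dry run before touching /etc/ssl/certs.
make_rsa_pair() {
  write_req_conf "$2" "$3" "$1/$2.cnf"
  openssl req -new -sha256 -x509 -days 365 -nodes -config "$1/$2.cnf" \
    -out "$1/$2.crt" -keyout "$1/$2.key" 2>/dev/null
  openssl req -new -sha256 -key "$1/$2.key" -config "$1/$2.cnf" -out "$1/$2.csr" 2>/dev/null
  cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# Sanity checks before handing the files to Apache: the private key belongs to
# the certificate, the CN is the intended hostname and the signature is SHA-256.
# $1 = key file, $2 = cert file, $3 = expected hostname. Returns 0 if all pass.
verify_cert_pair() {
  local key_pub crt_pub cn sig
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$3" ] || { echo "CN is '$cn', expected '$3'" >&2; return 1; }
  sig=$(openssl x509 -in "$2" -noout -text 2>/dev/null |
    sed -n '/Signature Algorithm/{p;q;}' | tr '[:upper:]' '[:lower:]')
  case "$sig" in *sha256*) return 0 ;; *) echo "unexpected signature: $sig" >&2; return 1 ;; esac
}
```

The same verify_cert_pair checks apply to the DSA variant, since openssl pkey and openssl x509 -pubkey handle both key types.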