SUNScholar/Secure Internet Connections/S01
Step 1. Create the SSL certificates
Log in to the server:
http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01
Become root as follows:
sudo -i
Make the scripts folder:
mkdir /root/scripts
Strong Encryption (Browser support varies) - Create DSA with SHA256 certificate request
Open the script file:
nano /root/scripts/make-cert-dsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
#! /bin/bash
# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl
# Setup certificate variables
HOST="XXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXX"
BITS="2048"
DAYS="365"
# Set certs path
CERTS="/etc/ssl/certs/"
# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = $BITS \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"
# $CONF is left unquoted on purpose: the shell collapses the line breaks above
# and "echo -e" turns each \n into the real newline of the config file
echo -e $CONF > "$HOST.cnf"
sleep 3
# Build path for certificate creation
CPATH="$CERTS$HOST"
# Create a new key
openssl dsaparam -noout -out "$CPATH.key" -genkey "$BITS"
# Create the new certificate
openssl req -new -sha256 -x509 -days "$DAYS" -nodes -config "$HOST.cnf" -key "$CPATH.key" -out "$CPATH.crt"
# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"
# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"
# Clean up
rm -f "$HOST.rand"
Weak Encryption (Browser support good) - Create RSA with SHA256 certificate request
Open the script file:
nano /root/scripts/make-cert-rsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
#! /bin/bash
# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl
# Setup certificate variables
HOST="XXXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXXX"
# Set certs path
CERTS="/etc/ssl/certs/"
# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = 2048 \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"
# $CONF is left unquoted on purpose: the shell collapses the line breaks above
# and "echo -e" turns each \n into the real newline of the config file
echo -e $CONF > "$HOST.cnf"
sleep 3
# Build path for certificate creation
CPATH="$CERTS$HOST"
# Generate the new key and certificate
openssl req -new -sha256 -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key"
# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"
# Create a "pem" file suitable for Apache2
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"
# Clean up
rm -f "$HOST.rand"
NOTES: Change the following to suit your organisation:
- $HOST - This is the hostname of the server for which you are creating the SSL certificate.
- $EMAIL - This is the system administrator email address.
- C = This is the country, ZA for South Africa
- ST = This is the state/province, WP for Western Province
- L = This is the locality/town/city, Stellenbosch for us
- O = This is the organisation, Stellenbosch University for us
- OU = This is the organisational unit, JSG Library for us
Make the selected script executable
Now we make the script executable as follows:
chmod 0755 /root/scripts/make-cert-rsa
OR
chmod 0755 /root/scripts/make-cert-dsa
Then we execute the script as follows:
/root/scripts/make-cert-rsa
OR
/root/scripts/make-cert-dsa
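After either script has run, the check below (an added example, not part of the original wiki page) confirms that the .crt and .csr carry the same public key as the .key, that the certificate is signed with SHA256, and that the .key and .pem files, which both hold the private key, are not readable by group or others. The function names are hypothetical; the example assumes GNU stat as shipped with Ubuntu and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks for the files that make-cert-rsa / make-cert-dsa
# write as $CPATH.key, $CPATH.crt, $CPATH.csr and $CPATH.pem.
# Assumes GNU stat (as shipped with Ubuntu) and the openssl command-line tool.

# Succeeds only if FILE grants no permissions to group or others.
key_mode_ok() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Prints the public key (PEM) held in a key, certificate or request file.
pubkey_of() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
    esac
}

# Runs every check against one certificate set; returns the number of failures.
check_cert_set() {
    cpath=$1
    fails=0
    for f in "$cpath.key" "$cpath.pem"; do
        if ! key_mode_ok "$f"; then
            echo "FAIL: $f holds the private key but is readable by group/others"
            fails=$((fails + 1))
        fi
    done
    want=$(pubkey_of key "$cpath.key")
    for kind in crt csr; do
        if [ -z "$want" ] || [ "$(pubkey_of "$kind" "$cpath.$kind")" != "$want" ]; then
            echo "FAIL: $cpath.$kind does not match $cpath.key"
            fails=$((fails + 1))
        fi
    done
    if ! openssl x509 -in "$cpath.crt" -noout -text |
            grep -qi 'Signature Algorithm: .*sha256'; then
        echo "FAIL: $cpath.crt is not signed with SHA256"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh check-cert.sh /etc/ssl/certs/<hostname>
if [ "$#" -gt 0 ]; then check_cert_set "$1"; fi
```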