SUNScholar/Secure Internet Connections/S01

From Libopedia

Step 1. Create the SSL certificates

Login to the server:

http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01

Become root as follows:

sudo -i

Make the scripts folder:

mkdir /root/scripts

Option A (not recommended) - Create a DSA key with a SHA-256 certificate and request. DSA is not "stronger" than RSA at the same key size: DSA certificates are poorly supported by browsers and the DSA cipher suites have been removed from modern TLS stacks, so only use this if you have a specific need for DSA.

Open the script file:

nano /root/scripts/make-cert-dsa

Then copy and paste the following into the nano editor. Please read the config notes below carefully.

#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install -y openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXX"
BITS="2048"
DAYS="365"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# (a heredoc instead of "echo -e $CONF", so nothing is word-split
# or re-escaped; encrypt_key is "no" because Apache must be able to
# read the key at boot without a passphrase)
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = $BITS
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
req_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL
[ cert_type ]
nsCertType = server
# Browsers match the hostname against the subjectAltName, not the CN
subjectAltName = DNS:$HOST
EOF

# The private key (and the pem file that contains it) must be readable by root only
umask 077

# Create a new DSA key (parameters and key in one step)
openssl dsaparam -noout -out "$CPATH.key" -genkey "$BITS"

# Create the new self-signed certificate
openssl req -new -sha256 -x509 -days "$DAYS" -config "$HOST.cnf" -key "$CPATH.key" -out "$CPATH.crt"

# Create a new certificate request (send this to a CA if you want a trusted certificate)
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" -out "$CPATH.csr"

# Create a "pem" file suitable for Apache2 (it contains the private key)
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# The certificate and the request are public
chmod 0644 "$CPATH.crt" "$CPATH.csr"

# Clean up the temporary config file
rm -f "$HOST.cnf"

Option B (recommended) - Create an RSA 2048-bit key with a SHA-256 certificate and request. This is the combination every browser supports; 2048-bit RSA is not weak, it is the minimum key size public CAs will sign today.

Open the script file:

nano /root/scripts/make-cert-rsa

Then copy and paste the following into the nano editor. Please read the config notes below carefully.

#! /bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install -y openssl

# Setup certificate variables
HOST="XXXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXXX"

# Set certs path
CERTS="/etc/ssl/certs/"

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
# (a heredoc instead of "echo -e $CONF", so nothing is word-split
# or re-escaped; encrypt_key is "no" because Apache must be able to
# read the key at boot without a passphrase)
cat > "$HOST.cnf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_type
req_extensions = cert_type
prompt = no
[ req_dn ]
C=ZA
ST=WP
L=Stellenbosch
O=Universiteit Stellenbosch
OU=JS Gericke Library
CN=$HOST
emailAddress=$EMAIL
[ cert_type ]
nsCertType = server
# Browsers match the hostname against the subjectAltName, not the CN
subjectAltName = DNS:$HOST
EOF

# The private key (and the pem file that contains it) must be readable by root only
umask 077

# Generate the new key and self-signed certificate in one step
openssl req -new -sha256 -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key"

# Create a new certificate request (send this to a CA if you want a trusted certificate)
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" -out "$CPATH.csr"

# Create a "pem" file suitable for Apache2 (it contains the private key)
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# The certificate and the request are public
chmod 0644 "$CPATH.crt" "$CPATH.csr"

# Clean up the temporary config file
rm -f "$HOST.cnf"

NOTES: Change the following to suit your organisation:

  • $HOST - This is the fully qualified hostname of the server for which you are creating the SSL certificate, exactly as users will type it into the browser; if it does not match, the browser will warn.
  • $EMAIL - This is the system administrator email address.
  • C = This is the country, ZA for South Africa
  • ST = This is the state/province, WP for Western Province
  • L = This is the locality/town/city, Stellenbosch for us
  • O = This is the organisation, Stellenbosch University for us
  • OU = This is the organisational unit, JSG Library for us

Make the selected script executable

Now we make the script executable as follows:

chmod 0755 /root/scripts/make-cert-rsa

OR

chmod 0755 /root/scripts/make-cert-dsa

Then we execute the script as follows (run only one of the two: both write to the same /etc/ssl/certs/$HOST.* files, so the second run would overwrite the first):

/root/scripts/make-cert-rsa

OR

/root/scripts/make-cert-dsa
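After running either script it is worth checking that what landed in /etc/ssl/certs actually belongs together. The following is an added example, not one of the SUNScholar make-cert scripts: it builds a certificate, request and key the same way (RSA or DSA, heredoc config, subjectAltName, root-only key) into a directory of your choice, then verifies that the key is mode 600, that the certificate and CSR carry the public half of that key, that the SAN names the host, and that the signature is SHA-256. The hostname scholar.example.org, the scratch directory and the webmaster@ address are assumed values.

```shell
#!/bin/bash
# Added example, not the SUNScholar make-cert scripts. Generates a server
# certificate the way those scripts do (self-signed cert + CSR from one key)
# and then checks the result. Hostname, directory and e-mail are assumed.
set -u

# make_server_cert DIR HOST [rsa|dsa]
# Writes HOST.key (mode 600), HOST.crt, HOST.csr and HOST.pem into DIR.
make_server_cert() {
    local dir="$1" host="$2" algo="${3:-rsa}" bits=2048 days=365 cnf key crt csr
    cnf="$dir/$host.cnf"; key="$dir/$host.key"; crt="$dir/$host.crt"; csr="$dir/$host.csr"
    mkdir -p "$dir"
    # Heredoc instead of "echo -e $CONF": no word splitting, no escape surprises.
    cat > "$cnf" <<EOF
[ req ]
default_bits       = $bits
encrypt_key        = no
distinguished_name = req_dn
x509_extensions    = cert_type
req_extensions     = cert_type
prompt             = no
[ req_dn ]
C            = ZA
ST           = WP
L            = Stellenbosch
O            = Universiteit Stellenbosch
OU           = JS Gericke Library
CN           = $host
emailAddress = webmaster@$host
[ cert_type ]
nsCertType     = server
subjectAltName = DNS:$host
EOF
    # The private key is created under umask 077 so it is never group/world readable.
    ( umask 077
      case "$algo" in
          rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$bits -out "$key" 2>/dev/null ;;
          dsa) openssl dsaparam -noout -genkey -out "$key" "$bits" 2>/dev/null ;;
          *)   echo "unknown algorithm: $algo" >&2; exit 1 ;;
      esac ) || return 1
    openssl req -new -sha256 -x509 -days "$days" -config "$cnf" -key "$key" -out "$crt" 2>/dev/null || return 1
    openssl req -new -sha256 -config "$cnf" -key "$key" -out "$csr" 2>/dev/null || return 1
    # The pem file holds the key as well, so it gets the same protection.
    ( umask 077; cat "$key" "$crt" > "$dir/$host.pem" )
}

# verify_server_cert DIR HOST
# Prints one FAIL line per problem and returns non-zero if anything is wrong.
verify_server_cert() {
    local dir="$1" host="$2" rc=0 key crt csr mode kpub cpub rpub
    key="$dir/$host.key"; crt="$dir/$host.crt"; csr="$dir/$host.csr"
    # 1. private key mode is 600 (GNU stat, with BSD stat as fallback)
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    [ "$mode" = "600" ] || { echo "FAIL: $key mode is '$mode', want 600"; rc=1; }
    # 2. certificate and CSR carry the public half of this key
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    rpub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } || { echo "FAIL: certificate public key does not match $key"; rc=1; }
    { [ -n "$kpub" ] && [ "$kpub" = "$rpub" ]; } || { echo "FAIL: CSR public key does not match $key"; rc=1; }
    # 3. the SAN names the host (browsers match the SAN, not the CN)
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$host" \
        || { echo "FAIL: certificate has no subjectAltName DNS:$host"; rc=1; }
    # 4. signed with SHA-256, not SHA-1
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'Signature Algorithm: .*sha256' \
        || { echo "FAIL: certificate is not signed with SHA-256"; rc=1; }
    return $rc
}

# Demo: bash make-and-check-cert --demo   (writes into a fresh mktemp directory)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_server_cert "$d" scholar.example.org rsa \
        && verify_server_cert "$d" scholar.example.org \
        && echo "OK: key, certificate and CSR in $d agree"
fi
```

To check certificates produced by the page's own scripts, point verify_server_cert at /etc/ssl/certs with the same $HOST you used there; a FAIL on the mode check means the private key is readable by every local user and should be chmod 0600 before Apache goes live.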