Difference between revisions of "SUNScholar/Secure Internet Connections/S01"
(Created page with "<center> '''Back to Secure Communications''' </center>") |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
<center> | <center> | ||
| − | '''[[SUNScholar/ | + | '''[[SUNScholar/Secure_Internet_Connections/S02|NEXT]]''' |
| + | |||
| + | '''[[SUNScholar/Secure_Internet_Connections|PREVIOUS]]''' | ||
</center> | </center> | ||
| + | ==Step 1. Create the SSL certificates== | ||
| + | Login to the server: | ||
| + | http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01 | ||
| + | Become root as follows: | ||
| + | sudo -i | ||
| + | Make the scripts folder: | ||
| + | mkdir /root/scripts | ||
| + | ===Strong Encryption (Browser support varies) - Create DSA with SHA 256 certificate request=== | ||
| + | Open the script file: | ||
| + | nano /root/scripts/make-cert-dsa | ||
| + | Then copy and paste the following into the nano editor. ''Please read the config notes below carefully.'' | ||
| + | <pre> | ||
| + | #! /bin/bash | ||
| + | |||
| + | # Check for SSL binaries | ||
| + | test -x /usr/bin/openssl || apt-get install openssl | ||
| + | |||
| + | # Setup certificate variables | ||
| + | HOST="XXXXXXXXXXXXXXX" | ||
| + | EMAIL="XXXXXXXXXXXXXX" | ||
| + | BITS="2048" | ||
| + | DAYS="365" | ||
| + | |||
| + | # Set certs path | ||
| + | CERTS="/etc/ssl/certs/" | ||
| + | |||
| + | # Define the config file to be used to create certs | ||
| + | # Fill in your own values for "ST", "L", "O" and "OU" | ||
| + | CONF="\n | ||
| + | [ req ] \n | ||
| + | default_bits = $BITS \n | ||
| + | encrypt_key = yes \n | ||
| + | distinguished_name = req_dn \n | ||
| + | x509_extensions = cert_type \n | ||
| + | prompt = no \n | ||
| + | [ req_dn ] \n | ||
| + | C=ZA \n | ||
| + | ST=WP \n | ||
| + | L=Stellenbosch \n | ||
| + | O=Universiteit Stellenbosch \n | ||
| + | OU=JS Gericke Library \n | ||
| + | CN=$HOST \n | ||
| + | emailAddress=$EMAIL \n | ||
| + | [ cert_type ] \n | ||
| + | nsCertType = server \n | ||
| + | " | ||
| + | |||
| + | echo -e $CONF > $HOST.cnf | ||
| + | sleep 3 | ||
| + | |||
| + | # Build path for certificate creation | ||
| + | CPATH="$CERTS$HOST" | ||
| + | |||
| + | # Create a new key | ||
| + | openssl dsaparam -noout -out $CPATH.key -genkey $BITS | ||
| + | |||
| + | # Create the new certificate | ||
| + | openssl req -new -sha256 -x509 -days $DAYS -nodes -config $HOST.cnf -key $CPATH.key -out $CPATH.crt | ||
| + | |||
| + | # Create a new certficate request | ||
| + | openssl req -new -sha256 -key $CPATH.key -config $HOST.cnf > $CPATH.csr | ||
| + | |||
| + | # Create a "pem" file suitable for Apache2 | ||
| + | cat $CPATH.key $CPATH.crt > $CPATH.pem | ||
| + | |||
| + | # Clean up | ||
| + | rm -f $HOST.rand | ||
| + | </pre> | ||
| + | |||
| + | ===Weak Encryption (Browser support good) - Create RSA with SHA256 certificate request=== | ||
| + | Open the script file: | ||
| + | nano /root/scripts/make-cert-rsa | ||
| + | Then copy and paste the following into the nano editor. ''Please read the config notes below carefully.'' | ||
| + | <pre> | ||
| + | #! /bin/bash | ||
| + | |||
| + | # Check for SSL binaries | ||
| + | test -x /usr/bin/openssl || apt-get install openssl | ||
| + | |||
| + | # Setup certificate variables | ||
| + | HOST="XXXXXXXXXXXXXXXX" | ||
| + | EMAIL="XXXXXXXXXXXXXXX" | ||
| + | |||
| + | # Set certs path | ||
| + | CERTS="/etc/ssl/certs/" | ||
| + | |||
| + | # Define the config file to be used to create certs | ||
| + | # Fill in your own values for "ST", "L", "O" and "OU" | ||
| + | CONF="\n | ||
| + | [ req ] \n | ||
| + | default_bits = 2048 \n | ||
| + | encrypt_key = yes \n | ||
| + | distinguished_name = req_dn \n | ||
| + | x509_extensions = cert_type \n | ||
| + | prompt = no \n | ||
| + | [ req_dn ] \n | ||
| + | C=ZA \n | ||
| + | ST=WP \n | ||
| + | L=Stellenbosch \n | ||
| + | O=Universiteit Stellenbosch \n | ||
| + | OU=JS Gericke Library \n | ||
| + | CN=$HOST \n | ||
| + | emailAddress=$EMAIL \n | ||
| + | [ cert_type ] \n | ||
| + | nsCertType = server \n | ||
| + | " | ||
| + | |||
| + | echo -e $CONF > $HOST.cnf | ||
| + | sleep 3 | ||
| + | |||
| + | # Build path for certificate creation | ||
| + | CPATH="$CERTS$HOST" | ||
| + | |||
| + | # Generate the new key and certificate | ||
| + | openssl req -new -sha256 -x509 -days 365 -nodes -config $HOST.cnf -out $CPATH.crt -keyout $CPATH.key | ||
| + | |||
| + | # Create a new certficate request | ||
| + | openssl req -new -sha256 -key $CPATH.key -config $HOST.cnf > $CPATH.csr | ||
| + | |||
| + | # Create a "pem" file suitable for Apache2 | ||
| + | cat $CPATH.key $CPATH.crt > $CPATH.pem | ||
| + | |||
| + | # Clean up | ||
| + | rm -f $HOST.rand | ||
| + | </pre> | ||
| + | |||
| + | ===NOTES: Change the following to suit your organisation:=== | ||
| + | * $HOST - This is the hostname of the server for which you are creating the SSL certificate. | ||
| + | * $EMAIL - This is the system administrator email address. | ||
| + | * C = This is the country, '''ZA''' for South Africa | ||
| + | * ST = This is the state/province, '''WP''' for Western Province | ||
| + | * L = This is the locality/town/city, '''Stellenbosch''' for us | ||
| + | * O = This is the organisation, '''Stellenbosch University''' for us | ||
| + | * OU = This is the organisational unit, '''JSG Library''' for us | ||
| + | |||
| + | ===Make the selected script executeable=== | ||
| + | Now we make the script executeable as follows: | ||
| + | chmod 0755 /root/scripts/make-cert-rsa | ||
| + | '''OR''' | ||
| + | chmod 0755 /root/scripts/make-cert-dsa | ||
| + | Then we execute the script as follows: | ||
| + | /root/scripts/make-cert-rsa | ||
| + | '''OR''' | ||
| + | /root/scripts/make-cert-dsa | ||
| + | [[Category:System Administration]] | ||
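Review bot: both scripts write the unencrypted private key (-nodes) to $CPATH.key under CERTS="/etc/ssl/certs/" and copy it again into $CPATH.pem, with no umask or chmod beforehand, so the key files take the default file mode. Set umask 077 before the key is generated, or chmod the .key and .pem to 0600 straight after they are written. The config also says encrypt_key = yes while the command line passes -nodes, which reads as contradictory; drop one of the two so the intent is clear. Separately, echo -e $CONF > $HOST.cnf expands $CONF unquoted, so the config text is word-split and exposed to globbing before it is written; quote it as "$CONF". The final rm -f $HOST.rand removes a file that nothing in either script creates.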
Latest revision as of 11:45, 28 May 2016
Step 1. Create the SSL certificates
Log in to the server:
http://wiki.lib.sun.ac.za/index.php/SUNScholar/Prepare_Ubuntu/S01
Become root as follows:
sudo -i
Make the scripts folder:
mkdir /root/scripts
Strong Encryption (Browser support varies) - Create DSA with SHA 256 certificate request
Open the script file:
nano /root/scripts/make-cert-dsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
<pre>
#!/bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Create the private key and the combined .pem readable by root only
umask 077

# Setup certificate variables
HOST="XXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXX"
BITS="2048"
DAYS="365"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = $BITS \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"

# Quote $CONF so the shell does not word-split or glob the config text
echo -e "$CONF" > "$HOST.cnf"
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Create a new key
openssl dsaparam -noout -out "$CPATH.key" -genkey "$BITS"

# Create the new certificate
openssl req -new -sha256 -x509 -days "$DAYS" -nodes -config "$HOST.cnf" -key "$CPATH.key" -out "$CPATH.crt"

# The certificate is public, so make it world-readable again
chmod 644 "$CPATH.crt"

# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"

# Create a "pem" file suitable for Apache2 (contains the private key)
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Clean up
rm -f "$HOST.rand"
</pre>
Weak Encryption (Browser support good) - Create RSA with SHA256 certificate request
Open the script file:
nano /root/scripts/make-cert-rsa
Then copy and paste the following into the nano editor. Please read the config notes below carefully.
<pre>
#!/bin/bash

# Check for SSL binaries
test -x /usr/bin/openssl || apt-get install openssl

# Create the private key and the combined .pem readable by root only
umask 077

# Setup certificate variables
HOST="XXXXXXXXXXXXXXXX"
EMAIL="XXXXXXXXXXXXXXX"

# Set certs path
CERTS="/etc/ssl/certs/"

# Define the config file to be used to create certs
# Fill in your own values for "ST", "L", "O" and "OU"
CONF="\n
[ req ] \n
default_bits = 2048 \n
encrypt_key = yes \n
distinguished_name = req_dn \n
x509_extensions = cert_type \n
prompt = no \n
[ req_dn ] \n
C=ZA \n
ST=WP \n
L=Stellenbosch \n
O=Universiteit Stellenbosch \n
OU=JS Gericke Library \n
CN=$HOST \n
emailAddress=$EMAIL \n
[ cert_type ] \n
nsCertType = server \n
"

# Quote $CONF so the shell does not word-split or glob the config text
echo -e "$CONF" > "$HOST.cnf"
sleep 3

# Build path for certificate creation
CPATH="$CERTS$HOST"

# Generate the new key and certificate
openssl req -new -sha256 -x509 -days 365 -nodes -config "$HOST.cnf" -out "$CPATH.crt" -keyout "$CPATH.key"

# The certificate is public, so make it world-readable again
chmod 644 "$CPATH.crt"

# Create a new certificate request
openssl req -new -sha256 -key "$CPATH.key" -config "$HOST.cnf" > "$CPATH.csr"

# Create a "pem" file suitable for Apache2 (contains the private key)
cat "$CPATH.key" "$CPATH.crt" > "$CPATH.pem"

# Clean up
rm -f "$HOST.rand"
</pre>
NOTES: Change the following to suit your organisation:
- $HOST - This is the hostname of the server for which you are creating the SSL certificate.
- $EMAIL - This is the system administrator email address.
- C = This is the country, ZA for South Africa
- ST = This is the state/province, WP for Western Province
- L = This is the locality/town/city, Stellenbosch for us
- O = This is the organisation, Stellenbosch University for us
- OU = This is the organisational unit, JSG Library for us
Make the selected script executable
Now we make the script executable as follows:
chmod 0755 /root/scripts/make-cert-rsa
OR
chmod 0755 /root/scripts/make-cert-dsa
Then we execute the script as follows:
/root/scripts/make-cert-rsa
OR
/root/scripts/make-cert-dsa
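Once the selected script has run, the files it wrote can be checked before they are handed to Apache. The following is an added example, not part of the original wiki page: the helper name check_cert_set and the 30-day expiry threshold are assumptions, and the only inputs are the .key, .crt, .csr and .pem files the scripts above create.

```bash
#!/bin/bash
# Added example: verify the files written by make-cert-rsa or make-cert-dsa.
# Usage: check-cert-set /etc/ssl/certs/<HOST>   (base path, no extension)

# check_cert_set is a hypothetical helper name, not part of the wiki scripts.
# The body runs in a subshell "( ... )" so its variables stay local.
check_cert_set() (
    base=$1
    rc=0

    # 1. The key, certificate and CSR must all carry the same public key.
    k=$(openssl pkey -in "$base.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$base.crt" -noout -pubkey 2>/dev/null)
    r=$(openssl req -in "$base.csr" -noout -pubkey 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ] || [ "$k" != "$r" ]; then
        echo "FAIL: key, certificate and CSR do not share one public key"
        rc=1
    fi

    # 2. The certificate must be signed with SHA-256, as -sha256 requested.
    if ! openssl x509 -in "$base.crt" -noout -text 2>/dev/null |
            grep 'Signature Algorithm' | grep -qi 'sha256'; then
        echo "FAIL: certificate signature is not SHA-256"
        rc=1
    fi

    # 3. Flag a certificate close to expiry; 30 days is an assumed threshold.
    if ! openssl x509 -in "$base.crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: certificate is missing or expires within 30 days"
        rc=1
    fi

    # 4. Files holding the private key must not be group/world accessible.
    #    Characters 5-10 of the "ls -l" mode string are the group and other bits.
    for f in "$base.key" "$base.pem"; do
        if [ "$(ls -ld "$f" 2>/dev/null | cut -c5-10)" != "------" ]; then
            echo "FAIL: $f is accessible to group or others"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ]
)

# Run the check when a base path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_cert_set "$1"
fi
```

The function prints one FAIL line per problem and returns non-zero if any check failed, so it can gate a deployment step.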