Evan at 21:38, 15 May 2006

Evan — Mon, 15 May 2006 21:38:40 GMT

←Older revision		Revision as of 21:38, 15 May 2006
Line 1:		Line 1:
-	To ~~generate~~ a client certificate ~~for "user"~~ signed ~~with our~~ CA ~~key~~:	+	To obtain a client certificate signed by the Antiflux CA:

	<ol>		<ol>
-	<li>~~Generate~~ a key:	+	<li>Create a directory in which to store your key and certificate:
-	<p><code>~~openssl genrsa -out /etc~~/ssl/~~client/user~~.~~key 1024~~</code></p>	+	<p><code>mkdir $HOME/.ssl ; cd $HOME/.ssl</code></p>
	</li>		</li>
		+
		+	<li>Generate a key (where user is your username):
		+	<p><code>openssl genrsa -out $HOME/.ssl/user.key 1024</code></p>
		+	</li>
		+
		+	<li>Ensure the key is not readable by other users:
		+	<p><code>chmod 0600 $HOME/.ssl/user.key</code></p>
		+	</li>
		+
	<li>Generate a certificate signing request (CSR):		<li>Generate a certificate signing request (CSR):
-	<p><code>openssl req -new -key /~~etc/~~ssl~~/client~~/user.key -out /~~etc/~~ssl~~/antiflux~~/user.csr</code></p>	+	<p><code>openssl req -new -key $HOME/.ssl/user.key -out $HOME/.ssl/user.csr</code></p>
	</li>		</li>
		+
		+	<li>E-mail the CSR ('''NOT''' the key) to root:
		+	<p><code>mail root@antiflux.org < $HOME/.ssl/user.csr</code></p>
		+	</li>
		+
		+	</ol>
		+
		+	The following steps are for administrators only:
		+
		+	<ol>
		+	<li>Export the CSR to a file called user.csr in /etc/ssl/antiflux</li>

	<li>Sign the CSR:		<li>Sign the CSR:
Line 20:		Line 40:
	<p><code>cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12</code></p>		<p><code>cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12</code></p>
	</li>		</li>
		+
		+	<li>Send the certificate and PKCS#12 files to the user.</li>

	</ol>		</ol>

-	The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) ~~can~~ be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.	+	The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) should be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.

	Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.		Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.

Evan at 21:11, 15 May 2006

Evan — Mon, 15 May 2006 21:11:55 GMT

New page

To generate a client certificate for "user" signed with our CA key:

<ol>
<li>Generate a key:
<code>openssl genrsa -out /etc/ssl/client/user.key 1024</code>
</li>
<li>Generate a certificate signing request (CSR):
<code>openssl req -new -key /etc/ssl/client/user.key -out /etc/ssl/antiflux/user.csr</code>
</li>

<li>Sign the CSR:
<code>cd /etc/ssl/antiflux ; make sign</code>
</li>

<li>Move the certificate to the client certificates directory:
<code>mv /etc/ssl/antiflux/user.cert /etc/ssl/private/user.crt</code>
</li>

<li>Create a PKCS#12 file:
<code>cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12</code>
</li>

</ol>

The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) can be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only readable by the user.

Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.

SSL Client Certificate Creation - Revision history

Evan at 21:38, 15 May 2006

Evan at 21:11, 15 May 2006