SSL Client Certificate Creation
From Antiflux Wiki
Current revision
To obtain a client certificate signed by the Antiflux CA:

- Create a directory in which to store your key and certificate:
  mkdir $HOME/.ssl ; cd $HOME/.ssl
- Generate a key (where user is your username):
  openssl genrsa -out $HOME/.ssl/user.key 1024
- Ensure the key is not readable by other users:
  chmod 0600 $HOME/.ssl/user.key
- Generate a certificate signing request (CSR):
  openssl req -new -key $HOME/.ssl/user.key -out $HOME/.ssl/user.csr
- E-mail the CSR (NOT the key) to root:
  mail root@antiflux.org < $HOME/.ssl/user.csr
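As an added example (not part of the Antiflux wiki page), the user-side steps above as a script that also checks, before anything is mailed, that the key is mode 0600, that the CSR is well-formed and actually belongs to that key, and that the file being sent contains no private key. It uses a 2048-bit key rather than the page's 1024 bits, since 1024-bit RSA is no longer considered adequate; openssl(1) is assumed to be installed, and make_client_csr and check_csr are names chosen here.

```shell
#!/bin/sh
# Added example (not from the wiki): the user-side steps above, plus checks
# that run before the CSR is mailed. Assumes openssl(1) is installed;
# make_client_csr and check_csr are names chosen here.
set -eu

# Generate the key and CSR in DIR for USER with subject SUBJ (e.g. "/CN=user").
make_client_csr() {
    dir=$1; user=$2; subj=$3
    mkdir -p "$dir"
    # 2048 bits rather than the page's 1024: 1024-bit RSA is no longer adequate.
    # umask 077 keeps the key private from the moment it is written.
    ( umask 077; openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null )
    chmod 0600 "$dir/$user.key"
    openssl req -new -batch -key "$dir/$user.key" -subj "$subj" \
        -out "$dir/$user.csr" 2>/dev/null
}

# Return 0 only if CSR is safe to mail to root; otherwise say why and return 1.
check_csr() {
    key=$1; csr=$2
    # (a) the key must be mode 0600 (find -perm is portable across GNU and BSD)
    if [ -z "$(find "$key" -perm 0600 2>/dev/null)" ]; then
        echo "refusing: $key is not mode 0600"; return 1
    fi
    # (b) the CSR must parse and carry a valid self-signature
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "refusing: $csr is not a valid CSR"; return 1
    fi
    # (c) the CSR's public key must be the one derived from this private key
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$csr_pub" != "$key_pub" ]; then
        echo "refusing: $csr was not generated from $key"; return 1
    fi
    # (d) the file being mailed must not contain a private key block
    if grep -q "PRIVATE KEY" "$csr"; then
        echo "refusing: $csr contains a private key; mail only the CSR"; return 1
    fi
    return 0
}

# Run as: sh this.sh DIR USER "/CN=USER"; nothing runs when no arguments are given.
if [ $# -eq 3 ]; then
    make_client_csr "$1" "$2" "$3"
    check_csr "$1/$2.key" "$1/$2.csr" && echo "CSR ok, mail $1/$2.csr to root"
fi
```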
The following steps are for administrators only:

- Export the CSR to a file called user.csr in /etc/ssl/antiflux
- Sign the CSR:
  cd /etc/ssl/antiflux ; make sign
- Move the certificate to the client certificates directory:
  mv /etc/ssl/antiflux/user.cert /etc/ssl/private/user.crt
- Create a PKCS#12 file:
  cd /etc/ssl/client ; openssl pkcs12 -export -clcerts -in user.crt -inkey user.key -out user.p12
- Send the certificate and PKCS#12 files to the user.

The PKCS#12 file (user.p12) can then be imported into most browsers and IMAP clients. The key (user.key) and certificate (user.crt) should be stored in the user's home directory ($HOME/.ssl, for example). The certificate file can be world readable, but the key should only be readable by the user.

Note: "make sign" will delete the CSR, so make a copy ahead of time if you're going to want it later.
