Version 0.05 Thu Apr 8 13:41:12 CEST 1999

BETA!! just to share some ideas...

REQUIRES:
----------
 - Shell: bash
 - standard tools: rm, cp, date, touch, basename, dirname, chmod, test, cat
 - gnu make
 - perl (for cgi)

INSTALL:
----------
Please edit ca.config.sh and template.cnf (and Makefile.tmpl if desired)
for your requirements. Then remove the last line from ca.config.sh.

Then run "install.sh". This script creates the directories, the Makefile
and the OpenSSL configuration. The paths and filenames are taken from
ca.config.sh. If you specify different paths, it's possible to serve
several independent CAs on one host.

Then create a CRL with 'make crl'. (touch index.txt to force a rebuild)

Be careful with things like 'make CA-WIPEOUT'. The Makefile isn't asking
you or so - it just removes the files!

All the work is done by a (gnu) Makefile. Try 'make help'.

Important is 'make newCA' - this creates a self-signed, ready-to-use
CA certificate (if you mistyped during the procedure, just press
Interrupt and start again. "make" knows about "dependencies", and you
can go on at the step it failed).

Then you can do 'make server.key' to generate an RSA key. Create a CSR
with 'make server.csr', and sign it with 'make server.crt'. (or better
do 'make certs/server.key' and so on ;) )

In "cgi/" there are scripts for use with apache/mod_ssl:

  cert-db.cgi:        displays index.txt as formatted HTML text in order
                      of hierarchy (not sorted by SN) to show a simple tree
  check-rev.cgi:      parses index.txt to allow Netscape Navigator to
                      verify a certificate. It must be called as
                      ".../check-rev.cgi?serial".
  ssl_cgi_config.pl:  paths and so on for the scripts
  ssl_auto_*.cgi:     used to display different backgrounds in http or
                      https mode. If you have "symmetric" ssl / non-ssl
                      URLs, you can generalize most pages.

Little Sample Session
---------------------
Assume we'd like to set up our own root CA and generate an SSL server
certificate:

After extracting the tgz it's necessary to adapt ca.config.sh. At least
the following variables should be changed:

  SSL="/usr/local/bin/openssl"
  CANAME="Test"
  #CA directory:
  CA="/home/steffen/work/${CANAME}-CA"

Edit template.cnf, especially the section

  [ req_distinguished_name ]

(at least you'll have to change the country name if it's not "DE" :))

Then start ./install.sh. You'll be prompted for a passphrase that
protects your CA secret key. Remember that carefully :) The script needs
that key for the first certificate, so you'll have to enter the
passphrase again. Then you'll be asked about the DN of that CA
certificate. For some reason, this certificate is used to generate a
self-signed root certificate (this step is not necessary it seems, but
this installer is a very old one :)). So you need to repeat the same DN
information and of course the passphrase.

The resulting certificate is converted to DER and PEM/TXT format (you
will possibly need them later, i.e. if you want to install it into
Netscape. Then download the DER file with the right mimetype for a CA
cert [see the technical knowledge base for more infos]).

Now we can generate an SSL server key:

  # make certs/server.key        (new passphrase required)

Optionally you may generate a clear-text key for use with mod_ssl or
similar without being prompted for a passphrase during bootup. Take
care, nobody else may be able to get that file!!

  # make certs/server.rsa        (same passphrase required)

Then it's necessary to generate a certificate signing request containing
the DN describing your server. The CN (common name) should be the
hostname of the server. Use the following command:

  # make certs/server.csr        (same passphrase required)

That CSR can be used to obtain a Thawte certificate. But for now we sign
it with our own CA:

  # make certs/server.crt        (CA passphrase required)

Now you'll find in certs:

  a *.key  (encrypted [protected] key)
  a *.rsa  (cleartext [unprotected] key)
  a *.csr  (Certificate Signing Request, needed to generate more
            certificates (i.e. renew certs))
  a *.crt  (an X.509 certificate)

If you plan to use your CA later, first play around with another playCA
(or generate a "real" CA later). You'll have to do more jobs, but this
is not in the scope of this README. Just the first hint: generate a CRL
(certificate revocation list) which is still empty:

  # make crl

Maybe a

  # make help

helps you a little, maybe not :)

Other useful make targets: make server.revoked (revoke that
certificate, after that do a make crl and put that new CRL on the
WWW server), make user.client (makes a user certificate).

Please note, all of it is some old beta stuff which is not in active
development due to lack of time. I think there are other and better
solutions...

oki, steffen@dett.de
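Added example, not part of the original toolkit: a small POSIX shell script that covers two checks an operator of this CA wants after the steps above. It reads an index.txt in the format "openssl ca" writes (the database that "make crl" and "make server.revoked" maintain) and reports the status of one serial, which is the question check-rev.cgi answers for Netscape; it lists the serials a fresh "make crl" would include; and it verifies that a cleartext key such as certs/server.rsa is not readable by group or others. The sample index.txt rows, the dates and host names in them, and the function names are all constructed for this example.

```sh
#!/bin/sh
# ca-check.sh -- added example, not part of the original CA toolkit.
# Uses only POSIX sh, awk, ls, cut, tr and sed.

# Constructed sample of an "openssl ca" index.txt. Fields are TAB
# separated: status (V=valid, R=revoked, E=expired), expiry
# (YYMMDDHHMMSSZ), revocation date[,reason] (empty unless R),
# serial (hex), certificate filename, subject DN.
write_sample_index() {
  printf 'V\t000408124112Z\t\t01\tunknown\t/C=DE/O=Test/CN=Test CA\n' > "$1"
  printf 'V\t000408125000Z\t\t02\tunknown\t/C=DE/O=Test/CN=www.example.test\n' >> "$1"
  printf 'R\t000408130000Z\t990408140000Z,keyCompromise\t03\tunknown\t/C=DE/O=Test/CN=old.example.test\n' >> "$1"
  printf 'E\t990101000000Z\t\t04\tunknown\t/C=DE/O=Test/CN=expired.example.test\n' >> "$1"
}

# cert_status INDEX SERIAL
# Prints: valid | revoked <date[,reason]> | expired | not-found
# The serial comparison is case-insensitive and ignores leading zeros,
# so "3" and "03" both match the row for serial 03.
cert_status() {
  index=$1
  want=$(printf '%s' "$2" | tr 'a-f' 'A-F' | sed 's/^0*//')
  awk -F'\t' -v want="$want" '
    {
      s = toupper($4); sub(/^0+/, "", s)
      if (s != want) next
      if ($1 == "V")      print "valid"
      else if ($1 == "R") print "revoked " $3
      else if ($1 == "E") print "expired"
      else                print "unknown-status " $1
      found = 1; exit
    }
    END { if (!found) print "not-found" }' "$index"
}

# revoked_serials INDEX
# Prints the serials with status R, one per line: these are the entries
# a freshly generated CRL would carry.
revoked_serials() {
  awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

# key_is_private FILE
# Succeeds only if FILE is a regular file with no group/other permission
# bits (e.g. mode 0600 or 0400). Characters 5-10 of "ls -l" output are
# the group and other rwx fields.
key_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Stand-alone demonstration on the constructed data.
demo() {
  tmp=$(mktemp) || exit 1
  write_sample_index "$tmp"
  for s in 02 03 04 99; do
    printf 'serial %s: %s\n' "$s" "$(cert_status "$tmp" "$s")"
  done
  printf 'serials a fresh CRL would list: %s\n' "$(revoked_serials "$tmp" | tr '\n' ' ')"
  chmod 644 "$tmp"
  if key_is_private "$tmp"; then echo "mode 0644: private"; else echo "mode 0644: NOT private"; fi
  chmod 600 "$tmp"
  if key_is_private "$tmp"; then echo "mode 0600: private"; else echo "mode 0600: NOT private"; fi
  rm -f "$tmp"
}
demo
```

To use it against a real installation, point cert_status and revoked_serials at the index.txt in the CA directory from ca.config.sh and key_is_private at certs/server.rsa; a key that fails the permission check should be fixed with chmod 600 before mod_ssl is started with it.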