Recipe 7.3 Generating a Trusted CA

Problem

You want to generate SSL keys that browsers will accept without a warning message.

Solution

Issue the following commands:

    % CA.pl -newca
    % CA.pl -newreq
    % CA.pl -signreq
    % CA.pl -pkcs12

Discussion

Recipe 7.2 discusses the lengthy steps that are required to create keys and sign them. Fortunately, OpenSSL comes with a script to automate much of this process, so that you don't have to remember all of those arguments. This script, called CA.pl, is located where your SSL libraries are installed, for example, /usr/share/ssl/misc/CA.pl.

The lines in the Solution hide a certain amount of detail, as you will be asked a number of questions in the process of creating the key and the certificate. Note also that you will probably need to be in the directory where this script lives to get successful results from this recipe.

If you want to omit the passphrase on the certificate so that you don't have to provide the passphrase each time you start up the server, use -newreq-nodes rather than -newreq when generating the certificate request.

After running this sequence of commands, you can generate more certificates by repeating the -newreq and -signreq commands.

Having run these commands, you will have generated a number of files. The file newcert.pem is the file you specify in your SSLCertificateFile directive, the file newreq.pem is your SSLCertificateKeyFile, and the file demoCA/cacert.pem is the CA certificate file, which will need to be imported into your users' browsers (for some browsers) so that they can automatically trust certificates signed by this CA. And, finally, newcert.p12 serves the same purpose as demoCA/cacert.pem for certain other browsers.

Importing the CA

If your users are using Internet Explorer, you need to create a special file for them to import. Use the following command to convert the CA certificate from PEM to DER format:

    openssl x509 -in demoCA/cacert.pem -out cacert.crt -outform DER

Then you can send them the cacert.crt file. Clicking on that file will launch the SSL certificate wizard and guide the user through installing the CA certificate into their browser.

Other browsers, such as Mozilla, expect to directly import the cacert.pem file. Users will navigate through their menus (Edit → Preferences → Privacy and Security → Certificates), then click on Manage Certificates, then on the Authorities tab, and finally on Import, to select the certificate file.

After importing a CA certificate, all certificates signed by that CA should be usable in your browser without receiving any kind of warning.

See Also
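The following script is an added example, not part of the Apache Cookbook recipe or of OpenSSL's CA.pl. It performs the same CA, request, sign and export sequence with plain openssl commands so that every step CA.pl hides is visible and non-interactive, then checks the two things a browser will care about: that the server certificate chains to the CA once the CA is trusted, and that it does not verify before the CA is imported. The working directory, the file names and the subject names (Example Private CA, www.example.com) are constructed for this example; it assumes openssl 1.1.0 or later is on the PATH.

```shell
#!/bin/sh
# Added example: the CA.pl steps from the recipe done with raw openssl calls.
# WORK, the subject DNs and the file names below are constructed for this
# example; openssl must be on the PATH.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA.pl -newca): a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2 (CA.pl -newreq-nodes): a server key without passphrase and a CSR.
make_req() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 3 (CA.pl -signreq): sign the request with the CA key.
sign_req() {
    openssl x509 -req -in "$WORK/newreq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -days 365 -out "$WORK/newcert.pem" 2>/dev/null
}

# Step 4 (the recipe's Internet Explorer export): CA certificate as DER.
export_der() {
    openssl x509 -in "$WORK/cacert.pem" -out "$WORK/cacert.crt" -outform DER
}

# With the CA trusted, the server certificate verifies: no browser warning.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Without the CA as a trust anchor, the same certificate must fail to verify;
# this is the state that produces the warning the recipe is trying to avoid.
verify_without_ca_fails() {
    ! openssl verify -no-CAfile -no-CApath "$WORK/newcert.pem" >/dev/null 2>&1
}

# The DER file must describe the same certificate as the PEM it came from.
der_matches_pem() {
    pem_fp=$(openssl x509 -in "$WORK/cacert.pem" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$WORK/cacert.crt" -inform DER -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

run_all() {
    make_ca && make_req && sign_req && export_der \
        && verify_chain && verify_without_ca_fails && der_matches_pem
}

# Usage: sh generate_ca.sh run
if [ "${1:-}" = "run" ]; then
    run_all && echo "ok: cacert.pem, cacert.crt, newkey.pem, newcert.pem in $WORK"
fi
```

The -subj and -nodes options are what make the script non-interactive; CA.pl asks the same questions at a prompt. The two verify calls are the check worth keeping around: run them against the files you intend to deploy, and against the DER file you distribute, before sending anything to users.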