Changes

2,501 bytes added, 07:55, 22 November 2017
no edit summary
Line 85: Line 85:  
TODO: gunicorn: Poner aqui init.d script<br />
 
TODO: gunicorn: Poner aqui init.d script<br />
 
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
 
TODO: Django: http://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
 +
 +
= Self Signed option 1 =
 +
<source lang="bash">#!/bin/bash
 +
# TODO: key name as parameter
 +
#KEY_NAME=
 +
 +
VALID_DAYS=3650
 +
die () {
 +
    echo >&2 "$@"
 +
    exit 1
 +
}
 +
 +
[ "$#" -eq 1 ] || die "1 argument required (filename), $# provided"
 +
KEY_NAME=$1
 +
 +
##################  Generate key  ############################################
 +
openssl genrsa -aes256 -out ${KEY_NAME}.key 4096
 +
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
 +
 +
#################  Remove password from key  #################################
 +
cp ${KEY_NAME}.key ${KEY_NAME}.key.secure
 +
openssl rsa -in ${KEY_NAME}.key.secure -out ${KEY_NAME}.key
 +
 +
#################  Generate CSR (Certificate Signing Request)  ###############
 +
openssl req -new -key ${KEY_NAME}.key -out ${KEY_NAME}.csr
 +
 +
#################  Generate Self-Signed Certificate  #########################
 +
openssl x509 -req -days ${VALID_DAYS} -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt</source>
 +
 +
= Self Signed Option 2 =
 +
<source lang="markup">1. Copy your openssl.cnf.
 +
 +
  ```
 +
  cp /etc/pki/tls/openssl.cnf ./
 +
  ```
 +
 +
2. Modify the configuration file template at ./openssl.cnf and make the following changes:
 +
  - In section [req]
 +
 
 +
  ```
 +
  req_extensions = v3_req # The extensions to add to a certificate request
 +
  ```
 +
 
 +
- Insection [v3_req]
 +
 +
```
 +
subjectAltName = @alt_names
 +
```
 +
- At the end of the configuraiton file
 +
 +
  ```
 +
[ alt_names ]
 +
  DNS.1 = hostname.example.com
 +
  ```
 +
 +
3. Generate your certificate key
 +
 +
  ```
 +
  openssl genrsa -out hostname.example.com.key 2048
 +
  ```
 +
 +
4. Use the certificate key and the new openssl.cnf file to create a Certificate Signing Request (CSR):
 +
 
 +
  ```
 +
  openssl req -new -key hostname.example.com.key -out hostname.example.com.csr -extensions v3_req -config openssl.cnf
 +
  ```
 +
 
 +
5. You may either use the generated CSR to obtain a signed certificate from a recognized Certificate Authority (CA). Or, for testing purposes, you may use this to generate a self-signed certificate as follows:
 +
  - Create a new configuration file, v3.cnf, that can host the information for the v3 requirements. Edit it to contain the following lines:
 +
 +
  ```
 +
  [v3_req]
 +
  subjectAltName = @alt_names
 +
  [alt_names]
 +
  DNS.1 = hostname.example.com
 +
  ```
 +
 
 +
  - Run the following OpenSSL command to generate a self-signed certificate using the CSR and your local key:
 +
 +
  ```
 +
  openssl x509 -req -days 365 -in hostname.example.com.csr -signkey hostname.example.com.key -out hostname.example.com.crt -extensions v3_req -extfile v3.cnf
 +
  ```</source>
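
Review bot: In the Option 1 script the `cp ${KEY_NAME}.key ${KEY_NAME}.key.secure` line appears twice, once under "Generate key" and again under "Remove password from key"; one copy is enough. After the `openssl rsa -in ${KEY_NAME}.key.secure -out ${KEY_NAME}.key` step the `.key` file holds the private key with no passphrase, and the script neither sets a umask nor runs chmod on either key file, so add an explicit `chmod 600` (or `umask 077` at the top) rather than relying on defaults. The `${KEY_NAME}` expansions are unquoted, so a filename with spaces will split. The Option 1 certificate carries no subjectAltName while Option 2 adds one, and the two options differ on key size (4096 vs 2048) and validity (3650 vs 365 days) without saying which to prefer. In Option 2 the Markdown fences sit inside `<source lang="markup">` and will be shown as literal backticks, and "Insection" and "configuraiton" are typos.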
