HostedDB - Dedicated UNIX Servers

Securing-Optimizing-RH-Linux-1_2_288
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 288 # RAW DER hex encoding of an extension: beware experts only! # 1.2.3.5=RAW:02:03 # You can even override a supported extension: # basicConstraints= critical, RAW:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always  NOTE: This file “openssl.cnf” already exist on your server when you compile and install OpenSSL program and can be found under “/etc/ssl/” directory. You don’t need to change all the default options set in this file, the configurations you may usually change will be in the  [ CA_default ] and [ req_distinguished_name ] sections only. Create the “/usr/bin/sign.sh” program file The “openssl ca” commands has some strange requirements and the default OpenSSL config doesn't allow one easily to use “openssl ca'' directly. So we’ll create this “sign.sh” program to replace it. Create the sign.sh program file (touch /usr/bin/sign.sh) and add on this file: #!/bin/sh ## ##  sign.sh -- Sign a SSL Certificate Request (CSR) ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.   ## #   argument line handling CSR=$1 if [ $# -ne 1 ]; then     echo "Usage: sign.sign <whatever>.csr"; exit 1  fi if [ ! -f $CSR ]; then     echo "CSR not found: $CSR"; exit 1 fi case $CSR in    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;        * ) CERT="$CSR.crt" ;; esac #   make sure environment exists  if [ ! -d ca.db.certs ]; then     mkdir ca.db.certs  fi if [ ! -f ca.db.serial ]; then     echo '01' >ca.db.serial fi if [ ! -f ca.db.index ]; then     cp /dev/null ca.db.index fi #   create an own SSLeay config cat >ca.config <<EOT [ ca ]