
Securing-Optimizing-RH-Linux-1_2_290
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
290

    Generating RSA private key, 1024 bit long modulus
    ......................+++++
    .....+++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

Please back up this server.key file in a secure location and remember the pass-phrase you had to enter.

1.2  Generate a Certificate Signing Request (CSR) with the server RSA private key.

    [root@deep ssl]# openssl req -new -key server.key -out server.csr
    Using configuration from /etc/ssl/openssl.cnf
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [Quebec]:
    Locality Name (eg, city) [Montreal]:
    Organization Name (eg, company) [Open Network Architecture]:
    Organizational Unit Name (eg, section) [Internet Department]:
    Common Name (eg, YOUR name) [www.openarch.com]:
    Email Address [admin@openarch.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.

NOTE: Make sure you enter the FQDN (“Fully Qualified Domain Name”) of the server when OpenSSL prompts you for the “Common Name”, i.e. when you generate a CSR for a website which will later be accessed via https://www.mydomain.com/, enter www.mydomain.com here.

After generating your Certificate Signing Request (CSR), you have two choices. The first is to send the CSR to a commercial Certifying Authority (CA) such as Verisign or Thawte for signing. You usually have to post the CSR into a web form, pay for the signing, await the signed certificate and store it in a “server.crt” file. The result is then a real certificate, which can be used for Apache. The second is to use your own CA and sign the CSR yourself with that CA. This solution is economical and allows an organization to host its own CA server and generate as many certificates as it needs for internal use without paying a cent to a commercial CA. Unfortunately, using your own CA to generate certificates causes problems in electronic commerce, because customers need to be able to trust your organization through a recognized commercial CA. See below for how to sign a CSR with your own CA.

1.3  Create an RSA private key for your CA.

    [root@deep ssl]# openssl genrsa -des3 -out ca.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...........................+++++
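As an added example for step 1.2 above (this is not the book's own procedure), the following shell functions create the CSR non-interactively with the same DN fields the interactive prompts ask for, and then check two things before the CSR is sent to a CA: that its self-signature verifies and that the Common Name is exactly the intended FQDN. It assumes an openssl binary in PATH; the file names and the host name www.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book. Non-interactive key + CSR generation and a
# pre-submission check that the CSR carries the intended FQDN as its Common Name.
set -u

# make_csr KEY CSR FQDN
# Creates a 2048-bit RSA key (unencrypted, so the script needs no pass phrase)
# and a CSR whose subject uses the book's DN values with CN set to FQDN.
make_csr() {
    key=$1; csr=$2; fqdn=$3
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/OU=Internet Department/CN=$fqdn" \
        2>/dev/null
}

# csr_cn CSR
# Prints the Common Name stored in the CSR subject. Handles both the old
# "subject=/C=CA/.../CN=host" and the newer "subject=C = CA, ..., CN = host" layouts.
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_csr CSR FQDN
# Succeeds only if the CSR's own signature verifies (it was not altered after
# generation) and its CN is exactly the FQDN the certificate is meant for.
check_csr() {
    csr=$1; fqdn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_cn "$csr")" = "$fqdn" ]
}
```

Current browsers match the host name against the subjectAltName extension rather than the CN, so for a public web server the CA must also be asked to include the FQDN there; the CN check here only catches the mistake the NOTE above warns about.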