
Securing-Optimizing-RH-Linux-1_2_291
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

          ............................................+++++
          e is 65537 (0x10001)
          Enter PEM pass phrase:
          Verifying password - Enter PEM pass phrase:

Please back up this ca.key file and keep it, together with the pass-phrase you had to enter, in a secure location.

1.4  Create a self-signed (CA) certificate (x509 structure) with the RSA key of the CA.

          [root@deep ssl]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
          Using configuration from /etc/ssl/openssl.cnf
          Enter PEM pass phrase:
          You are about to be asked to enter information that will be incorporated
          into your certificate request.
          What you are about to enter is what is called a Distinguished Name or a DN.
          There are quite a few fields but you can leave some blank
          For some fields there will be a default value,
          If you enter '.', the field will be left blank.
          -----
          Country Name (2 letter code) [CA]:
          State or Province Name (full name) [Quebec]:
          Locality Name (eg, city) [Montreal]:
          Organization Name (eg, company) [Open Network Architecture]:
          Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
          Common Name (eg, YOUR name) [www.openarch.com]:
          Email Address [admin@openarch.com]:

          [root@deep ssl]# mv server.key private/
          [root@deep ssl]# mv ca.key private/
          [root@deep ssl]# mv ca.crt certs/

NOTE: The “req” command creates a self-signed certificate when the -x509 switch is used.

1.5  Signing a certificate request. (We create and use our own Certificate Authority (CA))

Prepare a script for signing. This is needed because the “openssl ca” command has some strange requirements, and the default OpenSSL configuration does not make it easy to use “openssl ca” directly. For this reason a script named sign.sh is distributed on the floppy disk, under the openssl directory. Use this script for signing.
Now you can use this CA to sign server CSRs in order to create real SSL certificates for use inside an Apache web server (assuming you already have a server.csr at hand):

          [root@deep ssl]# /usr/bin/sign.sh server.csr
          CA signing: server.csr -> server.crt:
          Using configuration from ca.config
          Enter PEM pass phrase:
          Check that the request matches the signature
          Signature ok
          The Subjects Distinguished Name is as follows
          countryName             :PRINTABLE:'CA'
          stateOrProvinceName     :PRINTABLE:'Quebec'
          localityName            :PRINTABLE:'Montreal'
          organizationName        :PRINTABLE:'Open Network Architecture'
          organizationalUnitName  :PRINTABLE:'Internet Department'
          commonName              :PRINTABLE:'www.openarch.com'
          emailAddress            :IA5STRING:'admin@openarch.com'
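The CA creation and CSR-signing steps above, run end to end non-interactively in a scratch directory and then checked with openssl verify. This is an added example, not the book's sign.sh or any code from it; the passphrase, subject values, key sizes and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the book): rebuild the CA / signing procedure
# without prompts, then verify that server.crt chains to ca.crt.
# CA_PASS and the -subj values are constructed placeholders for the demo.
set -eu

CA_PASS="demo-ca-passphrase"   # constructed; use a strong passphrase in practice

# Build a throwaway CA and sign one server CSR inside directory $1.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    # 1.3  CA private key, encrypted with a passphrase (the book uses -des3)
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$dir/private/ca.key" 2048 2>/dev/null
    # 1.4  Self-signed CA certificate (x509) made from the CA key
    openssl req -new -x509 -days 365 -key "$dir/private/ca.key" \
        -passin "pass:$CA_PASS" \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/OU=CA Marketing/CN=Demo CA" \
        -out "$dir/certs/ca.crt"
    # Server key (unencrypted, as a daemon would load it) and its CSR
    openssl genrsa -out "$dir/private/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/private/server.key" \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/OU=Internet Department/CN=www.example.test" \
        -out "$dir/server.csr"
    # 1.5  Sign the CSR with the CA key; this is the step sign.sh wraps.
    #      -CAcreateserial writes certs/ca.srl so serial numbers stay unique.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/certs/ca.crt" -CAkey "$dir/private/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$dir/certs/server.crt" 2>/dev/null
    # Private keys must not be world-readable (the book moves them to private/)
    chmod 600 "$dir/private/"*.key
}

# Return 0 if server.crt verifies against ca.crt, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1/certs/ca.crt" "$1/certs/server.crt" >/dev/null 2>&1
}

# Print the subject of the issued certificate in RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1/certs/server.crt" -noout -subject -nameopt RFC2253
}
```

Run `make_demo_pki /tmp/demo-pki && verify_chain /tmp/demo-pki && echo chain OK`; a certificate signed by a different CA, or a tampered server.crt, makes verify_chain fail.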