I had to "fink remove openssl097 openssl097-dev" to use Apple's version of OpenSSL instead of Fink's. Normally you'd do this as root on a dedicated machine.

pepper@pepperbook:~$ sudo cp -p /System/Library/OpenSSL/openssl.cnf /System/Library/OpenSSL/openssl.cnf.orig
pepper@pepperbook:~$ bbedit /System/Library/OpenSSL/openssl.cnf
pepper@pepperbook:~$ bbedit /System/Library/OpenSSL/openssl.cnf.20061019
pepper@pepperbook:~$ diff -u /System/Library/OpenSSL/openssl.cnf.orig /System/Library/OpenSSL/openssl.cnf
--- /System/Library/OpenSSL/openssl.cnf.orig	2006-10-19 01:04:35.000000000 -0400
+++ /System/Library/OpenSSL/openssl.cnf	2006-10-19 01:06:38.000000000 -0400
@@ -34,12 +34,12 @@
 ####################################################################
 [ CA_default ]
 
-dir = ./demoCA # Where everything is kept
+dir = /CA/reppep
 certs = $dir/certs # Where the issued certs are kept
 crl_dir = $dir/crl # Where the issued crl are kept
 database = $dir/index.txt # database index file.
 #unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
+ # several certificates with same subject.
 new_certs_dir = $dir/newcerts # default place for new certs.
 
 certificate = $dir/cacert.pem # The CA certificate
@@ -122,17 +122,18 @@
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = US
 countryName_min = 2
 countryName_max = 2
 
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = New York
 
 localityName = Locality Name (eg, city)
+localityName_default = Brooklyn
 
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = reppep
 
 # we can do this but it is not needed normally :-)
 #1.organizationName = Second Organization Name (eg, company)
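Review bot: the `+dir = /CA/reppep` line in the first hunk drops the `# Where everything is kept` comment, and the bigger issue is where this edit lives: /System/Library/OpenSSL/openssl.cnf is a vendor file that an OS update can silently replace, which is presumably why the session above backs it up to openssl.cnf.orig and keeps a dated copy as openssl.cnf.20061019. Suggest keeping the CA's configuration in its own file under $dir (e.g. /CA/reppep/openssl.cnf) and passing it to `openssl req` and `openssl ca` with `-config`, so the system file stays untouched and the CA directory carries everything needed to reproduce it.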
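Review bot: `+localityName_default = Brooklyn` in the second hunk only changes what goes into the request; it does not by itself put a locality into issued certificates. Later in this page the signed certificate's Subject lists countryName, stateOrProvinceName, organizationName, commonName and emailAddress but no localityName, even though the prompt defaulted to [Brooklyn]: `openssl ca` silently deletes any DN field the active policy section does not mention. If L= is wanted in issued certificates, add `localityName = optional` (or `match`) to the policy section referenced from [ CA_default ], alongside this default.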
@@ -145,6 +146,7 @@
 commonName_max = 64
 
 emailAddress = Email Address
+emailAddress_default = webmaster@reppep.com
 emailAddress_max = 64
 
 # SET-ex3 = SET extension number 3
pepper@pepperbook:~$ sudo mkdir -p /CA/reppep/private /CA/reppep/certs /CA/reppep/newcerts
Password:
pepper@pepperbook:~$ sudo chown -R pepper /CA
pepper@pepperbook:~$ echo 01 > /CA/reppep/serial
pepper@pepperbook:~$ touch /CA/reppep/index.txt
pepper@pepperbook:~$ openssl req -new -x509 -days 3660 -keyout /CA/reppep/private/cakey.pem -out /CA/reppep/cacert.pem # 10 years + leap years + fudge factor
Generating a 1024 bit RSA private key
..............................................................++++++
.................................++++++
writing new private key to '/CA/reppep/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Brooklyn]:
Organization Name (eg, company) [reppep]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ca.reppep.com
Email Address [webmaster@reppep.com]:
pepper@pepperbook:~$ md5 /CA/reppep/private/cakey.pem /CA/reppep/cacert.pem
MD5 (/CA/reppep/private/cakey.pem) = 3ba8443a14690b0f171b3dcd1f40022f
MD5 (/CA/reppep/cacert.pem) = 3bf7a3fa28cfc9225504728da687f358
pepper@pepperbook:~$ cert.sh test.reppep.com.20061019
Generating RSA private key, 512 bit long modulus
.............++++++++++++
..........................++++++++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (eg, city) [Brooklyn]:
Organization Name (eg, company) [reppep]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:test.reppep.com
Email Address [webmaster@reppep.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for /CA/reppep/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 19 05:38:07 2006 GMT
            Not After : Oct 19 05:38:07 2007 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            organizationName          = reppep
            commonName                = test.reppep.com
            emailAddress              = webmaster@reppep.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7D:FD:A5:B5:16:AE:9B:54:8E:78:F0:41:22:FB:C2:DF:4B:2B:DB:AA
            X509v3 Authority Key Identifier:
                keyid:61:56:20:22:63:C4:11:32:97:E5:70:A9:C6:88:B3:1D:E4:A4:8D:6F
                DirName:/C=US/ST=New York/L=Brooklyn/O=reppep/CN=ca.reppep.com/emailAddress=webmaster@reppep.com
                serial:C7:CB:46:04:46:EF:F5:BD

Certificate is to be certified until Oct 19 05:38:07 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Your files are:
-rw-------  1 pepper  admin  3204 Oct 19 01:38 test.reppep.com.20061019.crt
-rw-------  1 pepper  admin   509 Oct 19 01:38 test.reppep.com.20061019.csr
-rw-------  1 pepper  admin   497 Oct 19 01:37 test.reppep.com.20061019.key

On your workstation; cd to a safe place for the cert, key, & CSR.
To download the files, use:
scp root@caserver:/CA/reppep/certs/test.reppep.com.20061019.crt root@caserver:/CA/reppep/certs/test.reppep.com.20061019.key root@caserver:/CA/reppep/certs/test.reppep.com.20061019.csr ./
pepper@pepperbook:~$
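The procedure above (CA directory layout with serial, index.txt, certs/, newcerts/ and private/; a self-signed CA certificate; then a cert.sh-style key, CSR and signing run), as an added POSIX shell example that is not the page's own cert.sh. It keeps the CA's configuration in its own file passed with -config instead of editing the system openssl.cnf, uses 2048-bit RSA keys and SHA-256 rather than the 512/1024-bit keys shown in the session, and the ca.reppep.com and test.reppep.com names are taken from the page as sample values.

```shell
# Added example, not the page's cert.sh: the page's CA layout driven by its own
# config via -config (not the system openssl.cnf); 2048-bit RSA and SHA-256.
set -eu
# make_ca DIR: layout, config and self-signed CA cert (CA key left unencrypted
# for this offline demo; a real CA key gets a passphrase, i.e. drop -nodes).
make_ca() {
    dir=$1; mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"; chmod 700 "$dir/private"
    echo 01 > "$dir/serial"; : > "$dir/index.txt"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -x509 -days 3660 -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -subj "/CN=ca.reppep.com" 2>/dev/null
}
# issue_cert DIR HOST: key + CSR for HOST, then CA-sign it (what cert.sh does).
issue_cert() {
    base="$1/certs/$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" -keyout "$base.key" \
        -out "$base.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$base.csr" -out "$base.crt" 2>/dev/null
}
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null; } # 0 only if it chains to this CA
ca_fingerprint() { openssl x509 -in "$1/cacert.pem" -noout -fingerprint -sha1; }    # what clients check before importing
```

After `make_ca /tmp/ca; issue_cert /tmp/ca test.reppep.com; verify_cert /tmp/ca test.reppep.com`, the serial file reads 02, index.txt carries a V (valid) line, and newcerts/01.pem is the CA's own copy of the issued certificate. Note that policy_any only lists commonName, so any other DN field in a request is silently dropped from the issued certificate, which is also why the signed certificate above has no localityName.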
The CA certificate's SHA1 fingerprint is BC DD 37 00 38 C7 F4 48 F6 87 E4 BC C1 1A 1D 5F 2E 6F D2 3A.

Generate a Server Certificate

To create a new certificate, log into beckham as root/rucsroot and run /usr/local/bin/cert.sh. We do not use the "challenge password" or "optional company name" fields, so please skip these.

OpenSSL creates a copy of each signed certificate in newcerts/, presumably so automation can run without access to the 'real' certs directory.

Client Installation

First, get the RU CA certificate: ru-ca.crt. It may be necessary to restart the browser before it will trust the certificate.

Firefox

Go to Preferences:Advanced:Security:View Certificates:Authorities:Import, and trust this signer (beckham) for web sites.

Safari

Double-click ru-ca.crt. In Keychain Access, select the X509 Anchors keychain, and import the certificate; then restart Safari.

IE 6

Clicking on the ru-ca.crt link prompts to Open or Save ru-ca.cer. The Open button provides an Install Certificate... wizard.