Generating SSL certs with ACF: Difference between revisions
Revision as of 13:15, 14 May 2009
Creating SSL certs using ACF
You need to create certificates for remote users. You might use something like OpenVPN or racoon for your VPN services. But wouldn't it be nice to have a way to manage and view all the certs you have given out, revoke them, and review a certificate before you issue it? Alpine, via the ACF, has a nice web interface for this sort of job.
Installation Process
This will somewhat guide you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates.
Install Alpine
Link below to the standard document...
Install and Configure ACF
Run the following command. It installs the web front end to Alpine Linux, called ACF.
/sbin/setup-webconf
Install acf-openssl
Browse to your computer at https://ipaddr/
Log in as the default alpine user, password test123.
Click on the User Management tab and change the password.
Also make sure to create yourself an account.
Acf-openssl
Under the Applications section you should now have a Certificate Authority link. Click on this.
It should open with the Status tab. You will see a lot of red error messages.
If you already have a CA that you would like the web interface to manage, just go to the Status page. At the bottom, click on Configure.
Go to the Edit Defaults tab. Enter the items that will be needed for the CA and any other certs generated from it.
Click Save.
Go back to the Status tab. Click Configure. If you have already clicked Configure, it may just show the input boxes to upload or generate a CA.
OpenSSL command line to create your CA
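The following commands will ask for a password, the passphrase that protects server.key. Make sure to remember it. The third command writes server.pem, a copy of the key without the passphrase, so keep that file readable by its owner only.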
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key -out server.pem
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem
mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/
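A check to run on the two files before the mv step above, added here as an example and not part of the original wiki page: it confirms that server.pem and cacert.pem belong together, that the passphrase-less key is accessible only to its owner, and that the certificate is not close to expiry. The function names check_ca_pair and make_demo_pair and the 30-day default margin are assumptions; make_demo_pair builds a constructed throwaway pair using the page's commands without -des3.

```shell
#!/bin/sh
# Added example (not from the wiki page). Function names and the 30-day
# default margin are assumptions made for illustration.

# check_ca_pair KEY CERT [MIN_DAYS]: returns 0 only if every check passes.
check_ca_pair() {
    key=$1; cert=$2; min_days=${3:-30}; rc=0
    # 1. The same RSA modulus in key and certificate means they belong together.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    kmod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    # 2. server.pem has no passphrase, so group and other must have no access.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible beyond its owner ($perms)"; rc=1
    fi
    # 3. The page issues for 365 days; flag a cert that expires within min_days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key and $cert pass all checks"
    return "$rc"
}

# make_demo_pair DIR: constructed throwaway pair, built with the page's
# commands minus -des3 so that no passphrase prompt appears.
make_demo_pair() {
    openssl genrsa -out "$1/server.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.pem" -subj "/CN=Constructed Demo CA" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.pem" -out "$1/cacert.pem" 2>/dev/null &&
    chmod 600 "$1/server.pem"
}

# Usage: sh check_ca.sh server.pem cacert.pem [min_days]
if [ "$#" -ge 2 ]; then check_ca_pair "$@"; fi
```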
Edits to /etc/ssl/openssl-ca-acf.cnf
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:
3.subjectAltName = Assigned IP Address
3.subjectAltName_default = 192.168.1.1/32
Extract PFX certificate
To get the CA CERT
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem
To get the Private Key
openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem
To get the Certificate
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem
Display the cert or key in readable/text format
openssl x509 -in mycert.pem -noout -text