Generating SSL certs with ACF

From Alpine Linux

Revision as of 20:40, 13 May 2009

Creating SSL certs using ACF

You need to issue certificates to remote users, for example for a VPN service such as openvpn or racoon. Wouldn't it be nice to have a way to manage and view all the certificates you have issued, revoke them, and review a certificate before you issue it? Alpine, via ACF, provides a web interface for exactly this job.

Installation Process

This guides you through setting up this type of server. Do not host it on your VPN gateway; use a separate machine to generate your certificates, so that the CA's private key never sits on the gateway itself.

Install Alpine

Follow the standard installation document:

Installing_Alpine

Install and Configure ACF

Run the following command. It installs the web front end to Alpine Linux, called ACF:

/sbin/setup-webconf

Install the acf-openssl package (apk add acf-openssl).

Browse to the machine at https://ipaddr/ (replace ipaddr with its IP address).

Log in as the default user alpine with the password test123.

This is a well-known default, so immediately click on the User Management tab and change the password.

Also create an account for yourself.

Acf-openssl

Under the Applications section you should now have a Certificate Authority link. Click on this.

It opens on the Status tab, which shows a lot of red error messages because no CA exists yet.

You need to create the CA you are going to use.

This is done on the command line of the Alpine machine. If you already have a CA certificate and key, skip the generation commands and only put the files in place.

The first command asks for a passphrase. Make sure to remember it: the passphrase-protected server.key is the copy you keep, and the unencrypted server.pem derived from it below is what ACF uses to sign.

# 2048-bit RSA CA key, encrypted with a passphrase (you are prompted for it)
openssl genrsa -des3 -out server.key 2048

# Certificate request for the CA itself; the passphrase is asked for again
openssl req -new -key server.key -out server.csr

# Unencrypted copy of the key so ACF can sign without a prompt.
# Protect this file: anyone who can read it can issue certificates as your CA.
openssl rsa -in server.key -out server.pem

# Self-sign the request to get the CA certificate, valid for one year.
# Note: a certificate made this way carries no basicConstraints CA:TRUE
# extension, and strict verifiers may refuse to treat it as a CA.
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem

# Directory layout and bookkeeping files (serial is hexadecimal) used by openssl ca / ACF
mkdir -p /etc/ssl/private /etc/ssl/req /etc/ssl/cert
chmod 700 /etc/ssl/private
echo "7" > /etc/ssl/serial
touch /etc/ssl/index.txt

mv server.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/

Edits to /etc/ssl/openssl-ca-acf.cnf

If you need a subjectAltName in the certificates ACF issues, edit openssl-ca-acf.cnf and add a pair of entries like the following. The "3." prefix is OpenSSL's way of allowing several entries with the same name in one config section; the first line is the prompt text shown in the form, the _default line the prefilled value:

3.subjectAltName = Assigned IP Address

3.subjectAltName_default = 192.168.1.1/32

Check how the template in openssl-ca-acf.cnf turns this value into the extension before relying on it: in OpenSSL's own extension syntax a SAN is written as IP:192.168.1.1 or DNS:host.example.com, and a /32 prefix is not part of an IP SAN.


Extract PFX certificate

A PKCS#12 (.pfx/.p12) bundle holds a private key, its certificate and usually the CA chain. Pull the parts out with openssl pkcs12:

To get the CA cert:

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem

To get the private key (-nodes writes it unencrypted, so chmod 600 the result):

openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem

To get the certificate:

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem

Display a certificate in readable text form:

openssl x509 -in mycert.pem -noout -text

and a key (openssl x509 only understands certificates, so use openssl rsa for the key):

openssl rsa -in mykey.pem -noout -text
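The following script is an added example, not code from the Alpine wiki or from ACF. It runs the CA procedure, the subjectAltName point and the PFX extraction from this page end to end in a throwaway directory, with the pieces the bare commands leave out: the CA certificate marked CA:TRUE, a client certificate carrying an IP SAN in OpenSSL's IP: syntax, a .pfx bundle unpacked again with the page's three pkcs12 commands, and a chain and key/certificate match check. The directory, names and passwords are assumptions for the demo; ACF's real layout is /etc/ssl.

```shell
#!/bin/sh
# Added example (not ACF's own code): the page's CA procedure end to end in a
# scratch directory. All paths, names and passwords are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch dir; ACF itself uses /etc/ssl
CA_PASS="${CA_PASS:-demo-ca-pass}"  # passphrase protecting the CA key
PFX_PASS="${PFX_PASS:-demo-export}" # export password of the .pfx

# Minimal request config so the demo does not depend on the system openssl.cnf.
# ca_ext is what the page's plain 'openssl x509 -req -signkey' does not add.
write_config() {
    cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: passphrase-protected CA key and a self-signed CA certificate.
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -config "$WORK/demo.cnf" \
        -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Demo VPN CA" -out "$WORK/cacert.pem"
}

# Step 2: client key, CSR, and a CA-signed certificate with subjectAltName=IP:$1.
make_client() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/demo.cnf" -key "$WORK/client.key" \
        -subj "/CN=vpn-client-1" -out "$WORK/client.csr"
    cat > "$WORK/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName   = IP:$1
EOF
    openssl x509 -req -days 365 -sha256 -in "$WORK/client.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Step 3: bundle key + cert + CA cert into the .pfx handed to the client.
pack_pfx() {
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
        -certfile "$WORK/cacert.pem" -name "vpn-client-1" \
        -passout "pass:$PFX_PASS" -out "$WORK/client.pfx"
}

# Step 4: the page's three extraction commands. -nodes writes the key
# unencrypted, so its permissions are restricted right away.
unpack_pfx() {
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" -cacerts -nokeys -out "$WORK/x_cacert.pem"
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$WORK/x_key.pem"
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts -out "$WORK/x_cert.pem"
    chmod 600 "$WORK/x_key.pem"
}

# Checks on the extracted files: each returns 0 only on success.
verify_chain() { openssl verify -CAfile "$WORK/x_cacert.pem" "$WORK/x_cert.pem" >/dev/null; }
ca_is_ca()     { openssl x509 -in "$WORK/x_cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
keys_match()   {
    [ "$(openssl x509 -in "$WORK/x_cert.pem" -noout -pubkey)" = \
      "$(openssl rsa -in "$WORK/x_key.pem" -pubout 2>/dev/null)" ]
}
# Prints the SAN line of the extracted cert, e.g. "IP Address:192.168.1.1".
san_of() {
    openssl x509 -in "$WORK/x_cert.pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//p;}'
}

run_demo() { write_config; make_ca; make_client "$1"; pack_pfx; unpack_pfx; }

main() {
    run_demo "${1:-192.168.1.1}"
    verify_chain && ca_is_ca && keys_match
    printf 'client cert with %s verified against the CA; files in %s\n' "$(san_of)" "$WORK"
    # Readable dump, as on the page: x509 for certificates, rsa for keys.
    openssl x509 -in "$WORK/x_cert.pem" -noout -subject -issuer -dates
}

if command -v openssl >/dev/null 2>&1; then
    main "$@"
else
    echo "openssl not installed; nothing to run" >&2
fi
```

Run it as ./demo.sh 10.8.0.5 to issue a certificate for another address; set WORK to keep the output somewhere other than a temporary directory. The chain check works against the CA certificate recovered from the .pfx, not the original, which is the check a recipient of such a bundle can actually perform.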