Setup guide
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt
When prompted, enter a strong passphrase for the key, as well as these fields:
Country Name:
State or Province Name:
Locality Name (city):
Organization Name:
Organizational Unit:
Common Name:
Email Address:
These fields should be filled out as accurately as possible, but those that don't apply
may be left blank. At least one field must be filled in.
This creates a self-signed certificate called ca.crt, using the keys in ca.key, which
is valid for a year (365 days). This limit may be set to a longer period of time,
although this is less secure. The issue is similar to changing passwords regularly; a
balance must be found between convenience and security.
We now have a Certificate Authority and are almost ready to start signing other
servers’ certificates. When signing certificates, OpenSSL looks for keys and related
information in directories specified in its configuration file openssl.cnf, which is
found in /System/Library/OpenSSL on Mac OS X systems and frequently in
/usr/share/ssl on other systems. To create the directories and files where it
expects to find them by default, issue the following commands as an administrator:
cd /usr/share/certs
mkdir -p demoCA/private
cp ca.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem
mkdir demoCA/newcerts
touch demoCA/index.txt
echo "01" > demoCA/serial
Now the CA is ready to sign certificates for servers, enabling encrypted
communications between servers and clients.
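As an added example (not part of this guide), the following shell script performs the CA setup above non-interactively in a scratch directory and then checks the resulting demoCA layout the way an administrator would before signing anything; the base directory, subject fields and passphrase are constructed values, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: builds the demoCA layout that openssl.cnf's default
# [ CA_default ] section expects, with a self-signed CA, then checks it.
# Assumptions (constructed): base directory, -subj fields, passphrase.
set -e

setup_demo_ca() {
  # $1 = base directory (stands in for /usr/share/certs), $2 = CA passphrase
  base="$1"; pass="$2"
  mkdir -p "$base/demoCA/private" "$base/demoCA/newcerts"
  chmod 700 "$base/demoCA/private"          # private key directory: owner only
  # CA private key, encrypted with the passphrase (as the guide's des3 key is)
  openssl genrsa -des3 -passout "pass:$pass" -out "$base/ca.key" 2048 2>/dev/null
  # Self-signed CA certificate valid for 365 days; -subj replaces the prompts
  openssl req -new -x509 -days 365 -key "$base/ca.key" -passin "pass:$pass" \
    -subj "/C=US/O=Example Org/CN=Example Root CA" -out "$base/ca.crt" 2>/dev/null
  cp "$base/ca.key" "$base/demoCA/private/cakey.pem"
  cp "$base/ca.crt" "$base/demoCA/cacert.pem"
  touch "$base/demoCA/index.txt"            # certificate database starts empty
  echo "01" > "$base/demoCA/serial"         # first serial number to issue
}

# Sanity checks on the layout and on the CA certificate itself.
# Returns 0 when everything is as the guide describes, 1 otherwise.
check_demo_ca() {
  base="$1"; cert="$base/demoCA/cacert.pem"
  [ -f "$base/demoCA/private/cakey.pem" ] || return 1
  [ -f "$cert" ] || return 1
  [ -d "$base/demoCA/newcerts" ] || return 1
  [ "$(cat "$base/demoCA/serial")" = "01" ] || return 1
  [ ! -s "$base/demoCA/index.txt" ] || return 1   # nothing issued yet
  # A CA certificate must be self-signed: issuer equals subject ...
  subj=$(openssl x509 -noout -subject -in "$cert"); subj="${subj#subject=}"
  iss=$(openssl x509 -noout -issuer -in "$cert");   iss="${iss#issuer=}"
  [ "$subj" = "$iss" ] || return 1
  # ... and it must verify against itself as the trust anchor
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  # It must not already be expired (checkend 0 fails if the cert has expired)
  openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 || return 1
  return 0
}

# Usage: setup_demo_ca /usr/share/certs 'passphrase' && check_demo_ca /usr/share/certs
```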
4.4.1.2 Creating an SSL Certificate for Web Services
If you’ve set up your own CA as described in the previous section, you can now sign
your own web server SSL certificates. First, a separate certificate must be created for
each domain name. For example, if a secure web page exists at www.mypage.net and
a secure mail server is at mail.mypage.net, two certificates are needed. This is
because the SSL protocol uses the certificate’s Common Name field to verify the
domain name.
On the machine set up as a CA, generate a key pair for the web server:
cd /usr/share/certs
sudo openssl genrsa -des3 -out webserver.key 2048
UNCLASSIFIED