Dear,

Sorry, I must do it because we need an SSO server and have no experience with
SSL.
I get a fault at point 3.)
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Velpi
Sent: Thursday 15 May 2008 14:28
To: Yale CAS mailing list
Subject: Re: Certificates

> Am I right?
> 1.) I must first create a CA via openssl.
> 2.) Then I must create a csr via keytool
> 3.) Then I must sign the csr via openssl
> 4.) Import the certificate in the cacerts file
>
> Thanks, Luk,

If in '4' you mean the CA's certificate then yes.

more detailed (not tested, but should work):

1) create CA key+cert (preferably a lot more than 365 days, certainly 
more than the validity of the certificate you'll sign with the CA):
$ openssl req -new -x509 -out MYCA.crt -keyout MYCA.key -days 1095 \
    -config openssl.cnf

2) create CSR:
$ openssl req -nodes -new -x509 -out MYLOCAL.csr -keyout MYLOCAL.key \
    -days 365 -config openssl.cnf

3) sign CSR with my own shiny CA
$ openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key \
    -CAcreateserial -out MYLOCAL.crt -days 365

22860:error:0906D06C:PEM routines:PEM_read_bio:no start line:/on10/build-nd/G10U4B0/usr/src/common/openssl/crypto/pem/pem_lib.c:637:Expecting: CERTIFICATE REQUEST

I enter the right CSR file, and for the points before, my CN is the
hostname.domain. Must I configure something?
------------------------------------------

4) import certificate in cacerts:
$ keytool -import -trustcacerts -alias "MyShinyCA" -file MYCA.crt \
    -keystore $JAVA_HOME/lib/security/cacerts
("changeit")

Then install all certificates and restart the services that use them. It 
should be nearly copy/paste now ;).

Good luck!

-- 
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| [EMAIL PROTECTED] || +32 (0) 498 61 24 89
\---------------------------------------------
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
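
Added example, not part of the original messages: the error quoted at step 3 means the file given to `-in` has no PEM certificate-request header, and `openssl req` run with `-x509` (as in step 2) writes a self-signed certificate rather than a request. The shell functions below check a file's PEM label before signing and run steps 1 to 3 with the request created without `-x509`; the function names and `-subj` values are assumptions, and `-nodes` on the CA key is there only to keep the run non-interactive.

```shell
#!/bin/sh
# Added example (not from the original thread). File names follow the thread;
# function names and -subj values are constructed for illustration.

# Print the label of the first PEM block in a file, e.g. "CERTIFICATE REQUEST".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Succeed only if the file is something "openssl x509 -req -in" can read.
# keytool -certreq writes the "NEW CERTIFICATE REQUEST" label; openssl reads both.
is_csr() {
    case "$(pem_label "$1")" in
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")
            return 0 ;;
        "CERTIFICATE")
            echo "$1: certificate, not a request (was 'req' run with -x509?)" >&2
            return 1 ;;
        *)
            echo "$1: no PEM request header (DER-encoded or wrong file?)" >&2
            return 1 ;;
    esac
}

# Steps 1-3 with the request created WITHOUT -x509.
# Assumption: -nodes on the CA key avoids a passphrase prompt here;
# drop it for a CA key that will actually be kept.
make_signed_cert() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout MYCA.key -out MYCA.crt -days 1095 &&
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=hostname.domain" \
        -keyout MYLOCAL.key -out MYLOCAL.csr &&
    is_csr MYLOCAL.csr &&
    openssl x509 -req -in MYLOCAL.csr -CA MYCA.crt -CAkey MYCA.key \
        -CAcreateserial -out MYLOCAL.crt -days 365
}
```

Run `is_csr MYLOCAL.csr` on the existing file first; if it reports a certificate, recreate the request and sign again.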