I combined all the instructions for the certificate generation. I still have not had a chance to verify that they are valid for federation, but at least they seem to work OK.
-- Generate an encrypted private key. You will be asked for a passphrase; make sure it is at least 10 characters.

    openssl genrsa -des3 -out example.com.encrypted.key 2048

-- Generate a certificate request; you will be asked for the passphrase from above. After that you will be asked to fill in a bunch of details. IMPORTANT - the Common Name should be in the form wave.example.com.

    openssl req -new -key example.com.encrypted.key -out example.com.csr

-- With this certificate you can go to https://www.startssl.com. Sign in, or sign up. To sign up you will need to provide an email that you can validate, then log out and log in again - click on Authenticate - you will be asked for the (email) certificate that was generated in the sign-up process. Go to the control panel. Click on the Validations Wizard and choose Domain Name Validation, where you have to validate your domain, i.e. example.com. After that, go to the Certificates Wizard and choose XMPP certificate. In the private key generation step you should click on "skip" and in the next step paste the certificate request that was generated earlier, i.e. the contents of example.com.csr. After that proceed to choose your domain, i.e. example.com; in the subdomain field you need to enter "wave", i.e. http://wave.example.com. Click on continue until finish. After that you will have your signed certificate. Save it as example.com.crt. You will also need your intermediate certificate - i.e. sub.class1.server.ca.pem - and the Certification Authority certificate - ca.pem. You can download them from the site: Toolbox -> StartCom CA Certificates.

So by now you have 5 files:

    example.com.encrypted.key
    example.com.crt
    example.com.csr
    sub.class1.server.ca.pem
    ca.pem

Make sure to back up the private key and signed certificate (example.com.encrypted.key, example.com.crt) and put them somewhere in a safe place. But we are not done yet.
Now let's remove the passphrase from the private key with:

    openssl rsa -in example.com.encrypted.key -out example.com.nonencrypted.key

-- then convert the key to a different format with:

    openssl pkcs8 -topk8 -nocrypt -in example.com.nonencrypted.key -out example.com.key

-- Now we have the private key we can use with the waveinabox server and a certificate signed by StartCom.

On Oct 18, 7:11 pm, Vega <[email protected]> wrote:
> Well, I guess if someone would like to host a waveinabox server that
> would accept these certificates - nothing can stop him - after all the
> source is open :)
>
> On Oct 18, 6:35 pm, Peter Saint-Andre <[email protected]> wrote:
> > On 10/18/10 9:08 AM, Vega wrote:
> > > Is it possible to consider adding CAcert to the default trust roots?
> > > It can allow another option in addition to StartCom. Moreover CAcert
> > > is totally free and more flexible and therefore better suits the Wave
> > > nature.
> >
> > The point of a CA is not to be free and flexible, but to be secure.
> >
> > Peter
> >
> > --
> > Peter Saint-Andre
> > https://stpeter.im/
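As an added example that is not part of the original post or of the waveinabox project, the script below runs the local half of the procedure above (encrypted key, CSR with the wave.<domain> Common Name, passphrase removal, PKCS#8 conversion) non-interactively in a scratch directory, and then performs the two checks worth doing before pasting the CSR into the CA's wizard and before handing the key to the server: that the CSR really carries the Common Name the post requires, and that the final PKCS#8 key is the same RSA key the CSR was made from. The passphrase, the organisation name and the example.com domain are placeholders I chose; the StartCom signing step itself cannot be reproduced offline and is not included.

```shell
#!/bin/sh
# Added example, not from the original post: automates the key/CSR/PKCS#8 steps
# and checks the result. Placeholders: PASS, the /O= value and example.com.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="correct-horse-battery-staple"   # placeholder passphrase; the post asks for >= 10 characters
DOMAIN="example.com"                  # placeholder domain
CN="wave.${DOMAIN}"                   # the Common Name form the post requires

# Every file written below (including the unencrypted key) is created owner-only (0600).
umask 077

gen_key_and_csr() {
  # 1. Encrypted RSA private key; -des3 is the cipher the post uses and
  #    -passout replaces the interactive passphrase prompt.
  openssl genrsa -des3 -passout "pass:${PASS}" \
    -out "${WORKDIR}/${DOMAIN}.encrypted.key" 2048 2>/dev/null
  # 2. Certificate request; -subj replaces the interactive "bunch of details".
  openssl req -new -key "${WORKDIR}/${DOMAIN}.encrypted.key" -passin "pass:${PASS}" \
    -subj "/O=Example Org/CN=${CN}" -out "${WORKDIR}/${DOMAIN}.csr"
}

strip_and_convert() {
  # 3. Remove the passphrase (the server has to read the key unattended).
  openssl rsa -in "${WORKDIR}/${DOMAIN}.encrypted.key" -passin "pass:${PASS}" \
    -out "${WORKDIR}/${DOMAIN}.nonencrypted.key" 2>/dev/null
  # 4. Rewrite as unencrypted PKCS#8, the format the post says the server needs.
  openssl pkcs8 -topk8 -nocrypt -in "${WORKDIR}/${DOMAIN}.nonencrypted.key" \
    -out "${WORKDIR}/${DOMAIN}.key"
  # The intermediate plaintext copy is redundant once the PKCS#8 file exists.
  rm -f "${WORKDIR}/${DOMAIN}.nonencrypted.key"
}

# Prints the Common Name embedded in the CSR (works with both the old
# "/CN=" and the newer "CN = " subject formatting of openssl req).
csr_cn() {
  openssl req -in "${WORKDIR}/${DOMAIN}.csr" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 when the PKCS#8 key and the CSR carry the same RSA modulus,
# i.e. the key you are about to deploy is the one the CA will sign for.
key_matches_csr() {
  k=$(openssl rsa -in "${WORKDIR}/${DOMAIN}.key" -noout -modulus)
  c=$(openssl req -in "${WORKDIR}/${DOMAIN}.csr" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the final key is PKCS#8 ("BEGIN PRIVATE KEY"),
# not the traditional "BEGIN RSA PRIVATE KEY" form.
key_is_pkcs8() {
  head -n 1 "${WORKDIR}/${DOMAIN}.key" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

gen_key_and_csr
strip_and_convert
echo "CSR Common Name: $(csr_cn)"
if key_matches_csr && key_is_pkcs8; then
  echo "key and CSR are consistent; files are in ${WORKDIR}"
else
  echo "key/CSR mismatch or wrong key format" >&2
  exit 1
fi
```

The modulus comparison is the check to keep in mind for the real run as well: if a key is regenerated at any point (for example by letting the CA's wizard generate one instead of clicking "skip"), the certificate that comes back will not match the example.com.key you deploy, and the mismatch is only obvious once the server refuses to start. The `umask 077` matters because the final key is plaintext; the passphrase-protected example.com.encrypted.key is the copy to back up, as the post says, and the unencrypted one should never leave the server.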
