Unless you need SSL only for your own needs (as a developer), I suggest
you walk the extra mile and create your own CA and sign your SSL
certificate; then you deploy the CA through GPO with AD and you will not be
bothered again about self-signed SSL certificates...

The link "here" you refer to seems to talk about what I said... Deploy a
self-signed root certificate or CA, not a self-signed SSL certificate...

What is important is that your CA be in p12 or PKCS#12 format that contains
the key and the certificate...

To generate the certificates you can use these commands:

# Directory layout for the CA (create these before running "openssl ca" below)
sudo mkdir -p /etc/ssl/CA /etc/ssl/newcerts /etc/ssl/crl
sudo touch /etc/ssl/CA/index.txt
echo 1000 | sudo tee /etc/ssl/CA/serial   # first serial number
# Then set these paths in /etc/ssl/openssl.cnf ([ CA_default ] section) so that
# the root certificate and the SSL certificates get created in place

# Create the key of the root certificate for the Certification Authority
# (genrsa has no -config option; -des3 protects the key with a passphrase)
openssl genrsa -des3 -out root_certificate.key 2048
chmod 400 root_certificate.key
sudo cp root_certificate.key /etc/ssl/private/root_certificate.key
# Self-sign the root certificate
openssl req -x509 -new -sha256 -key root_certificate.key -days 3650 -out root_certificate.crt -config /etc/ssl/openssl.cnf
sudo cp root_certificate.crt /etc/ssl/certs/root_certificate.crt
# For Windows and IE to understand the root certificate, it needs a .p12 file
# that contains the key and the certificate of the CA.
# Here we create a PEM file containing the key and the certificate for our root CA
cat root_certificate.key root_certificate.crt > root_certificate_key_crt.pem
chmod 400 root_certificate_key_crt.pem
# Then we create the .p12 file (it contains the CA private key, so keep it with the CA)
openssl pkcs12 -export -out root_certificate.p12 -in root_certificate_key_crt.pem -name "SUBDOMAIN CA Certificate PKCS#12"

# Create an SSL certificate
openssl genrsa -out SUBDOMAIN.key 2048
chmod 400 SUBDOMAIN.key
# For a self-signed certificate (uncomment the lines below if required)
#     openssl req -new -x509 -nodes -sha256 -days 3650 -key SUBDOMAIN.key > SUBDOMAIN.crt
#     openssl x509 -noout -fingerprint -text < SUBDOMAIN.crt > SUBDOMAIN.info
# For an SSL certificate signed by the Certification Authority, you need to issue a
# "certificate signing request" for it
openssl req -new -key SUBDOMAIN.key -out SUBDOMAIN.csr
# NOTE: Don't use a challenge password, because you will be prompted for the
# password each time the web server restarts...
# Sign the other SSL key with the root certificate key
#     openssl x509 -req -in SUBDOMAIN.csr -CA root_certificate.crt -CAkey root_certificate.key -CAcreateserial -out SUBDOMAIN.crt -days 3650
# NOTE: The command above should work, but to make sure the CA database gets
# updated and a copy of the certificate with its serial number is created, the
# command below is better, after customizing /etc/ssl/openssl.cnf as described above
openssl ca -config /etc/ssl/openssl.cnf -out SUBDOMAIN.crt -infiles SUBDOMAIN.csr

# Deployment: nginx needs the server certificate followed by the CA certificate,
# and only the server's private key (the CA key must never be copied to the web server)
cat SUBDOMAIN.crt root_certificate.crt > server.crt
cp SUBDOMAIN.key server.key
chmod 400 server.key

sudo cp server.* /etc/nginx/ssl/


You need to configure OpenSSL (/etc/ssl/openssl.cnf) before executing most of
the commands, since it will reduce the typing and the errors in the process of
creating a correct, valid root certificate...

Ref.:
https://help.ubuntu.com/community/OpenSSL
https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
http://www.digicert.com/ssl-certificate-installation-nginx.htm
http://technet.microsoft.com/en-us/library/cc772491.aspx
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://twentyeighttwelve.com/setting-up-your-own-certificate-authority-on-iis7-using-openssl-and-securing-your-web-api-with-client-certificates/

You can also buy a CA certificate for a LAN here, but it is not going to continue
for very long; GoDaddy recently stopped issuing new certificates for LAN names:
http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html?ap=ce046
Ref.:
http://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls

Hope it helps

:)

Richard
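The procedure above (private root CA, CSR, signing through the CA database, nginx bundle) as one runnable script. This is an added example, not code from the original post or from web2py: it uses a throw-away directory and its own minimal openssl.cnf instead of /etc/ssl/openssl.cnf, and the CA name "Lab Root CA" and the hostname intranet.example.test are made up. Two practitioner points it bakes in: the certificate extensions (CA:FALSE, serverAuth, subjectAltName) are set by the CA's config rather than copied from the CSR, so a requester cannot ask for CA:TRUE; and what gets distributed to clients (for example via GPO) is the root certificate alone, exported as DER, while the CA private key, and any .p12 that wraps it, never leaves the CA directory and is never placed in the nginx key file.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA, issue a server
# certificate from a CSR with "openssl ca", and assemble what nginx actually needs.
# Assumptions: the openssl CLI is installed; CA name and hostname are made up.
set -eu

# build_private_ca DIR HOST : creates DIR/ca (the CA) and DIR/server (web server files)
build_private_ca() {
    dir=$1
    host=$2
    cadir=$dir/ca
    srv=$dir/server
    mkdir -p "$cadir/newcerts" "$srv"
    : > "$cadir/index.txt"        # empty certificate database
    echo 1000 > "$cadir/serial"   # first serial number (hex)

    # Self-contained openssl.cnf (the post edits /etc/ssl/openssl.cnf instead).
    # Server extensions come from this file, not from the CSR, so a requester
    # cannot smuggle in CA:TRUE or extra names. No "attributes" section means
    # "openssl req" never prompts for a challenge password.
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca             = lab_ca

[ lab_ca ]
database               = $cadir/index.txt
new_certs_dir          = $cadir/newcerts
serial                 = $cadir/serial
certificate            = $cadir/root_certificate.crt
private_key            = $cadir/root_certificate.key
default_md             = sha256
default_days           = 825
policy                 = lab_policy
x509_extensions        = server_ext

[ lab_policy ]
commonName             = supplied

[ req ]
distinguished_name     = req_dn

[ req_dn ]
commonName             = Common Name

[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Root key and self-signed root certificate (add -aes256 to genrsa and
    #    -passin to the later commands to keep the CA key encrypted at rest).
    openssl genrsa -out "$cadir/root_certificate.key" 2048 2>/dev/null
    chmod 400 "$cadir/root_certificate.key"
    openssl req -x509 -new -sha256 -days 3650 \
        -key "$cadir/root_certificate.key" -subj "/CN=Lab Root CA" \
        -config "$cadir/openssl.cnf" -extensions ca_ext \
        -out "$cadir/root_certificate.crt"
    # What gets pushed to Windows clients (e.g. via GPO) is the certificate only, as DER.
    openssl x509 -in "$cadir/root_certificate.crt" -outform DER \
        -out "$cadir/root_certificate.cer"

    # 2. Server key and CSR (-subj supplies the DN, so nothing is prompted).
    openssl genrsa -out "$srv/server.key" 2048 2>/dev/null
    chmod 400 "$srv/server.key"
    openssl req -new -key "$srv/server.key" -subj "/CN=$host" \
        -config "$cadir/openssl.cnf" -out "$srv/server.csr"

    # 3. Sign through the CA database so index.txt, serial and newcerts/ are updated.
    openssl ca -config "$cadir/openssl.cnf" -batch -notext \
        -in "$srv/server.csr" -out "$srv/server.crt" 2>/dev/null

    # 4. nginx bundle: server cert followed by the CA cert. The key file for nginx
    #    is server.key alone; the CA key never leaves $cadir.
    cat "$srv/server.crt" "$cadir/root_certificate.crt" > "$srv/fullchain.crt"
}

# verify_chain DIR : exit 0 when the server certificate chains to the lab root
verify_chain() {
    openssl verify -CAfile "$1/ca/root_certificate.crt" "$1/server/server.crt" >/dev/null
}

demo=$(mktemp -d)
build_private_ca "$demo" intranet.example.test
verify_chain "$demo" && echo "server.crt chains to root_certificate.crt in $demo"
```

Point nginx at server/fullchain.crt and server/server.key; import ca/root_certificate.cer into the clients' Trusted Root store. If you do want to honour names from the CSR, add copy_extensions = copy to the lab_ca section, but then review every CSR before signing it.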



On Thu, Jan 16, 2014 at 2:12 PM, Keith Planer <[email protected]> wrote:

> I understand this link might have some guidance for me, but the link is
> down: http://www.web2py.com/AlterEgo/default/show/140
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
