Thank you for the detailed explanation, I will take time to make this work, thanks.
On Thursday, January 16, 2014 3:07:32 PM UTC-6, Richard wrote:
>
> Except if you need SSL only for your own (as a developer) needs, I suggest
> you walk the extra mile and create your own CA and sign your SSL
> certificate; then deploy the CA through GPO with AD and you will not be
> bothered again about self-signed SSL certificates...
>
> The link "here" you refer to seems to talk about what I said: deploy a
> self-signed root certificate or CA, not a self-signed SSL certificate...
>
> What is important is that your CA be in p12 or PKCS#12 format, which
> contains the key and the certificate...
>
> To generate certificates you can use these commands:
>
> # Create key of root certificate for Certification Authority
> openssl genrsa -des3 -out root_certificate.key 2048
> chmod 400 root_certificate.key
> cp root_certificate.key /etc/ssl/private/root_certificate.key
> # Self-signing of the root certificate key
> openssl req -x509 -new -nodes -key root_certificate.key -days 3650 -out root_certificate.crt -config /etc/ssl/openssl.cnf
> cp root_certificate.crt /etc/ssl/certs/root_certificate.crt
> # In order for Windows and IE to understand the root certificate it needs a .p12 file that contains the key and certificate of the CA
> # Here we create a PEM file containing the key and the certificate for our root CA certificate
> cat root_certificate.key root_certificate.crt >> root_certificate_key_crt.pem
> # Then we create the .p12 file
> openssl pkcs12 -export -out root_certificate.p12 -in root_certificate_key_crt.pem -name "SUBDOMAIN CA Certificate PKCS#12"
> # Create an SSL certificate
> openssl genrsa -out SUBDOMAIN.key 2048
> chmod 400 SUBDOMAIN.key
> # For a self-signed certificate (uncomment the lines below if required)
> # openssl req -new -x509 -nodes -sha1 -days 3650 -key SUBDOMAIN.key > SUBDOMAIN.crt
> # openssl x509 -noout -fingerprint -text < SUBDOMAIN.crt > SUBDOMAIN.info
> # For an SSL certificate signed by the Certification Authority you need to issue a "certificate signing request" from it
> openssl req -new -key SUBDOMAIN.key -out SUBDOMAIN.csr
> # NOTE: Don't use a challenge password because you will be prompted for the password each time the webserver reboots...
> # Sign the other SSL key with the root certificate key
> # openssl x509 -req -in SUBDOMAIN.csr -CA root_certificate.crt -CAkey root_certificate.key -CAcreateserial -out SUBDOMAIN.crt -days 3650
> # NOTE: This command should work, but to make sure the database gets updated and a copy of the key with the serial number is created, the command below is better after customizing /etc/ssl/openssl.cnf
> sudo touch /etc/ssl/CA/index.txt
> sudo nano /etc/ssl/CA/serial # and enter "1000"
> openssl ca -config /etc/ssl/openssl.cnf -out SUBDOMAIN.crt -infiles SUBDOMAIN.csr
>
> # Deployment
> sudo mkdir /etc/ssl/CA
> sudo mkdir /etc/ssl/newcerts
> sudo mkdir /etc/ssl/crl
> # Then set the config required in /etc/ssl/openssl.cnf so that the root certificate and the SSL certificate get created in place
>
> cat SUBDOMAIN.crt root_certificate.crt >> server.crt
> cat SUBDOMAIN.key root_certificate.key >> server.key
> chmod 400 server.key
>
> sudo cp server.* /etc/nginx/ssl/
>
> You need to configure OpenSSL (/etc/ssl/openssl.cnf) before executing most
> of these commands, since it will reduce the typing and the errors in the
> process of creating a correct, valid root certificate...
>
> Ref.:
> https://help.ubuntu.com/community/OpenSSL
> https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
> http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
> http://www.digicert.com/ssl-certificate-installation-nginx.htm
> http://technet.microsoft.com/en-us/library/cc772491.aspx
> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
> http://twentyeighttwelve.com/setting-up-your-own-certificate-authority-on-iis7-using-openssl-and-securing-your-web-api-with-client-certificates/
>
> You can also buy a CA for LAN here, but it is not going to continue for
> very long; GoDaddy recently stopped issuing new certificates for LAN:
> http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html?ap=ce046
> Ref.:
> http://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls
>
> Hope it helps
>
> :)
>
> Richard
>
>
> On Thu, Jan 16, 2014 at 2:12 PM, Keith Planer <[email protected]> wrote:
>
>> I understand this link might have some guidance for me, but the link is
>> down: http://www.web2py.com/AlterEgo/default/show/140
>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
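The procedure Richard describes (private root CA, CSR for the internal host, CA-signed server certificate, a file to hand to Windows trust stores), as an added example that is not part of the thread: it carries its own OpenSSL config so nothing is prompted for, puts the CA extensions on the root and a subjectAltName on the leaf, and distributes only the CA certificate, never a bundle containing the CA private key. The CA name, the host name intranet.example.test and the working directory are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a private root CA, signs
# one internal server certificate with it and verifies the chain the way a
# client would. The CA name, the host name and the directory are constructed.
set -eu

build_lab_pki() (
    dir="${1:-$(mktemp -d)}"; host="${2:-intranet.example.test}"; cd "$dir"

    # OpenSSL config for the CA: no prompts, and CA extensions on the root.
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Lab Root CA (example)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Root key (stays on the CA host) and self-signed root certificate.
    openssl genrsa -out ca.key 2048 2>/dev/null && chmod 400 ca.key
    openssl req -x509 -new -nodes -sha256 -days 3650 -key ca.key \
        -config ca.cnf -out ca.crt

    # 2. Server key and CSR. -subj sets the name non-interactively, so no
    #    challenge password ends up in the request.
    openssl genrsa -out server.key 2048 2>/dev/null && chmod 400 server.key
    openssl req -new -key server.key -config ca.cnf -subj "/CN=$host" \
        -out server.csr

    # 3. Leaf extensions: not a CA, server use only, and a SAN, which modern
    #    browsers require in addition to the CN.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > leaf.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 825 -extfile leaf.ext -out server.crt 2>/dev/null

    # 4. What gets distributed (GPO, trust stores): the CA certificate only,
    #    here as DER; the private key never leaves the CA host.
    openssl x509 -in ca.crt -outform DER -out ca.cer

    # 5. Verify chain and host name before deploying server.crt/server.key.
    openssl verify -CAfile ca.crt server.crt >/dev/null
    openssl x509 -in server.crt -noout -checkhost "$host" | grep -q 'does match'
    echo "$dir"
)
```

Run `build_lab_pki` to get the directory holding ca.crt, ca.cer, server.key and server.crt; nginx gets server.crt and server.key, clients get ca.cer.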

