I do not think you need a CA, but if you do, there is a PKI (and CA) for web2py that I created for personal needs. It allows you to create a server certificate and manage client certificates.
https://code.google.com/p/simpatica/
No instructions; the code is simple, as is the interface, and there are just 2 requirements besides web2py:
- pyopenssl
- M2Crypto

mic

2014/1/17 Keith Planer <[email protected]>

> Thank you for the detailed explanation, I will take time to make this
> work, thanks.
>
>
> On Thursday, January 16, 2014 3:07:32 PM UTC-6, Richard wrote:
>
>> Except if you need SSL only for your own (as a developer) needs, I
>> suggest you walk the extra mile and create your own CA and sign your SSL
>> certificate; then deploy the CA through GPO with AD and you will not be
>> bothered again about self-signed SSL certificates...
>>
>> The link "here" you refer to seems to talk about what I said: deploy a
>> self-signed root certificate or CA, not a self-signed SSL certificate...
>>
>> What is important is that your CA be in p12 or PKCS#12 format that
>> contains the key and the certificate...
>>
>> To generate certificates you can use these commands:
>>
>> # Create key of root certificate for Certification Authority
>> openssl genrsa -des3 -out root_certificate.key 2048
>> chmod 400 root_certificate.key
>> cp root_certificate.key /etc/ssl/private/root_certificate.key
>> # Self-signing of the root certificate key
>> openssl req -x509 -new -nodes -key root_certificate.key -days 3650 -out root_certificate.crt -config /etc/ssl/openssl.cnf
>> cp root_certificate.crt /etc/ssl/certs/root_certificate.crt
>> # In order for Windows and IE to understand the root certificate it needs a .p12 file that contains the key and certificate of the CA
>> # Here we create a PEM file containing the key and the certificate for our root CA certificate
>> cat root_certificate.key root_certificate.crt >> root_certificate_key_crt.pem
>> # Then we create the .p12 file
>> openssl pkcs12 -export -out root_certificate.p12 -in root_certificate_key_crt.pem -name "SUBDOMAIN CA Certificate PKCS#12"
>> # Create an SSL certificate
>> openssl genrsa -out SUBDOMAIN.key 2048
>> chmod 400 SUBDOMAIN.key
>> # For a self-signed certificate (uncomment the lines below if required)
>> # openssl req -new -x509 -nodes -sha1 -days 3650 -key SUBDOMAIN.key > SUBDOMAIN.crt
>> # openssl x509 -noout -fingerprint -text < SUBDOMAIN.crt > SUBDOMAIN.info
>> # For an SSL certificate signed by the Certification Authority you need to issue a "certificate signing request" from it
>> openssl req -new -key SUBDOMAIN.key -out SUBDOMAIN.csr
>> # NOTE: Don't use a challenge password because you will be prompted for the password each time the webserver reboots...
>> # Sign the other SSL key with the root certificate key
>> # openssl x509 -req -in SUBDOMAIN.csr -CA root_certificate.crt -CAkey root_certificate.key -CAcreateserial -out SUBDOMAIN.crt -days 3650
>> # NOTE: This command should work, but to make sure the database gets updated and a copy of the key with the serial number is created, the command below is better after customizing /etc/ssl/openssl.cnf
>> sudo touch /etc/ssl/CA/index.txt
>> sudo nano /etc/ssl/CA/serial # and enter "1000"
>> openssl ca -config /etc/ssl/openssl.cnf -out SUBDOMAIN.crt -infiles SUBDOMAIN.csr
>>
>> # Deployment
>> sudo mkdir /etc/ssl/CA
>> sudo mkdir /etc/ssl/newcerts
>> sudo mkdir /etc/ssl/crl
>> # Then set the config required in /etc/ssl/openssl.cnf in order for the root certificate and the SSL certificate to get created in place
>>
>>
>> cat SUBDOMAIN.crt root_certificate.crt >> server.crt
>> cat SUBDOMAIN.key root_certificate.key >> server.key
>> chmod 400 server.key
>>
>> sudo cp server.* /etc/nginx/ssl/
>>
>>
>> You need to configure OpenSSL (/etc/ssl/openssl.cnf) before you execute
>> most commands, since it will reduce the typing and errors in the process
>> of creating a correct, valid root certificate...
>>
>> Ref.:
>> https://help.ubuntu.com/community/OpenSSL
>> https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
>> http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
>> http://www.digicert.com/ssl-certificate-installation-nginx.htm
>> http://technet.microsoft.com/en-us/library/cc772491.aspx
>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>> http://twentyeighttwelve.com/setting-up-your-own-certificate-authority-on-iis7-using-openssl-and-securing-your-web-api-with-client-certificates/
>>
>> You can also buy a CA for LAN here, but it is not going to continue for
>> very long; GoDaddy recently stopped emitting new certificates for LAN:
>> http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html?ap=ce046
>> Ref.: http://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls
>>
>> Hope it helps
>>
>> :)
>>
>> Richard
>>
>>
>>
>> On Thu, Jan 16, 2014 at 2:12 PM, Keith Planer <[email protected]> wrote:
>>
>>> I understand this link might have some guidance for me, but the link is
>>> down: http://www.web2py.com/AlterEgo/default/show/140
>>>
>>> --
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "web2py-users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>>
>>> For more options, visit https://groups.google.com/groups/opt_out.
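The CA-plus-server-certificate procedure in Richard's reply, carried through non-interactively as an added example (not code from the thread, from web2py or from simpatica), followed by the checks a deployer should run before anything is copied to the web server: the leaf verifies against the root, the hostname matches, and the key file that goes to nginx holds only the server's own private key. The CA name, the hostname www.example.test and the file names are assumptions.

```shell
# Added example, not from the thread: private CA + one server certificate,
# then the pre-deployment checks. Names and paths are constructed.
set -eu

build_demo_pki() {
    dir=$(mktemp -d)
    cd "$dir"
    # Minimal config so nothing prompts and the CA gets proper extensions
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Root CA: this key never leaves the CA host, so lock it down at creation
    openssl genrsa -out root_certificate.key 2048 2>/dev/null
    chmod 400 root_certificate.key
    openssl req -x509 -new -key root_certificate.key -days 3650 -sha256 \
        -config ca.cnf -extensions v3_ca -out root_certificate.crt
    # Server key and CSR (no passphrase, no challenge password)
    openssl genrsa -out server.key 2048 2>/dev/null
    chmod 400 server.key
    openssl req -new -key server.key -config ca.cnf \
        -subj "/CN=www.example.test" -out server.csr
    # Sign the CSR with the root; -CAcreateserial keeps a serial file as in the thread
    openssl x509 -req -in server.csr -CA root_certificate.crt -CAkey root_certificate.key \
        -CAcreateserial -days 825 -sha256 -extfile ca.cnf -extensions v3_server \
        -out server.crt 2>/dev/null
    # Chain bundle for nginx: leaf first, then the CA certificate, never the CA key
    cat server.crt root_certificate.crt > chain.crt
    # Checks: leaf chains to the root, name matches, exactly one private key
    # (the server's own) in the file that will be handed to nginx
    openssl verify -CAfile root_certificate.crt server.crt >/dev/null
    openssl x509 -in server.crt -noout -checkhost www.example.test >/dev/null
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' server.key)" -eq 1 ]
    # Leaf certificate and key must belong together
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ]
    echo "$dir"
}
```

The function prints the working directory on success and exits non-zero if any step or check fails, so it can gate a deployment script.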

