That is really nice Michele, thanks for sharing this...

Richard
On Fri, Jan 17, 2014 at 12:37 PM, Michele Comitini <[email protected]> wrote:
> I do not think you need a CA, but if you do, there is a PKI (and CA) for
> web2py, I created for personal needs.
> It allows you to create server certificate and manage client certificates.
>
> https://code.google.com/p/simpatica/
>
> No instructions, the code is simple as it is the interface, and there are
> just 2 requirements besides web2py:
> - pyopenssl
> - M2Crypto
>
> mic
>
>
> 2014/1/17 Keith Planer <[email protected]>
>
>> Thank you for the detailed explanation, I will take time to make this
>> work, thanks.
>>
>>
>> On Thursday, January 16, 2014 3:07:32 PM UTC-6, Richard wrote:
>>
>>> Except if you need SSL only for your own (as a developer) needs, I
>>> suggest you walk the extra mile and create your own CA and sign your SSL
>>> certificate; then you deploy the CA through GPO with AD and you will not be
>>> bothered again about self-signed SSL certificates...
>>>
>>> The link "here" you refer to seems to talk about what I said... Deploy a
>>> self-signed root certificate or CA, not a self-signed SSL certificate...
>>>
>>> What is important is that your CA be in p12 or PKCS#12 format that
>>> contains the key and the certificate...
>>>
>>> To generate the certificates you can use these commands:
>>>
>>> # Create the key of the root certificate for the Certification Authority
>>> # (genrsa has no -config option; /etc/ssl/openssl.cnf is used by "req" and "ca" below)
>>> openssl genrsa -des3 -out root_certificate.key 2048
>>> chmod 400 root_certificate.key
>>> cp root_certificate.key /etc/ssl/private/root_certificate.key
>>> # Self-sign the root certificate with that key
>>> openssl req -x509 -new -key root_certificate.key -days 3650 -out root_certificate.crt -config /etc/ssl/openssl.cnf
>>> cp root_certificate.crt /etc/ssl/certs/root_certificate.crt
>>> # For Windows and IE to understand the root certificate it needs a .p12 file that contains the key and certificate of the CA
>>> # Here we create a PEM file containing the key and the certificate of our root CA
>>> cat root_certificate.key root_certificate.crt > root_certificate_key_crt.pem
>>> chmod 400 root_certificate_key_crt.pem
>>> # Then we create the .p12 file
>>> openssl pkcs12 -export -out root_certificate.p12 -in root_certificate_key_crt.pem -name "SUBDOMAIN CA Certificate PKCS#12"
>>>
>>> # Create an SSL certificate
>>> openssl genrsa -out SUBDOMAIN.key 2048
>>> chmod 400 SUBDOMAIN.key
>>> # For a self-signed certificate (uncomment the lines below if required)
>>> # openssl req -new -x509 -nodes -sha256 -days 3650 -key SUBDOMAIN.key > SUBDOMAIN.crt
>>> # openssl x509 -noout -fingerprint -text < SUBDOMAIN.crt > SUBDOMAIN.info
>>> # For an SSL certificate signed by the Certification Authority you need to issue a "certificate signing request" for it
>>> openssl req -new -key SUBDOMAIN.key -out SUBDOMAIN.csr
>>> # NOTE: Don't use a challenge password, because you will be prompted for the password each time the webserver reboots...
>>>
>>> # Sign the other SSL key with the root certificate key
>>> # openssl x509 -req -in SUBDOMAIN.csr -CA root_certificate.crt -CAkey root_certificate.key -CAcreateserial -out SUBDOMAIN.crt -days 3650
>>> # NOTE: This command should work, but to make sure the database gets updated and a copy of the
>>> # certificate with its serial number is kept, the "openssl ca" command below is better, after
>>> # customizing /etc/ssl/openssl.cnf. The directories and files it uses must exist first:
>>> sudo mkdir -p /etc/ssl/CA /etc/ssl/newcerts /etc/ssl/crl
>>> sudo touch /etc/ssl/CA/index.txt
>>> echo 1000 | sudo tee /etc/ssl/CA/serial
>>> openssl ca -config /etc/ssl/openssl.cnf -out SUBDOMAIN.crt -infiles SUBDOMAIN.csr
>>>
>>> # Deployment
>>> # Set the config required in /etc/ssl/openssl.cnf so that the root certificate and the SSL certificate get created in place.
>>> # server.crt is the chain: the server certificate first, then the CA certificate
>>> cat SUBDOMAIN.crt root_certificate.crt > server.crt
>>> # server.key holds only the server's private key; the CA key must never be copied to the web server
>>> cp SUBDOMAIN.key server.key
>>> chmod 400 server.key
>>>
>>> sudo cp server.* /etc/nginx/ssl/
>>>
>>>
>>> You need to configure OpenSSL (/etc/ssl/openssl.cnf) before executing most
>>> of these commands, since it will reduce the typing and the errors in the process of
>>> creating a correct, valid root certificate...
>>>
>>> Ref.:
>>> https://help.ubuntu.com/community/OpenSSL
>>> https://help.ubuntu.com/10.04/serverguide/certificates-and-security.html
>>> http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
>>> http://www.digicert.com/ssl-certificate-installation-nginx.htm
>>> http://technet.microsoft.com/en-us/library/cc772491.aspx
>>> http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
>>> http://twentyeighttwelve.com/setting-up-your-own-certificate-authority-on-iis7-using-openssl-and-securing-your-web-api-with-client-certificates/
>>>
>>> You can also buy a CA for LAN here, but it is not going to continue for
>>> very long; GoDaddy recently stopped issuing new certificates for LAN:
>>> http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html?ap=ce046
>>> Ref.: http://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls
>>>
>>> Hope it helps
>>>
>>> :)
>>>
>>> Richard
>>>
>>>
>>>
>>> On Thu, Jan 16, 2014 at 2:12 PM, Keith Planer <[email protected]> wrote:
>>>
>>>> I understand this link might have some guidance for me, but the link is
>>>> down: http://www.web2py.com/AlterEgo/default/show/140
>>>>
>>>> --
>>>> Resources:
>>>> - http://web2py.com
>>>> - http://web2py.com/book (Documentation)
>>>> - http://github.com/web2py/web2py (Source code)
>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "web2py-users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>>
>>>> For more options, visit https://groups.google.com/groups/opt_out.
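The private-CA procedure quoted in Richard's message, redone as an added example; this is not code from the post, from web2py or from simpatica. It is a self-contained bash script that carries its own openssl.cnf (so it does not depend on /etc/ssl/openssl.cnf), issues the server certificate through "openssl ca" with a subjectAltName (browsers have ignored the CN for years, so a CN-only certificate like the one the quoted commands produce is rejected), writes server.crt as the leaf-plus-CA chain nginx expects, and keeps the CA private key out of server.key. The CA subject "Example Lab Root CA", the host app.lab.example and the directory layout are assumptions made for the example; the CA key is generated without a passphrase only so the script runs unattended.

```bash
#!/usr/bin/env bash
# Added example (not from the mailing-list post): a minimal private CA that
# issues a server certificate with a subjectAltName and keeps the CA key off
# the web server.  Needs the openssl CLI (1.1.1 or newer).
# Assumed names: the CA subject and the "app.lab.example" host in the demo.
set -eu

# Build a CA directory with its own openssl.cnf.  The CA key is written
# unencrypted only so the example is non-interactive; a real CA key should be
# passphrase-protected (openssl genrsa -aes256 ...) and never live on a server.
make_ca() {
    local ca="$1"
    mkdir -p "$ca/private" "$ca/newcerts"
    chmod 700 "$ca/private"
    touch "$ca/index.txt"          # issuance database used by "openssl ca"
    echo 1000 > "$ca/serial"       # next serial number, hex
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
new_certs_dir   = $ca/newcerts
database        = $ca/index.txt
serial          = $ca/serial
private_key     = $ca/private/ca.key
certificate     = $ca/ca.crt
default_md      = sha256
default_days    = 825
policy          = policy_cn
unique_subject  = no

[ policy_cn ]
commonName      = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName      = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null
    chmod 400 "$ca/private/ca.key"
    # Self-signed root.  ca.crt (certificate only, no key) is the file to push
    # to clients via GPO or a browser trust store.
    openssl req -x509 -new -key "$ca/private/ca.key" -days 3650 -sha256 \
        -subj "/CN=Example Lab Root CA" -config "$ca/openssl.cnf" \
        -extensions v3_ca -out "$ca/ca.crt"
}

# Issue a leaf certificate for FQDN.  Writes server.key (leaf key only) and
# server.crt (leaf followed by the CA certificate) into OUT.
issue_server_cert() {
    local ca="$1" fqdn="$2" out="$3"
    mkdir -p "$out"
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    chmod 400 "$out/server.key"
    # No challenge password: the subject is all the CSR needs to carry.
    openssl req -new -key "$out/server.key" -subj "/CN=$fqdn" \
        -config "$ca/openssl.cnf" -out "$out/server.csr"
    # Leaf extensions, including the SAN that browsers match the host against.
    cat > "$out/server.ext" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$fqdn
EOF
    # "openssl ca" records the issuance in index.txt and advances serial.
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -extfile "$out/server.ext" -extensions server_ext \
        -in "$out/server.csr" -out "$out/leaf.crt" 2>/dev/null
    cat "$out/leaf.crt" "$ca/ca.crt" > "$out/server.crt"
}

# Checks to run before copying server.* to the web server.
verify_chain() {        # exit 0 iff the leaf validates against the CA cert
    local ca="$1" out="$2"
    openssl verify -CAfile "$ca/ca.crt" "$out/leaf.crt" >/dev/null 2>&1
}
has_san() {             # exit 0 iff the first cert in $1 carries DNS:$2
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
private_key_count() {   # prints how many private keys a PEM file holds
    grep -c 'BEGIN .*PRIVATE KEY' "$1" || true
}

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_ca "$work/ca"
    issue_server_cert "$work/ca" "app.lab.example" "$work/site"
    verify_chain "$work/ca" "$work/site" && echo "chain OK"
    has_san "$work/site/server.crt" app.lab.example && echo "SAN OK"
    echo "private keys in server.key: $(private_key_count "$work/site/server.key")"
fi
```

Run it with "bash ca.sh --demo". Only ca.crt leaves the CA directory; server.key and server.crt go to /etc/nginx/ssl/, and the CA key stays (encrypted, in real use) on the machine that signs CSRs.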

