Changes

From Amahi Wiki
259 bytes removed, 12:48, 31 October 2018
'''NOTE:''' Leaving the defaults at the prompts will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else; any command that does not contain "asecretpassword" can be copied and pasted as-is. "asecretpassword" is the passphrase that encrypts the private key file (the -passout / -passin options), not the optional challenge password asked for in the certificate request. If you don't understand what this means, read about [http://en.wikipedia.org/wiki/Public-key_cryptography public-key cryptography], which is essentially what SSL uses.
'''Old text (removed):'''

1. Create a sub-folder of '''/etc/httpd/''' called '''ssl.crt'''
<pre><nowiki>mkdir /etc/httpd/ssl.crt</nowiki></pre>
2. Generate a new private key file, called server.key.org, and output the file to /etc/httpd/ssl.crt (our newly created folder). '''**REMEMBER TO CHANGE "asecretpassword" TO A PASSWORD OF YOUR CHOICE**'''
<pre><nowiki>openssl genrsa -des3 -passout pass:asecretpassword -out /etc/httpd/ssl.crt/server.key.org 1024</nowiki></pre>
The output should look something like:
{{META_BOX_Green||Generating RSA private key, 1024 bit long modulus<br>.........++++++<br>....++++++<br>e is 65537 (0x10001)}}
(A 1024-bit RSA key is below current minimum recommendations; browsers reject such certificates, which is one reason the new text below uses 2048 bits.)

3. Create server.csr and server.crt from our newly generated key (server.key.org):
<pre><nowiki>openssl req -new -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -out /etc/httpd/ssl.crt/server.csr -days 3650
openssl req -x509 -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -in /etc/httpd/ssl.crt/server.csr -out /etc/httpd/ssl.crt/server.crt -days 3650</nowiki></pre>
The output of these commands will look something like:
{{META_BOX_Green||You are about to be asked to enter information that will be incorporated<br>into your certificate request.<br>What you are about to enter is what is called a Distinguished Name or a DN.<br>There are quite a few fields but you can leave some blank<br>For some fields there will be a default value,<br>If you enter '.', the field will be left blank.<br><nowiki>-----</nowiki><br>Country Name (2 letter code) [XX]:<br>State or Province Name (full name) [ ]:<br>Locality Name (eg, city) [Default City]:<br>Organization Name (eg, company) [Default Company Ltd]:<br>Organizational Unit Name (eg, section) [ ]:<br>Common Name (eg, your name or your server's hostname) [ ]:<br>Email Address [ ]:<br><br>Please enter the following 'extra' attributes<br>to be sent with your certificate request<br>A challenge password [ ]:<br>An optional company name [ ]:}}
You should make entries at each stage in the second section (after Country Name...).

4. Create a third new file, server.key, from our self-generated key (server.key.org).

5. Create another sub-folder of '''/etc/httpd/''' called '''ssl.key''' and move our newly created server.key to this folder:
<pre><nowiki>mkdir /etc/httpd/ssl.key
mv /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
chmod 400 /etc/httpd/ssl.key/server.key</nowiki></pre>

'''New text (added):'''

As of Chrome version 58, the Chrome browser requires SSL certificates to carry a SAN (Subject Alternative Name) and no longer falls back to the Common Name (CN) when matching the hostname. A certificate that has only a CN produces an error in the Security Overview section (Chrome's developer tools), telling the user that the SAN is missing. A new method of creating the certificate is therefore required.

1. Change directory to /etc/httpd/ and switch to the root user
<pre><nowiki>cd /etc/httpd/
sudo -s</nowiki></pre>
2. Create a new file createRootCA.sh using vi, nano, or your favorite text editor. This generates a private root CA (passphrase-protected key plus self-signed certificate) that will sign the server certificate.
<pre><nowiki>#!/usr/bin/env bash
mkdir ~/ssl/
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem</nowiki></pre>
3. Now create another file, createselfsignedcertificate.sh. It generates the server key and certificate request from server.csr.cnf, then has the root CA sign it with the extensions in v3.ext:
<pre><nowiki>#!/usr/bin/env bash
mkdir /etc/httpd/ssl.crt
mkdir /etc/httpd/ssl.key
sudo openssl req -new -sha256 -nodes -out /etc/httpd/ssl.crt/server.csr -newkey rsa:2048 -keyout /etc/httpd/ssl.crt/server.key -config /etc/httpd/server.csr.cnf
sudo openssl x509 -req -in /etc/httpd/ssl.crt/server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out /etc/httpd/ssl.crt/server.crt -days 3650 -sha256 -extfile /etc/httpd/v3.ext</nowiki></pre>
4. Create the configuration file server.csr.cnf in /etc/httpd/. Adjust the [dn] values to your own; because prompt = no, nothing is asked interactively.
<pre><nowiki>[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=Maryland
L=Annapolis
O=Home Administrator
OU=HDA Domain
emailAddress=your-address@your-domain.com
CN = localhost</nowiki></pre>
5. Now create a file called v3.ext in /etc/httpd/ holding the X.509 v3 extensions for the server certificate. Replace yourdomain with your real domain, and list every name the server will be reached by, since the browser matches against the SAN only:
<pre><nowiki>authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = hda
DNS.3 = hda.yourdomain
DNS.4 = cockpit.yourdomain</nowiki></pre>
6. Now it's time to create your certificates. Run createRootCA.sh and follow the prompts (the passphrase for the root CA key, then the Distinguished Name of the CA)
<pre><nowiki>bash ./createRootCA.sh</nowiki></pre>
Then run createselfsignedcertificate.sh; it will ask for the root CA passphrase when signing
<pre><nowiki>bash ./createselfsignedcertificate.sh</nowiki></pre>
7. Copy your newly created server.key to the ssl.key directory and restrict its permissions.
<pre><nowiki>cp /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
chmod 400 /etc/httpd/ssl.key/server.key</nowiki></pre>
Two things to check afterwards. The copy of server.key left in /etc/httpd/ssl.crt is still readable; delete it (or use mv instead of cp) so the private key is not lying next to the certificate. Also, the root CA above is valid for 1024 days but the server certificate for 3650, so the server certificate outlives the CA that vouches for it and stops validating once rootCA.pem expires; issue the leaf for no longer than the root (Safari on Apple platforms additionally rejects server certificates valid for more than 825 days). Finally, rootCA.pem has to be imported into the trust store of every client machine and browser, otherwise the certificate is still reported as untrusted.
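The two procedures above (the old CN-only self-signed certificate and the new CA-signed certificate with a SAN) are illustrated by the following script, which is an added example and not code from the Amahi wiki or its createRootCA.sh/createselfsignedcertificate.sh. It builds a root CA and a SAN-bearing server certificate non-interactively into a scratch directory and then checks the two things a browser actually cares about: that the certificate chains to the CA and that the requested hostname appears in the SAN. The directory, the CA subject, the hostnames, the unencrypted CA key and the 825-day validity are assumptions for the demo; the wiki's createRootCA.sh uses -des3, which prompts for a passphrase.

```bash
#!/usr/bin/env bash
# Added example (not from the Amahi wiki): private root CA + SAN server
# certificate, generated without prompts, followed by the checks Chrome 58+
# performs. Works with openssl 1.1.1 and 3.x; paths and names are assumptions.
set -eu

# make_san_cert DIR HOSTNAME...  -- build rootCA.{key,pem} and server.{key,crt}
# in DIR, putting every HOSTNAME into the subjectAltName extension.
make_san_cert() {
    dir="$1"; shift
    mkdir -p "$dir"

    # Root CA. The key is left unencrypted so the demo runs unattended;
    # the wiki's script protects it with -des3 instead.
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
        -subj "/C=US/O=Home Administrator/CN=Home root CA" -out "$dir/rootCA.pem"

    # Server key and CSR. The DN still carries a CN, but only for display:
    # hostname matching is done against the SAN added at signing time.
    cat > "$dir/server.csr.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = US
O = Home Administrator
CN = localhost
EOF
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/server.csr.cnf" 2>/dev/null

    # X.509 v3 extensions for an end-entity TLS server certificate.
    {
        echo "authorityKeyIdentifier=keyid,issuer"
        echo "basicConstraints=CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "extendedKeyUsage = serverAuth"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        i=1
        for n in "$@"; do echo "DNS.$i = $n"; i=$((i + 1)); done
    } > "$dir/v3.ext"

    # 825 days: the longest validity Apple platforms accept for a server cert,
    # and shorter than the root CA so the leaf never outlives its issuer.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/v3.ext" -out "$dir/server.crt" 2>/dev/null

    chmod 400 "$dir/server.key" "$dir/rootCA.key"
}

# has_san CERT -- 0 if CERT carries a subjectAltName extension at all
# (its absence is exactly what Chrome's Security Overview complains about).
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# check_hostname CERT CAFILE HOST -- 0 if CERT chains to CAFILE and is valid
# for HOST, i.e. the same verification a browser does for https://HOST/.
check_hostname() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Usage (scratch directory; names are assumptions):
#   make_san_cert /tmp/demo-ssl localhost hda hda.example.test
#   check_hostname /tmp/demo-ssl/server.crt /tmp/demo-ssl/rootCA.pem hda.example.test
```

A name that is missing from the DNS.n list fails check_hostname even though the certificate itself is perfectly valid, which is the failure mode the Chrome 58 change exposes: add every hostname (hda, hda.yourdomain, cockpit.yourdomain, ...) to v3.ext before signing, because a certificate cannot be amended afterwards.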