1. Enable SSL.
sudo a2enmod ssl
2. Generate a private key without a passphrase,
openssl genrsa -out server.key 1024
or with a passphrase.
openssl genrsa -des3 -out server.key 1024
3. Create a certificate signing request.
openssl req -new -key server.key -out server.csr
4. Sign it yourself.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
5. Copy your new certificate and key to the appropriate places.
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
6. Edit your Apache site configuration and add these lines to the VirtualHost section.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/certs/server.crt
7. Create a certificate which you can give to a client, or a group of clients.
openssl pkcs12 -export -out client_cert.pfx -in server.crt -inkey server.key -name 'Certificate Name'
8. Make sure the client gets the client_cert.pfx file, which they install into their browser.
9. To use client_cert.pfx with Python's httplib or httplib2, it needs to be split into a key file and a certificate file.
openssl pkcs12 -clcerts -nokeys -in client_cert.pfx -out client_cert.pem
openssl pkcs12 -nocerts -in client_cert.pfx -out client_key.pem
10. Strip the passphrase from client_key.pem so Python does not prompt for a passphrase!
openssl rsa -in client_key.pem -out unsecured_client_key.pem
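The whole procedure as one script, added here as an example and not taken from the post: it assumes openssl 1.1.1 or newer on PATH, and the CN values, export password and file names are made up. It goes one step beyond the post by issuing the client its own certificate signed by server.crt, rather than handing out the server's own key and certificate, and ends with the two checks worth running before pointing Apache and Python at the files.

```shell
#!/bin/sh
# Added example, not from the post: steps 2-4, 7, 9 and 10 in one script, run in a
# scratch directory so nothing under /etc is touched. Assumes openssl 1.1.1+ on PATH;
# the CN values, export password and file names are invented for the example.
set -eu

build_client_cert_bundle() (
    cd "$1"
    # Steps 2-4: key, CSR, self-signed certificate. basicConstraints is added so the
    # certificate is accepted as an issuer when used as SSLCACertificateFile.
    # 2048-bit RSA rather than the post's 1024; no -des3, so no passphrase.
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=example.test" -out server.csr
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl x509 -req -days 365 -in server.csr -signkey server.key \
        -extfile ca.ext -out server.crt

    # Unlike step 7, the client gets its own key and a certificate signed by
    # server.crt, limited to client authentication, so the bundle handed out never
    # contains the server's private key. Chain depth is 1, matching SSLVerifyDepth 1.
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -subj "/CN=alice" -out client.csr
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -days 365 -in client.csr -CA server.crt -CAkey server.key \
        -CAcreateserial -extfile client.ext -out client.crt

    # Step 7: PKCS#12 bundle for the browser, protected by an export password.
    openssl pkcs12 -export -name 'alice' -passout pass:changeit \
        -in client.crt -inkey client.key -out client_cert.pfx

    # Steps 9 and 10: split the bundle into the PEM files httplib wants; -nodes
    # writes the key without a passphrase, replacing the separate 'openssl rsa' step.
    openssl pkcs12 -clcerts -nokeys -passin pass:changeit \
        -in client_cert.pfx -out client_cert.pem
    openssl pkcs12 -nocerts -nodes -passin pass:changeit \
        -in client_cert.pfx -out unsecured_client_key.pem
    chmod 600 server.key client.key unsecured_client_key.pem
)

# Checks to run before wiring the files into Apache and Python: the client
# certificate must verify against the CA file, and the key Python loads must
# not be encrypted (an encrypted key is what triggers the prompt in step 10).
client_cert_verifies() {
    openssl verify -CAfile "$1/server.crt" "$1/client_cert.pem" >/dev/null
}
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}
```

Source the script and call `build_client_cert_bundle` with an empty directory; the files it writes map one to one onto the paths used in steps 5, 6 and 9.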
3 comments:
And then, 6 days later you need to do it all again :) : http://www.ubuntu.com/usn/USN-612-1
To make it so Apache does not always ask for a password on restart, do the following in terminal:
(4a) openssl rsa -in server.key -out server.key.insecure
(4b) mv server.key server.key.secure
(4c) mv server.key.insecure server.key
This is NOT TLS-PSK (pre-shared key) as specified in RFC 4279, but the usage of pre-trusted client and server certificates. PSK is something different.