openssl scripts

Summary:
Have you LOOKED at the prices for buying an SSL certificate from VeriSign or some of the other bozos? It's gotten totally ridiculous and WAY out of hand. So, I've setup my own CA (Certificate Authority) using OpenSSL to create certificates for whatever, whevener I need.

Syntax:
This is the raw syntax. Explanations come later.

One time only - create CA certificate

# cd ssl.scripts
# ./0createkey.sh ../ssl.key/ca.key
# ./1createcsr.sh ../ssl.key/ca.key ../ssl.csr/ca.csr
# vi signCAcsr.cnf     #you probbably want to change this config stuff
# ./2signCAcsr.sh ../ssl.key/ca.key ../ssl.csr/ca.csr ../ssl.crt/ca.crt
# ./3encryptkey.sh ../ssl.key/ca.key

Every other time - generate server SSL certificate

# cd ssl.scripts
# ./0createkey.sh ../ssl.key/foo.key
# ./1createcsr.sh ../ssl.key/foo.key ../ssl.csr/foo.csr
# vi signcsr.cnf     		#you probbably want to change this config stuff the first time
# echo "01" > signcsr.serial	#once again, only the first time!
# ./2signcsr.sh ../ssl.csr/foo.csr ../ssl.crt/foo.crt
# ./3encryptkey.sh ../ssl.key/foo.key

Explanations:

• .key files are your private keys. Please be careful with them.
• .csr files are your certificate requests. This is where you enter stuff about your server.
• .crt files are your certificates. This is what enables SSL/TLS. Your public key is stored here.

Notes:

• This is based on the default certificate creations done by mod_ssl for apache. It's nothing fancy (that's for SURE) but it does the job.
  
  
• To keep a count of the certificates signed, the "signcsr.serial" MUST be created.
  
  
• The directories that are being used are:

  drwxr-xr-x   2 web      www          512 Feb 10  2001 ssl.crl
  drwxr-xr-x   2 web      www          512 Jul 13 13:23 ssl.crt
  drwxr-xr-x   2 web      www          512 Sep 14  2001 ssl.csr
  drwx------   2 web      www          512 Sep 14  2001 ssl.key
  drwxr-xr-x   2 web      www          512 Feb 10  2001 ssl.prm
  drwx------   2 root     other        512 Jun  4 17:23 ssl.scripts
  

  I suggest that you leave the perms the same way.
  
  
• Once you have your ca.crt file, I suggest you get it to all the clients that intend to use you SSL services. I have found that it's best if you post it on your website as something like "sitename.cacert" and then add the following to your mime.types file:

  application/x-x509-ca-cert      cacert
  application/x-x509-server-cert  scert
  application/x-x509-user-cert    ucert
  application/x-x509-email-cert   ecert
  

  This way not only your CA certificate will be read by your clients, but all other types of certificates as well.
  

Limitations:

• I've never revoked a certificate (ssl.crl for revocation lists) or used DSA parameters (ssl.prm) so you're not going to find anything here about those directories.
  
  
• I've also never had to renew a certifcate yet. However, you might find some help at the Linux Documentation Project
  
  

Source:

• 0createkey.sh
• 1createcsr.sh
• 2signCAcsr.sh
• 2signcsr.sh
• 3encryptkey.sh
• createcsr.cnf
• signCAcsr.cnf
• signcsr.cnf