OT: Looking for advice on SSL certs

Michael Butash michael at butash.net
Thu Mar 13 12:53:08 MST 2014 

It's still encrypted, it's just not "trusted".  I usually do this to ssl 
encrypt a site, but don't care about the cert popup.

If it's something you control the clients (think enterprise AD 
environment), you can always self-sign a ca, push the ca cert to clients 
as a trusted ca (ie. windoze gpo auto-enroll push for cert 
distribution), and you shouldn't get that anymore assuming the CN's are 
valid.  Or just make everyone using it install the CA cert as "trusted", 
even with a self-signed CA cert.  I have a quickie openssl recipe to 
create, see below (for ubuntu, dir's may change for dists):

This is normally now an enterprise cert infrastructure is done, 
specifically NOT using external trusts for internal applications, eap 
for wired/wireless authentication/encryption, or whatever use.

#########
## 2) setup openssl for ca generation of certs for ssl

cd /etc/ssl

sudo vi openssl.cnf

## see appendix for details on what to change
#################################################
## notable changes to /etc/ssl/openssl.cnf

[ CA_default ]

dir             = /etc/ssl        # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                         # several ctificates with same 
subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/certs/ca.local.pem    # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                         # must be commented out to 
leavea V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.local.key    # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $STATE$

localityName                    = Locality Name (eg, city)
localityName_default            = $SNMPLOCATION$

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company Organization, Inc.

organizationalUnitName          = Your Organizational Unit Name
organizationalUnitName_default  = Network Planning & Engineering

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Your Email Address
emailAddress_default            = $SNMPCONTACT$
emailAddress_max                = 64

#################################################
## note: find/replace local your dns extension to the host
## find/replace ca01 and netmon01 as appropriate

sudo openssl req -new -x509 -extensions v3_ca -keyout 
./private/ca.local.key -out ./certs/ca.local.pem -days 1461 -config 
./openssl.cnf
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr 
-keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf
sudo mkdir newcerts
sudo touch index.txt
sudo vi ./serial
## add to file "100001"
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config 
./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr
sudo su -
cd /etc/ssl/private
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out $HOSTNAME$.$DOMAIN$-clear.key
exit

-mb


On 03/13/2014 11:03 AM, Mark Phillips wrote:
>
> I would like to find an inexpensive (ie really cheap) ssl cert for a 
> project I am working on. I have a self-signed certificate now, and I 
> would like to get rid of the annoying warning messages.
>
> A side question. When I click on "continue" in the warning message, I 
> connect to the site. However, the https in the Chrome browser bar is 
> red and has a slash through it. Does that mean the traffic is not 
> encrypted, or is it just another warning that the cert is not verified?
>
> All I need to do is encrypt the traffic between the browser and 
> server. There is no e-commerce involved. The content contains some 
> sensitive financial info, so I would like to encrypt it.
>
> I googled for cheap certs, and there are many providers, so I have no 
> idea which ones are any good. If you have any experience with a 
> particular provider, pleaser let me know.
>
> Thanks,
>
> Mark
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20140313/9b72bbad/attachment.html>

More information about the PLUG-discuss mailing list