OT: Looking for advice on SSL certs
Michael Butash
michael at butash.net
Thu Mar 13 12:53:08 MST 2014
It's still encrypted, it's just not "trusted". I usually do this to ssl
encrypt a site, but don't care about the cert popup.
If it's something where you control the clients (think enterprise AD
environment), you can always self-sign a CA, push the CA cert to clients
as a trusted CA (i.e. windoze GPO auto-enroll push for cert
distribution), and you shouldn't get that anymore assuming the CNs are
valid. Or just make everyone using it install the CA cert as "trusted",
even with a self-signed CA cert. I have a quickie openssl recipe to
create one, see below (for ubuntu, dirs may change for dists):

This is normally how an enterprise cert infrastructure is done,
specifically NOT using external trusts for internal applications, EAP
for wired/wireless authentication/encryption, or whatever use.
#########
## 2) setup openssl for ca generation of certs for ssl
cd /etc/ssl
sudo vi openssl.cnf
## see appendix for details on what to change
#################################################
## notable changes to /etc/ssl/openssl.cnf
[ CA_default ]
dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/ca.local.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number; must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.local.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $STATE$
localityName = Locality Name (eg, city)
localityName_default = $SNMPLOCATION$
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Organization, Inc.
organizationalUnitName = Your Organizational Unit Name
organizationalUnitName_default = Network Planning & Engineering
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Your Email Address
emailAddress_default = $SNMPCONTACT$
emailAddress_max = 64
#################################################
## note: find/replace local your dns extension to the host
## find/replace ca01 and netmon01 as appropriate
sudo openssl req -new -x509 -extensions v3_ca -keyout ./private/ca.local.key -out ./certs/ca.local.pem -days 1461 -config ./openssl.cnf
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr -keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf
sudo mkdir newcerts
sudo touch index.txt
sudo vi ./serial
## add to file "100001"
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config ./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr
sudo su -
cd /etc/ssl/private
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out $HOSTNAME$.$DOMAIN$-clear.key
exit
-mb
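Added example, not part of Michael's recipe or the list post: a self-contained script that builds a throwaway private CA in a scratch directory, issues a server cert, and then checks chain and hostname the way a client that trusts that CA would. It uses its own minimal openssl.cnf instead of editing /etc/ssl/openssl.cnf, and the names ca.local and netmon01.local are placeholders; it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the list post): private CA + server cert + client-side
# check. The server cert carries the hostname as a SAN: modern browsers match the
# SAN, not the CN, so a CN-only cert still warns even when the CA is trusted.
# Placeholder names: ca.local (the CA), netmon01.local (the server).
set -eu

# write_cfg DIR : minimal openssl.cnf so the run does not depend on the
# distribution's /etc/ssl/openssl.cnf (the recipe above edits that file instead)
write_cfg() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca DIR : self-signed CA key + cert (4 years, like the recipe's -days 1461)
make_ca() {
  write_cfg "$1"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 1461 -config "$1/openssl.cnf" \
    -subj "/C=US/O=Example Org/CN=ca.local" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR FQDN : CSR, then a CA-signed server cert with FQDN as a SAN
issue_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/$2.ext"
  openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# verify_host DIR FQDN CERT : exit 0 only if CERT chains to the CA and matches FQDN
verify_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_ca "$WORK"
issue_cert "$WORK" netmon01.local
verify_host "$WORK" netmon01.local "$WORK/netmon01.local.crt" && echo "netmon01.local: chain and hostname OK"
verify_host "$WORK" other.local "$WORK/netmon01.local.crt" || echo "other.local: rejected, name not in SAN"
```

Distributing ca.pem to the clients (GPO, or a manual import) is what makes the first check pass in a browser; the second check is the warning you still get when the name on the cert does not match the URL.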
On 03/13/2014 11:03 AM, Mark Phillips wrote:
>
> I would like to find an inexpensive (ie really cheap) ssl cert for a
> project I am working on. I have a self-signed certificate now, and I
> would like to get rid of the annoying warning messages.
>
> A side question. When I click on "continue" in the warning message, I
> connect to the site. However, the https in the Chrome browser bar is
> red and has a slash through it. Does that mean the traffic is not
> encrypted, or is it just another warning that the cert is not verified?
>
> All I need to do is encrypt the traffic between the browser and
> server. There is no e-commerce involved. The content contains some
> sensitive financial info, so I would like to encrypt it.
>
> I googled for cheap certs, and there are many providers, so I have no
> idea which ones are any good. If you have any experience with a
> particular provider, please let me know.
>
> Thanks,
>
> Mark
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss