aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/share/junkCA/Certificate commands OpenSSL.txt
diff options
context:
space:
mode:
authorJeff Ames2008-09-15 14:21:57 +0000
committerJeff Ames2008-09-15 14:21:57 +0000
commitab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a (patch)
tree0b8bdea1421e26deabec1ee3bedcf2664124d78d /share/junkCA/Certificate commands OpenSSL.txt
parentFrom: mike pitman <pitman@us.ibm.com> (diff)
downloadopensim-SC-ab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a.zip
opensim-SC-ab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a.tar.gz
opensim-SC-ab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a.tar.bz2
opensim-SC-ab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a.tar.xz
Update svn properties, minor formatting cleanup, fix a compiler warning.
Diffstat (limited to '')
-rw-r--r--share/junkCA/Certificate commands OpenSSL.txt164
1 files changed, 82 insertions, 82 deletions
diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt
index 0167ee1..2ae6963 100644
--- a/share/junkCA/Certificate commands OpenSSL.txt
+++ b/share/junkCA/Certificate commands OpenSSL.txt
@@ -1,82 +1,82 @@
1To generate a cert request and sign it with the JunkCA 1To generate a cert request and sign it with the JunkCA
2 2
3REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! 3REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!
4 4
5Generate a Host Key: 5Generate a Host Key:
6 openssl genrsa -out host.key 2048 6 openssl genrsa -out host.key 2048
7 7
8Generate a Certificate signing request with *OpenSSL*: 8Generate a Certificate signing request with *OpenSSL*:
9 openssl req -new -nodes -key host.key -out host.csr 9 openssl req -new -nodes -key host.key -out host.csr
10 When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. 10 When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.
11 11
12Or you could; 12Or you could;
13 13
14Generate a Certificate request with the *IIS Snapin*: 14Generate a Certificate request with the *IIS Snapin*:
15 Go to Control Panel ---> Administrative tools ---> Internet Information Services 15 Go to Control Panel ---> Administrative tools ---> Internet Information Services
16 Pick a web site on your server. 16 Pick a web site on your server.
17 right click, choose properties from the context menu 17 right click, choose properties from the context menu
18 Go to the Directory Security tab 18 Go to the Directory Security tab
19 Click On the 'Server Certificate...' button 19 Click On the 'Server Certificate...' button
20 Click 'Prepare the request now, but send it later' and then follow the wizard. 20 Click 'Prepare the request now, but send it later' and then follow the wizard.
21 Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert 21 Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert
22 22
23Sign the certificate request with the junkCA; 23Sign the certificate request with the junkCA;
24openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer 24openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer
25 25
26Import it into your MY store on windows. 26Import it into your MY store on windows.
27 27
28 If you used OpenSSL to generate the certificate; 28 If you used OpenSSL to generate the certificate;
29 openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" 29 openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"
30 server.crt is the signed cert from the CA. 30 server.crt is the signed cert from the CA.
31 server.key.unsecure is the *unencrypted* private key. 31 server.key.unsecure is the *unencrypted* private key.
32 32
33 You will be asked for a password, set this if you want. 33 You will be asked for a password, set this if you want.
34 34
35 In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. 35 In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.
36 36
37 In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. 37 In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.
38 38
39 If you used the IIS Snap-in, 39 If you used the IIS Snap-in,
40 Go to Control Panel ---> Administrative tools ---> Internet Information Services 40 Go to Control Panel ---> Administrative tools ---> Internet Information Services
41 Pick a web site on your server. 41 Pick a web site on your server.
42 right click, choose properties from the context menu 42 right click, choose properties from the context menu
43 Go to the Directory Security tab 43 Go to the Directory Security tab
44 Click On the 'Server Certificate...' button 44 Click On the 'Server Certificate...' button
45 Choose the radio button that says, 'Assign an existing certificate' 45 Choose the radio button that says, 'Assign an existing certificate'
46 46
47 47
48Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. 48Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.
49 httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert 49 httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert
50 50
51After that, make sure to set-up your opensim.ini! 51After that, make sure to set-up your opensim.ini!
52 52
53 53
54OpenSSL can be found: 54OpenSSL can be found:
55http://www.slproweb.com/products/Win32OpenSSL.html 55http://www.slproweb.com/products/Win32OpenSSL.html
56 56
57httpcfg.exe for windowsXP can be found: 57httpcfg.exe for windowsXP can be found:
58http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en 58http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
59 59
60Windows Vista users need to use netsh http! 60Windows Vista users need to use netsh http!
61 61
62--------------------------------------------------- 62---------------------------------------------------
63 63
64Additional notes 64Additional notes
65 65
66To create your own CA 66To create your own CA
67 67
68openssl genrsa -out yourCA.key 2048 68openssl genrsa -out yourCA.key 2048
69openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt 69openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt
70 70
71and the final step.. (AND THIS IS IMPORTANT) 71and the final step.. (AND THIS IS IMPORTANT)
72 72
73openssl x509 -in CA.crt -out yourCA.pem -outform PEM 73openssl x509 -in CA.crt -out yourCA.pem -outform PEM
74 74
75The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file 75The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file
76so that it can validate certificates that are generated from your CA. 76so that it can validate certificates that are generated from your CA.
77 77
78One last important thing! 78One last important thing!
79 79
80All users that connect with linden clients 80All users that connect with linden clients
81using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about 81using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about
82their clock being wrong! 82their clock being wrong!