diff options
| author | Teravus Ovares | 2008-09-14 18:39:17 +0000 |
|---|---|---|
| committer | Teravus Ovares | 2008-09-14 18:39:17 +0000 |
| commit | dbbbec48dfbc51f30953d8a46f4fc8f192bd277c (patch) | |
| tree | 218f93b95724e8bdc9a9c6e986268f2101c1eb6e /share/junkCA/Certificate commands OpenSSL.txt | |
| parent | Added some further clipping to color- and alpha-values. (diff) | |
| download | opensim-SC_OLD-dbbbec48dfbc51f30953d8a46f4fc8f192bd277c.zip opensim-SC_OLD-dbbbec48dfbc51f30953d8a46f4fc8f192bd277c.tar.gz opensim-SC_OLD-dbbbec48dfbc51f30953d8a46f4fc8f192bd277c.tar.bz2 opensim-SC_OLD-dbbbec48dfbc51f30953d8a46f4fc8f192bd277c.tar.xz | |
* This update makes configuring SSL a little easier on Windows XP. It also makes it possible to run a HTTPS server on the region. It also has a junk Certification authority for test purposes.
* There are still a lot of things that are hard coded to use http. They need to be fixed.
* Also includes directions
* A standard junk PEM file to append to app_settings/CA.pem in the client so SSL will work
Diffstat (limited to '')
| -rw-r--r-- | share/junkCA/Certificate commands OpenSSL.txt | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt new file mode 100644 index 0000000..0167ee1 --- /dev/null +++ b/share/junkCA/Certificate commands OpenSSL.txt | |||
| @@ -0,0 +1,82 @@ | |||
| 1 | To generate a cert request and sign it with the JunkCA | ||
| 2 | |||
| 3 | REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! | ||
| 4 | |||
| 5 | Generate a Host Key: | ||
| 6 | openssl genrsa -out host.key 2048 | ||
| 7 | |||
| 8 | Generate a Certificate signing request with *OpenSSL*: | ||
| 9 | openssl req -new -nodes -key host.key -out host.csr | ||
| 10 | When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. | ||
| 11 | |||
| 12 | Or you could; | ||
| 13 | |||
| 14 | Generate a Certificate request with the *IIS Snapin*: | ||
| 15 | Go to Control Panel ---> Administrative tools ---> Internet Information Services | ||
| 16 | Pick a web site on your server. | ||
| 17 | right click, choose properties from the context menu | ||
| 18 | Go to the Directory Security tab | ||
| 19 | Click On the 'Server Certificate...' button | ||
| 20 | Click 'Prepare the request now, but send it later' and then follow the wizard. | ||
| 21 | Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert | ||
| 22 | |||
| 23 | Sign the certificate request with the junkCA; | ||
| 24 | openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer | ||
| 25 | |||
| 26 | Import it into your MY store on windows. | ||
| 27 | |||
| 28 | If you used OpenSSL to generate the certificate; | ||
| 29 | openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" | ||
| 30 | server.crt is the signed cert from the CA. | ||
| 31 | server.key.unsecure is the *unencrypted* private key. | ||
| 32 | |||
| 33 | You will be asked for a password, set this if you want. | ||
| 34 | |||
| 35 | In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. | ||
| 36 | |||
| 37 | In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. | ||
| 38 | |||
| 39 | If you used the IIS Snap-in, | ||
| 40 | Go to Control Panel ---> Administrative tools ---> Internet Information Services | ||
| 41 | Pick a web site on your server. | ||
| 42 | right click, choose properties from the context menu | ||
| 43 | Go to the Directory Security tab | ||
| 44 | Click On the 'Server Certificate...' button | ||
| 45 | Choose the radio button that says, 'Assign an existing certificate' | ||
| 46 | |||
| 47 | |||
| 48 | Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. | ||
| 49 | httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert | ||
| 50 | |||
| 51 | After that, make sure to set-up your opensim.ini! | ||
| 52 | |||
| 53 | |||
| 54 | OpenSSL can be found: | ||
| 55 | http://www.slproweb.com/products/Win32OpenSSL.html | ||
| 56 | |||
| 57 | httpcfg.exe for windowsXP can be found: | ||
| 58 | http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en | ||
| 59 | |||
| 60 | Windows Vista users need to use netsh http! | ||
| 61 | |||
| 62 | --------------------------------------------------- | ||
| 63 | |||
| 64 | Additional notes | ||
| 65 | |||
| 66 | To create your own CA | ||
| 67 | |||
| 68 | openssl genrsa -out yourCA.key 2048 | ||
| 69 | openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt | ||
| 70 | |||
| 71 | and the final step.. (AND THIS IS IMPORTANT) | ||
| 72 | |||
| 73 | openssl x509 -in CA.crt -out yourCA.pem -outform PEM | ||
| 74 | |||
| 75 | The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file | ||
| 76 | so that it can validate certificates that are generated from your CA. | ||
| 77 | |||
| 78 | One last important thing! | ||
| 79 | |||
| 80 | All users that connect with linden clients | ||
| 81 | using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about | ||
| 82 | their clock being wrong! | ||