diff options
Diffstat (limited to 'share')
-rw-r--r-- | share/junkCA/Certificate commands OpenSSL.txt | 164 |
1 files changed, 82 insertions, 82 deletions
diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt index 0167ee1..2ae6963 100644 --- a/share/junkCA/Certificate commands OpenSSL.txt +++ b/share/junkCA/Certificate commands OpenSSL.txt | |||
@@ -1,82 +1,82 @@ | |||
1 | To generate a cert request and sign it with the JunkCA | 1 | To generate a cert request and sign it with the JunkCA |
2 | 2 | ||
3 | REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! | 3 | REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! |
4 | 4 | ||
5 | Generate a Host Key: | 5 | Generate a Host Key: |
6 | openssl genrsa -out host.key 2048 | 6 | openssl genrsa -out host.key 2048 |
7 | 7 | ||
8 | Generate a Certificate signing request with *OpenSSL*: | 8 | Generate a Certificate signing request with *OpenSSL*: |
9 | openssl req -new -nodes -key host.key -out host.csr | 9 | openssl req -new -nodes -key host.key -out host.csr |
10 | When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. | 10 | When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. |
11 | 11 | ||
12 | Or you could; | 12 | Or you could; |
13 | 13 | ||
14 | Generate a Certificate request with the *IIS Snapin*: | 14 | Generate a Certificate request with the *IIS Snapin*: |
15 | Go to Control Panel ---> Administrative tools ---> Internet Information Services | 15 | Go to Control Panel ---> Administrative tools ---> Internet Information Services |
16 | Pick a web site on your server. | 16 | Pick a web site on your server. |
17 | right click, choose properties from the context menu | 17 | right click, choose properties from the context menu |
18 | Go to the Directory Security tab | 18 | Go to the Directory Security tab |
19 | Click On the 'Server Certificate...' button | 19 | Click On the 'Server Certificate...' button |
20 | Click 'Prepare the request now, but send it later' and then follow the wizard. | 20 | Click 'Prepare the request now, but send it later' and then follow the wizard. |
21 | Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert | 21 | Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert |
22 | 22 | ||
23 | Sign the certificate request with the junkCA; | 23 | Sign the certificate request with the junkCA; |
24 | openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer | 24 | openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer |
25 | 25 | ||
26 | Import it into your MY store on windows. | 26 | Import it into your MY store on windows. |
27 | 27 | ||
28 | If you used OpenSSL to generate the certificate; | 28 | If you used OpenSSL to generate the certificate; |
29 | openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" | 29 | openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" |
30 | server.crt is the signed cert from the CA. | 30 | server.crt is the signed cert from the CA. |
31 | server.key.unsecure is the *unencrypted* private key. | 31 | server.key.unsecure is the *unencrypted* private key. |
32 | 32 | ||
33 | You will be asked for a password, set this if you want. | 33 | You will be asked for a password, set this if you want. |
34 | 34 | ||
35 | In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. | 35 | In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. |
36 | 36 | ||
37 | In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. | 37 | In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. |
38 | 38 | ||
39 | If you used the IIS Snap-in, | 39 | If you used the IIS Snap-in, |
40 | Go to Control Panel ---> Administrative tools ---> Internet Information Services | 40 | Go to Control Panel ---> Administrative tools ---> Internet Information Services |
41 | Pick a web site on your server. | 41 | Pick a web site on your server. |
42 | right click, choose properties from the context menu | 42 | right click, choose properties from the context menu |
43 | Go to the Directory Security tab | 43 | Go to the Directory Security tab |
44 | Click On the 'Server Certificate...' button | 44 | Click On the 'Server Certificate...' button |
45 | Choose the radio button that says, 'Assign an existing certificate' | 45 | Choose the radio button that says, 'Assign an existing certificate' |
46 | 46 | ||
47 | 47 | ||
48 | Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. | 48 | Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. |
49 | httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert | 49 | httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert |
50 | 50 | ||
51 | After that, make sure to set-up your opensim.ini! | 51 | After that, make sure to set-up your opensim.ini! |
52 | 52 | ||
53 | 53 | ||
54 | OpenSSL can be found: | 54 | OpenSSL can be found: |
55 | http://www.slproweb.com/products/Win32OpenSSL.html | 55 | http://www.slproweb.com/products/Win32OpenSSL.html |
56 | 56 | ||
57 | httpcfg.exe for windowsXP can be found: | 57 | httpcfg.exe for windowsXP can be found: |
58 | http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en | 58 | http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en |
59 | 59 | ||
60 | Windows Vista users need to use netsh http! | 60 | Windows Vista users need to use netsh http! |
61 | 61 | ||
62 | --------------------------------------------------- | 62 | --------------------------------------------------- |
63 | 63 | ||
64 | Additional notes | 64 | Additional notes |
65 | 65 | ||
66 | To create your own CA | 66 | To create your own CA |
67 | 67 | ||
68 | openssl genrsa -out yourCA.key 2048 | 68 | openssl genrsa -out yourCA.key 2048 |
69 | openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt | 69 | openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt |
70 | 70 | ||
71 | and the final step.. (AND THIS IS IMPORTANT) | 71 | and the final step.. (AND THIS IS IMPORTANT) |
72 | 72 | ||
73 | openssl x509 -in CA.crt -out yourCA.pem -outform PEM | 73 | openssl x509 -in CA.crt -out yourCA.pem -outform PEM |
74 | 74 | ||
75 | The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file | 75 | The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file |
76 | so that it can validate certificates that are generated from your CA. | 76 | so that it can validate certificates that are generated from your CA. |
77 | 77 | ||
78 | One last important thing! | 78 | One last important thing! |
79 | 79 | ||
80 | All users that connect with linden clients | 80 | All users that connect with linden clients |
81 | using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about | 81 | using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about |
82 | their clock being wrong! | 82 | their clock being wrong! |