From ab30c6dc62af2c8d46dafdcdaafcb6e9ec54325a Mon Sep 17 00:00:00 2001 From: Jeff Ames Date: Mon, 15 Sep 2008 14:21:57 +0000 Subject: Update svn properties, minor formatting cleanup, fix a compiler warning. --- share/junkCA/Certificate commands OpenSSL.txt | 164 +++++++++++++------------- 1 file changed, 82 insertions(+), 82 deletions(-) (limited to 'share/junkCA/Certificate commands OpenSSL.txt') diff --git a/share/junkCA/Certificate commands OpenSSL.txt b/share/junkCA/Certificate commands OpenSSL.txt index 0167ee1..2ae6963 100644 --- a/share/junkCA/Certificate commands OpenSSL.txt +++ b/share/junkCA/Certificate commands OpenSSL.txt @@ -1,82 +1,82 @@ -To generate a cert request and sign it with the JunkCA - -REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! - -Generate a Host Key: - openssl genrsa -out host.key 2048 - -Generate a Certificate signing request with *OpenSSL*: - openssl req -new -nodes -key host.key -out host.csr - When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. - -Or you could; - -Generate a Certificate request with the *IIS Snapin*: - Go to Control Panel ---> Administrative tools ---> Internet Information Services - Pick a web site on your server. - right click, choose properties from the context menu - Go to the Directory Security tab - Click On the 'Server Certificate...' button - Click 'Prepare the request now, but send it later' and then follow the wizard. - Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert - -Sign the certificate request with the junkCA; -openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer - -Import it into your MY store on windows. - - If you used OpenSSL to generate the certificate; - openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" - server.crt is the signed cert from the CA. - server.key.unsecure is the *unencrypted* private key. - - You will be asked for a password, set this if you want. - - In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. - - In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. - - If you used the IIS Snap-in, - Go to Control Panel ---> Administrative tools ---> Internet Information Services - Pick a web site on your server. - right click, choose properties from the context menu - Go to the Directory Security tab - Click On the 'Server Certificate...' button - Choose the radio button that says, 'Assign an existing certificate' - - -Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. - httpcfg -add -port -pvk -cert MyCert - -After that, make sure to set-up your opensim.ini! - - -OpenSSL can be found: -http://www.slproweb.com/products/Win32OpenSSL.html - -httpcfg.exe for windowsXP can be found: -http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en - -Windows Vista users need to use netsh http! - ---------------------------------------------------- - -Additional notes - -To create your own CA - -openssl genrsa -out yourCA.key 2048 -openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt - -and the final step.. (AND THIS IS IMPORTANT) - -openssl x509 -in CA.crt -out yourCA.pem -outform PEM - -The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file -so that it can validate certificates that are generated from your CA. - -One last important thing! - -All users that connect with linden clients -using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about -their clock being wrong! +To generate a cert request and sign it with the JunkCA + +REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect! + +Generate a Host Key: + openssl genrsa -out host.key 2048 + +Generate a Certificate signing request with *OpenSSL*: + openssl req -new -nodes -key host.key -out host.csr + When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on. + +Or you could; + +Generate a Certificate request with the *IIS Snapin*: + Go to Control Panel ---> Administrative tools ---> Internet Information Services + Pick a web site on your server. + right click, choose properties from the context menu + Go to the Directory Security tab + Click On the 'Server Certificate...' button + Click 'Prepare the request now, but send it later' and then follow the wizard. + Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert + +Sign the certificate request with the junkCA; +openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer + +Import it into your MY store on windows. + + If you used OpenSSL to generate the certificate; + openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert" + server.crt is the signed cert from the CA. + server.key.unsecure is the *unencrypted* private key. + + You will be asked for a password, set this if you want. + + In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier. + + In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed. + + If you used the IIS Snap-in, + Go to Control Panel ---> Administrative tools ---> Internet Information Services + Pick a web site on your server. + right click, choose properties from the context menu + Go to the Directory Security tab + Click On the 'Server Certificate...' button + Choose the radio button that says, 'Assign an existing certificate' + + +Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder. + httpcfg -add -port -pvk -cert MyCert + +After that, make sure to set-up your opensim.ini! + + +OpenSSL can be found: +http://www.slproweb.com/products/Win32OpenSSL.html + +httpcfg.exe for windowsXP can be found: +http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en + +Windows Vista users need to use netsh http! + +--------------------------------------------------- + +Additional notes + +To create your own CA + +openssl genrsa -out yourCA.key 2048 +openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt + +and the final step.. (AND THIS IS IMPORTANT) + +openssl x509 -in CA.crt -out yourCA.pem -outform PEM + +The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file +so that it can validate certificates that are generated from your CA. + +One last important thing! + +All users that connect with linden clients +using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about +their clock being wrong! -- cgit v1.1