Generating an SSL cert and enabling kssl on a T2000

This is a walkthrough of how you might generate your own SSL certs and use them with a web server with kssl on Solaris 10. Start by setting up your own certificates:

oaf207# cd /opt/SUNWwbsvr/CA
oaf207# openssl
oaf207# mkdir certs crl newcerts private
oaf207# echo "01" > serial
oaf207# cp /dev/null index.txt
oaf207# cp /etc/sfw/openssl/openssl.cnf .
oaf207# vi openssl.cnf

and change
dir             = /etc/sfw/openssl      # Where everything is kept
to
dir             = /opt/SUNWwbsvr/CA

oaf207# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 \
> -config openssl.cnf

Generating a 1024 bit RSA private key
....++++++
...++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:ie
State or Province Name (full name) [Some-State]:dublin
Locality Name (eg, city) []:clontarf
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:sun
Organizational Unit Name (eg, section) []:perf
Common Name (eg, YOUR name) []:testuser
Email Address []:configure_ssl@sun.com

oaf207# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 \
> -config openssl.cnf

Generating a 1024 bit RSA private key
....++++++
..................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:ie
State or Province Name (full name) [Some-State]:dublin
Locality Name (eg, city) []:clontarf
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:sun
Organizational Unit Name (eg, section) []:perf
Common Name (eg, YOUR name) []:testuser
Email Address []:configure_ssl@sun.com

oaf207#  openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem

Getting request Private Key
Generating certificate request

oaf207# openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem \
> -infiles tmp.pem

Using configuration from openssl.cnf
6789:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/on10/build-nd/G10U2B2/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
Enter pass phrase for /opt/SUNWwbsvr/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  4 15:08:50 2006 GMT
            Not After : Aug  4 15:08:50 2007 GMT
        Subject:
            countryName               = ie
            stateOrProvinceName       = dublin
            localityName              = clontarf
            organizationName          = sun
            organizationalUnitName    = perf
            commonName                = testuser
            emailAddress              = configure_ssl@sun.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FC:8D:C6:7C:D5:92:13:45:0E:85:74:8F:E1:3C:C8:89:B2:29:89:17
            X509v3 Authority Key Identifier:
                keyid:6F:DF:38:7D:D1:E7:C6:B5:ED:8D:19:57:13:CC:C4:2F:C0:2E:64:C6
                DirName:/C=ie/ST=dublin/L=clontarf/O=sun/OU=perf/CN=testuser/emailAddress=configure_ssl@sun.com
                serial:00

Certificate is to be certified until Aug  4 15:08:50 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

oaf207# ksslcfg create -f pem -i `pwd`/newreq.pem -x 8080 -p \
> /opt/SUNWwbsvr/alias/password 443

oaf207# svcs |grep kssl
online         12:17:41 svc:/network/ssl/proxy:kssl-INADDR_ANY-443
oaf207# 
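
The file given to ksslcfg above, newreq.pem, holds the private key and the self-signed certificate, while the CA-signed certificate is written to newcert.pem. The script below is an added example, not part of the original post: a pre-flight check that the private key in a PEM bundle matches its certificate and that the certificate verifies against the CA, run against constructed sample files. The helper names, signed_bundle.pem, the 2048-bit throwaway keys, the use of openssl x509 -req in place of openssl ca, and OpenSSL 1.0.0 or later (for openssl pkey) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the PEM file passed to `ksslcfg create -i`.
# Helper names and file names other than the page's own are hypothetical.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# check_bundle BUNDLE CAFILE: print one status word; return 0 only for "ok".
check_bundle() {
  bundle=$1; ca=$2
  cert_pub=$(pubkey_of_cert "$bundle") || { echo no-cert; return 1; }
  key_pub=$(pubkey_of_key "$bundle")   || { echo no-key; return 1; }
  # The private key must belong to the certificate that will be served.
  [ "$cert_pub" = "$key_pub" ] || { echo key-mismatch; return 1; }
  # The certificate must chain to the CA that clients are told to trust.
  openssl verify -CAfile "$ca" "$bundle" 2>/dev/null | grep -q ': OK$' \
    || { echo not-signed-by-ca; return 1; }
  echo ok
}

# make_sample DIR: build constructed test material with throwaway keys.
make_sample() {
  d=$1
  # Throwaway CA, standing in for private/cakey.pem and cacert.pem.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/O=example/CN=Example Test CA" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  # Key plus self-signed certificate in one file, like the page's newreq.pem.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/O=example/CN=testuser" \
    -keyout "$d/key.pem" -out "$d/self.pem" 2>/dev/null
  cat "$d/key.pem" "$d/self.pem" > "$d/newreq.pem"
  # CSR from the same key, signed by the CA (x509 -req replaces `openssl ca`).
  openssl req -new -key "$d/key.pem" -subj "/O=example/CN=testuser" \
    -out "$d/tmp.pem" 2>/dev/null
  openssl x509 -req -in "$d/tmp.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 365 -out "$d/newcert.pem" 2>/dev/null
  # Bundle that pairs the key with the CA-signed certificate.
  cat "$d/key.pem" "$d/newcert.pem" > "$d/signed_bundle.pem"
}

demo() {
  dir=$(mktemp -d) || return 1
  make_sample "$dir" || return 1
  echo "newreq.pem:        $(check_bundle "$dir/newreq.pem" "$dir/cacert.pem")"
  echo "signed_bundle.pem: $(check_bundle "$dir/signed_bundle.pem" "$dir/cacert.pem")"
  rm -rf "$dir"
}
demo
```

To have kssl serve the CA-signed certificate, the file given to ksslcfg -i would be the key concatenated with newcert.pem rather than newreq.pem.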
About

nickyv
