s SECURING CONNECTIONS AND REMOTE ADMINISTRATION in Font

Generation DataMatrix in Font s SECURING CONNECTIONS AND REMOTE ADMINISTRATION

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [AU]: State or Province Name (full name) [New South Wales]: Locality Name (eg, city) [Sydney]: Organization Name (eg, company) [puppy.yourdomain.com]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:puppy.yourdomain.com Email Address []:admin@puppy.yourdomain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: The last two prompts are for extra information. The first is the provision of a challenge password. The challenge password is optionally used to authenticate the process of certificate revocation. Certificate revocation allows you to revoke the validity of a particular certificate, and I will cover that briefly shortly. In most cases you can simply leave this blank by hitting Enter. You can also leave the second optional company name blank. In Listing 3-5 you could also have used the -nodes option to create the certificate and private key. This tells OpenSSL not to secure the certificate with a passphrase. This allows you to use the certificate for authenticating services such as the Simple Mail Transfer Protocol (SMTP), which have no scope to enter a passphrase, and a connection would simply hang waiting for the passphrase to be entered. Listing 3-5 will create two files, puppy.yourdomain.com.key.pem and puppy.yourdomain.com.csr. These files consist of a key file for your system and a certificate request for your system. With these files, now the final stage of your certificate creation is to sign the certificate request using your new CA. In the event you used a commercial CA, this is the point at which you would submit the puppy.yourdomain.com.csr certificate request to the commercial CA for signing. Since you are using your own CA, you continue onto the signing stage on your local system. You can see this stage in Listing 3-6. Listing 3-6. Signing Your Certificate Request puppy# openssl ca -config /etc/ssl/certs/puppyCA/openssl.cnf -policy policy_anything -out puppy.yourdomain.com.cert.pem -infiles puppy.yourdomain.com.csr Using configuration from /etc/ssl/certs/puppyCA/openssl.cnf Enter pass phrase for /etc/ssl/certs/puppyCA/private/cakey.pem: Check that the request matches the signature Signature ok

Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jun 19 02:35:17 2004 GMT Not After : Jun 19 02:35:17 2005 GMT Subject: countryName = AU stateOrProvinceName = New South Wales localityName = Sydney organizationName = puppy.yourdomain.com commonName = puppy.yourdomain.com emailAddress = admin@puppy.yourdomain.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 7A:D2:26:2C:D2:19:79:F9:5E:51:53:2C:9E:89:1E:94:48:F5:DA:A2 X509v3 Authority Key Identifier: keyid:50:27:56:92:74:26:FC:F1:3D:18:75:8D:49:D2:85:06:EA:15:C2:4E DirName:/C=AU/ST=New South Wales/L=Sydney/O=ABC Enterprises Pty Ltd/CN=James Turnbull/emailAddress=root@puppy.yourdomain.com serial:00 Certificate is to be certified until Jun 19 02:35:17 2005 GMT (365 days) Sign the certificate [y/n]:y 1 out of 1 certificate requests certified, commit [y/n]y Write out database with 1 new entries Data Base Updated This will output a final file called puppy.yourdomain.com.cert.pem, which is your certificate file. You can now delete the certificate request file, puppy.yourdomain.com.csr.

s Note You can use whatever naming convention you like for your certificates, keys, and requests. I just use the previous convention because it represents a simple way to identify all of your SSL components and to what system they belong.

Finally, change the permissions of the puppyCA directory and of the files in the directory to ensure they are more secure. puppy# puppy# puppy# puppy# cd /etc/ssl chmod 0755 certs cd certs chmod -R 0400 *

Now you have your first set of keys and certificates and can use them to secure your TLS connections.