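#selle dokumendi tegi Keith Siilats. Viimane versioon on alati
#http://www.siilats.com/ca/securitymanual.txt
#kopeeri niipalju kui tahad senikaua kuni need esimesed neli rida alles jatad ja
#koik muudatused ka keith@siilats.com mailid
#
# (English: this document was made by Keith Siilats; the latest version is always at
#  http://www.siilats.com/ca/securitymanual.txt. Copy as much as you want as long as you
#  keep the first four lines above, and mail all changes to keith@siilats.com.)
#
# overview: you are going to generate two certificates, one through xenroll.dll with IE5 from
# verisign and the other, a free one by your own certification authority using www.openssl.org
# The pkcs manual pages also help: http://www.openssl.org/docs/apps/pkcs12.html
# http://www.openssl.org/docs/apps/req.html etc.
#
# NOTE: this is a step-by-step walkthrough meant to be typed interactively, one command at a
# time (it contains an ftp session, vi and lynx), not a script to run unattended.

# Private keys are written to disk below (pkcs12 -nodes, openssl rsa). Set a restrictive umask
# first so they are created mode 0600 instead of being world/group-readable until the later
# recursive chmod runs.
umask 077

# --- fetch and install openssl -------------------------------------------------------------
# The following five lines are an interactive ftp session: the commands after "ftp ..." are
# typed at the ftp> prompt.
ftp ftp.sunsite.org.uk
binary
cd /Mirrors/ftp.redhat.com/pub/contrib/libc6/i386/
mget openssl*
quit
# Check the package signature before installing anything fetched from a mirror.
rpm --checksig openssl-0.9.5a-1.i386.rpm
rpm -U --force -vv openssl-0.9.5a-1.i386.rpm
# or
# rpm -i --force -vv openssl-0.9.5a-1.i386.rpm
# you should also not try the force option initially

# --- configure openssl and create the CA ---------------------------------------------------
# In that file be sure to set the validity to more than 365 days, the name and other details,
# and the common name www.ieg.ee.
# Make sure you edit the right openssl.cnf file afterwards; a copy goes into the
# /var/lib/etc directory.
vi /usr/local/ssl/openssl.cnf
export OPENSSL_CONF=/usr/local/ssl/openssl.cnf
# -p: the directory may already exist (this step is repeated further down).
mkdir -p /var/lib/ssl/etc
cp ../openssl.cnf /var/lib/ssl/etc/
cd misc/
./CA.pl -help
# If you have already done this step wrongly once, you have to rename the newCA directory.
./CA.pl -newca
lynx http://www.openssl.org/docs/apps/CA.pl.html

# --- get a verisign test certificate on windows --------------------------------------------
# now is a good time to go in windows to
# http://www.siilats.com/ca/getverisign.htm
# before doing that make sure you get the high encryption pack from windowsupdate.microsoft.com
# and get yourself a test verisign cert
# export it to a pfx file with private keys and ftp it over to your unix
# (the pfx contains the private key: plain ftp sends it in clear, prefer an encrypted
#  transfer such as scp, and delete the copy on the windows side afterwards)
mv /home/keith/export.pfx /usr/local/ssl/misc/
cd /usr/local/ssl/misc/

# --- extract the verisign key material from the pfx ----------------------------------------
# basically here you generate all the real information from your pfx file
# hansa requires the certonly.pem file
# -nodes writes the private key UNENCRYPTED; it relies on the umask/chmod below for protection.
openssl pkcs12 -in export.pfx -clcerts -out private.key -nocerts -nodes
openssl pkcs12 -in export.pfx -clcerts -out certonly.pem -nokeys
openssl pkcs12 -in export.pfx -clcerts -out keys.pem
openssl rsa -in keys.pem -pubout -out pubkey.pem -text
# "-p-text" in the original is not an openssl rsa option; -text is what was meant.
openssl rsa -in keys.pem -text >private.key
openssl rsa -in keys.pem -pubout -text >public.key
# now you should create a folder and move everything there and set them to non read
mkdir -p verisign
mv private.key verisign
# etc...
# Private key files get owner-only permissions explicitly; the recursive o-r only removes
# "other" read and leaves the group bit as the umask left it.
chmod 600 verisign/private.key keys.pem
chmod -R o-r -- *
# substitute root with whoever you are logged in as
chown -R root:root -- *

# --- create your own certificate ------------------------------------------------------------
# ok now its time to create your own certificate, so you wouldn't have to pay verisign
cd /usr/local/ssl/misc/
# make sure you set validity to something reasonable and your names etc
vi /usr/local/ssl/openssl.cnf
export OPENSSL_CONF=/usr/local/ssl/openssl.cnf
mkdir -p /var/lib/ssl/etc
cp ../openssl.cnf /var/lib/ssl/etc/
# make sure common name is your server
./CA.pl -newcert
# if something goes wrong and you need to redo this you need to delete the previous certificate
# in demoCA folder, file: 01.pem and one line in index.txt
./CA.pl -signcert
./CA.pl -pkcs12
# read the http://www.openssl.org/docs/apps/CA.pl.html as to where your files are
mkdir -p myowncerts
cp newcert.p12 myowncerts/usercertprivcacert.pfx
# hansa wants this certnopriv file
openssl pkcs12 -in newcert.p12 -out certnopriv.pem -nokeys
cp certnopriv.pem myowncerts/
chown -R root:root -- *
chmod -R o-r -- *
chmod -R o-w -- *
# now ftp everything you have in myowncerts to your windows machine
# (usercertprivcacert.pfx contains a private key: same caveat as above, prefer scp)
# doubleclick on pfx file, import it both to root and your personal (ie 2 imports)
# and send the certnopriv.pem to hansa
# if you want you can download www.pgpi.com latest version
# then you could also import all your pfx files
# you can also import your certification authority files, so that your pgp is a ca
# you want to ftp the ca.pfx file over
# ca.pfx bundles the CA's private key; anyone holding it can issue certificates your
# clients trust, so keep it off shared machines and protect it with a strong export password.
openssl pkcs12 -export -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -out ca.pfx
chmod 600 ca.pfx
# in ie the place to look at your certs is tools:internet options:content:certificates
# in pgp just use keys:import
# finally and most importantly
# if you want to use your certificates to get SSL working you need to import them to
# HKLOCAL MACHINE. Basically if you doubleclick on a pfx file you need to specify that it goes
# to local machine and not let windows figure it out.
# ieg root certificate authority cer file is at www.siilats.com/ca/iegroot.cer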