Archives / Search ›

Updating certificates

Evening at Adler was smaller and more intimate than I expected; the few photos I took are on Flickr. The last week has been rather busy, but in a good way—I’m getting work done. Paper revision is about 99% done, hopefully will be finished today, and I got Abe Fettig’s new Twisted book yesterday, which looks good so far. The annoying DSL outages at my parents’ place that started last week appear to be resolved, though it was an excuse to clean up my Nagios configuration, and get Cacti and Smokeping set up for some additional monitoring. Smokeping is extremely cool and easy to set up on Debian; I’m not sure why I hadn’t heard of it before.

Like many people, I run a bunch of private services for family, and we have our own certificate authority (CA) for SSL access to Web sites, mail, and so forth. When I’m home at Thanksgiving, as part of a larger transition to Mac OS X Server, I’ll probably move at least mail to Kerberos, which doesn’t require all the PKI stuff, but has its own problems.

Every year when Nagios starts bugging me that certificates are about to expire, I end up spending hours tracking down the right way to create a CA, sign certificates, install them, and so forth; for tools that are as widely used as they are, openssl and friends are not particularly user-friendly or flexible.

So, in an effort to save time next year, here’s what I came up with. Before doing the first few steps, you should edit /etc/ssl/openssl.cnf to include sane defaults appropriate to your site.

  • Create a new CA:
    # cd /etc/ssl
    # /usr/lib/ssl/misc/ -newca
    Accept defaults, except: 
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (eg, YOUR name) []:Rileys CA
    Email Address []
    # mv demoCA rileysCA
  • Create and sign a certificate request:
    # /usr/lib/ssl/misc/ -newreq
    Accept defaults, except:
    Email Address []
    # /usr/lib/ssl/misc/ -signreq
    # install -m 644 newcert.pem /etc/apache/ssl.crt/mail-server.crt
  • Remove the passphrase on the certificate; extract the private key
    # openssl rsa -in newreq.pem -out /etc/apache/ssl.key/mail-server.key
  • Restart Apache (note that “restart” won’t pull in the new certificate)
    # /etc/init.d/apache stop
    # /etc/init.d/apache start
  • Remove the CSR, it’s no longer needed
    # rm newreq.pem
  • Copy the CA cert to
    # scp /etc/ssl/rileysCA/cacert.pem nicholas@arnold:/var/www/
    # ssh nicholas@arnold chmod 644 /var/www/
  • Add the CA cert to the Macs
    % curl -O

    On Tiger:

    % sudo certtool i cacert.pem v k=/System/Library/Keychains/X509Anchors

    On Leopard, the above command returns a warning and is ineffective. Instead use:

    % sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain cacert.pem
  • Add the CA cert to the Debian machines (OpenSSL)
    # cd /etc/ssl/certs
    # wget -O rileys-ca.pem
    # chmod 644 rileys-ca.pem
    # update-ca-certificates

Update, February 2007:: Recent versions of Gecko-based browsers (and Thunderbird, etc.) give you a very confusing error message claiming that there’s a duplicate serial number, even if the certificate has only expired. (Since I create a new CA certificate every time, I don’t think this is giving me the right answer). So, you do need to remove the old certificate from the browser’s certificate store before adding the new one.

No comments yet. Be the first.

Leave a reply