Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Creating a CA in openSUSE

  1. #1
    Join Date
    Jun 2008
    Location
    The Netherlands
    Posts
    1,273

    Default Creating a CA in openSUSE

    Hi All,

    Was wondering if there is a good howto on how to setup or recreate a Certificate Authority. Also generating new certificates and where to place them so Apache will use it (maybe even how to let Apache use different certificates depending on which link has been accessed by the user).

    Doing this in openSUSE is still a bit vague to me.

    I've found an older script here Apache SSL CA Generator - SUSE 10.1. Seems it should work in 11.x but it would be nice to be able to do this using YaST's CA tool.

    SLES handles the CA and certificate generation automatically during install. Wondering how that is done. Anyone know if this is based on the same Apache SSL CA Generator script?

    Appreciate your help!

    Cheers,
    Wj
    Have a lot of fun!

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Creating a CA in openSUSE

    There's an app called tinyca2 which will give you a nice front end to the openssl ops required. Otherwise the documentation that comes with openssl explains everything.

    Remember that the browser will do a reverse lookup on the IP address and compare the result with the name in the cert. So you will need the same name in all the certs. If you run virtual hosts then you will need multiple IP addresses or a wildcard cert, otherwise it will fail that check.

  3. #3
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Creating a CA in openSUSE

    BTW, don't hold me to this as I haven't thought it out fully yet, but I think you'll find that to use different certs for different parts of a website you'll need virtual hosts, as a SSL connection secures a (virtual) site, not a single transfer. And of course, if your certs are self-signed, you'll have these exception warnings from Firefox for each cert.

  4. #4
    Join Date
    Jun 2008
    Location
    Germany
    Posts
    301

    Default Re: Creating a CA in openSUSE

    Hi,

    I recently found, by accident, a step-by-step tutorial on how to create a CA with openssl. Have a look at http://www.suseblog.com/?p=339

    Hope this helps

  5. #5
    Join Date
    Jun 2008
    Location
    The Netherlands
    Posts
    1,273

    Default Re: Creating a CA in openSUSE

    Thanks for the quick replies Ken_yap & Monex!

    @ken_yap: thanks, will be looking into that one.
    Also FYI, there is a YaST module that should also make the CA setup easy (yast2-ca-management). The thing is that if you have to setup a CA from scratch, it's nice to have a step by step guide telling you a bit more about which things to look out for.
    The certificate chain can be a tricky thing to handle, especially if the CA is not setup correctly.

    @Monex: Very nice howto you've got there! I'll be having a good read through that too.

    If I can make a good translation of the steps mentioned using the YaST CA tool, I'll try to put up a guide for it. Seems this should have been documented already... but I can't seem to find any comprehensive info on the tool, just some loose notes. Might say more about my finding skills though.

    Cheers!
    Wj
    Have a lot of fun!

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,130
    Blog Entries
    2

    Default Re: Creating a CA in openSUSE

    Quote Originally Posted by ken_yap View Post
    BTW, don't hold me to this as I haven't thought it out fully yet, but I think you'll find that to use different certs for different parts of a website you'll need virtual hosts, as a SSL connection secures a (virtual) site, not a single transfer. And of course, if your certs are self-signed, you'll have these exception warnings from Firefox for each cert.
    Although that is normally the case, when supported (usually by the client app and most current browsers do) there is the wildcard certificate where the CN is something like

    *.domain.com

    instead of

    hostname.domain.com

    This example is of a certificate which can be used for any Hostname within domain.com

    This kind of certificate can be used in a number of different ways including different Hosts hosting different parts of the same website.

  7. #7
    Join Date
    Jun 2008
    Location
    The Netherlands
    Posts
    1,273

    Default Re: Creating a CA in openSUSE

    Quote Originally Posted by tsu2 View Post
    Although that is normally the case, when supported (usually by the client app and most current browsers do) there is the wildcard certificate where the CN is something like

    *.domain.com
    That would be an interesting one... But don't browsers always check against the FQDN, meaning the exact domain name?
    Have a lot of fun!

  8. #8
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Creating a CA in openSUSE

    No, that's the point of the wildcard. The match will be:

    site.domain.com : *.domain.com

    where : means compare. So various FQDNs will match the same certificate.

    However, that's all well if you want to use the certificate for multiple distinct hosts in the domain where distinct means different IP. (Doesn't imply different physical hosts, multiple IPs can be arranged via IP aliases, provided the addresses are available.) But as I understand it, Magic31 wants the other way, to have different areas covered by different certs. That could be costly, if that's what you want and you use commercial certs. If using self-signed certs, you'd have to overcome the browser's caution. I think this can be done by importing the certs ahead of time into the browser.
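
The comparison tsu2 and ken_yap describe in posts #6 and #8, as an added example that is not part of the thread: the wildcard rule as current browsers apply it (RFC 6125 section 6.4.3), where "*" stands for exactly one label, so "*.domain.com" covers site.domain.com but neither domain.com nor a.b.domain.com, and where names in subjectAltName take precedence over the CN. The certificates are constructed, in the layout Python's ssl.getpeercert() returns; no hostname here is real.

```python
"""Added example, not from the thread: how a TLS client decides whether a
server certificate is valid for the hostname it was asked to connect to,
including the wildcard rule discussed in posts #6 and #8. Follows RFC 6125
section 6.4.3 as current browsers apply it; every hostname and certificate
below is constructed for illustration."""

from typing import Dict, List


def match_name(pattern: str, hostname: str) -> bool:
    """True if the presented identifier `pattern` (a dNSName SAN entry or a
    legacy CN) matches `hostname`, the name from the URL the client opened."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only honoured as the whole leftmost label of a name with
    # at least two more labels: "*.domain.com" yes; "f*.domain.com", "*.com"
    # and "*.*.com" no.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # "*" stands for exactly one label, so "site.domain.com" matches but the
    # bare "domain.com" and the deeper "a.b.domain.com" do not.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches(cert: Dict, hostname: str) -> bool:
    """`cert` uses the layout of ssl.SSLSocket.getpeercert():
    {'subject': ((('commonName', 'x'),),), 'subjectAltName': (('DNS', 'x'),)}.
    If the certificate lists any DNS names in subjectAltName, only those
    count; the CN is consulted solely for old certificates without them
    (browsers have ignored the CN entirely for years)."""
    sans: List[str] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(match_name(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and match_name(value, hostname):
                return True
    return False


# Constructed certificates (not real); names are placeholders.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"),),
}
HOST_CERT = {
    "subject": ((("commonName", "hostname.domain.com"),),),
    "subjectAltName": (("DNS", "hostname.domain.com"), ("DNS", "www.domain.com")),
}
# CN and SAN disagree: the SAN wins, so the CN name is NOT accepted.
CN_VS_SAN_CERT = {
    "subject": ((("commonName", "cn.domain.com"),),),
    "subjectAltName": (("DNS", "san.domain.com"),),
}


def demo() -> Dict[str, bool]:
    """Map of 'cert:hostname' -> whether a browser would accept the pair."""
    cases = [
        ("wildcard", WILDCARD_CERT, "site.domain.com"),
        ("wildcard", WILDCARD_CERT, "domain.com"),
        ("wildcard", WILDCARD_CERT, "a.b.domain.com"),
        ("host", HOST_CERT, "www.domain.com"),
        ("host", HOST_CERT, "other.domain.com"),
        ("cn-vs-san", CN_VS_SAN_CERT, "cn.domain.com"),
    ]
    return {f"{name}:{host}": cert_matches(cert, host) for name, cert, host in cases}


if __name__ == "__main__":
    for pair, ok in demo().items():
        print(f"{pair:32} {'OK' if ok else 'MISMATCH'}")
```

The one-label rule is why a single "*.domain.com" certificate serves every direct subdomain but not the bare domain or anything nested deeper; a second name such as DNS:domain.com has to be added to the SAN list for that.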

  9. #9
    Join Date
    Jun 2008
    Location
    The Netherlands
    Posts
    1,273

    Default Re: Creating a CA in openSUSE

    Quote Originally Posted by ken_yap View Post
    No, that's the point of the wildcard. The match will be:

    site.domain.com : *.domain.com

    where : means compare. So various FQDNs will match the same certificate.
    Thanks, I never thought of that, as to me the wildcard seems to break one of the reasons for using certificates: verifying the host is who it says it is. Setting the CN to the FQDN seems more secure... But I always find this part more a false sense of security rather than an airtight one.

    ... But as I understand it, Magic31 wants the other way, to have different areas covered by different certs. That could be costly, if that's what you want and you use commercial certs. If using self-signed certs, you'd have to overcome the browser's caution. I think this can be done by importing the certs ahead of time into the browser.
    Right on target Ken_yap! For IE it's quite easy to instruct people to import the certificate and be done with the warning message.
    For Firefox (v3) it's even easier as they only have to indicate an exception when first accessing the site.

    I'll be giving all the tips given here a first try on Monday.. will let you know how that goes.
    And again, I want to see how easy the YaST CA tool makes this.

    I don't mind learning the console commands... but it's always that look I get when trying to share that knowledge with others... the look says it all: 'Ain't there a nice little clicky GUI I can click on that does this for me? (It's a kind of magic...)'

    Cheers!
    Wj
    Have a lot of fun!

  10. #10
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Creating a CA in openSUSE

    Quote Originally Posted by Magic31 View Post
    Thanks, ..I never thought of that, as to me the wild card seems to break one of the reasons for using certificates: verifying the host is who it says it is. setting the CN to the fqdn seems more secure.. But I always find this part more a false sense of security rather than an air tight one.
    Well in this case you are trusting the entire domain rather than one host. The danger would be if someone in-house obtained the private part of the cert and then set up an unauthorised host within the domain that would pass the comparison. The usual sysadmin precautions would be used to prevent this.

