1
0

Certificate commands OpenSSL.txt 3.6 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586
  1. To generate a cert request and sign it with the JunkCA
  2. REMEMBER TO APPEND THE CA2.pem file to the bottom of the app_settings/CA.pem in the Linden client folders or you won't be able to connect!
  3. Generate a Host Key:
  4. openssl genrsa -out host.key 2048
  5. Generate a Certificate signing request with *OpenSSL*:
  6. openssl req -new -nodes -key host.key -out host.csr
  7. When prompted for: 'Common Name (eg, YOUR name) []:', please type the domain name that this certificate will be used on.
  8. Or you could;
  9. Generate a Certificate request with the *IIS Snapin*:
  10. Go to Control Panel ---> Administrative tools ---> Internet Information Services
  11. Pick a web site on your server.
  12. right click, choose properties from the context menu
  13. Go to the Directory Security tab
  14. Click On the 'Server Certificate...' button
  15. Click 'Prepare the request now, but send it later' and then follow the wizard.
  16. Be sure to type the common name as the domain name that you will be servicing. www.osgrid.org or whatever server will be using this cert
  17. Sign the certificate request with the junkCA;
  18. openssl x509 -req -days 3620 -CA CA.crt -CAkey CA.key -CAcreateserial -in host.csr -out signed.cer
  19. Import it into your MY store on windows.
  20. If you used OpenSSL to generate the certificate;
  21. openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"
  22. server.crt is the signed cert from the CA.
  23. server.key.unsecure is the *unencrypted* private key.
  24. You will be asked for a password, set this if you want.
  25. In Windows, fire up "mmc", add the certificates Snap-in, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.
  26. In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.
  27. If you used the IIS Snap-in,
  28. Go to Control Panel ---> Administrative tools ---> Internet Information Services
  29. Pick a web site on your server.
  30. right click, choose properties from the context menu
  31. Go to the Directory Security tab
  32. Click On the 'Server Certificate...' button
  33. Choose the radio button that says, 'Assign an existing certificate'
  34. Mono, you must use httpcfg in the Mono-1.9.1/lib/mono/2.0 folder.
  35. httpcfg -add -port <TYPE HTTPS PORT> -pvk <TYPE PRIVATE KEY FILE> -cert MyCert
  36. From Lexa:
  37. It expect the key to be in the windows pvk format
  38. pvk -in host.key -nocrypt -out host.pvk -topvk" and use -pvk host.pvk
  39. pvk is a package on FreeBSD that gets installed as part of the Mono installation
  40. After that, make sure to set-up your opensim.ini!
  41. OpenSSL can be found:
  42. http://www.slproweb.com/products/Win32OpenSSL.html
  43. httpcfg.exe for windowsXP can be found:
  44. http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
  45. Windows Vista users need to use netsh http!
  46. ---------------------------------------------------
  47. Additional notes
  48. To create your own CA
  49. openssl genrsa -out yourCA.key 2048
  50. openssl req -new -key yourCA.key -x509 -days 3620 -out yourCA.crt
  51. and the final step.. (AND THIS IS IMPORTANT)
  52. openssl x509 -in CA.crt -out yourCA.pem -outform PEM
  53. The last step will produce a certificate in the PEM format that you can append to the Linden client's app_settings/CA.pem file
  54. so that it can validate certificates that are generated from your CA.
  55. One last important thing!
  56. All users that connect with linden clients
  57. using SSL NEED the pem file you created in that last step appended to theirs, or their client will give them a weird error about
  58. their clock being wrong!