projects / blog.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add GnuTLS and secure LDAP information.
[blog.git] / posts / X.509_certificates.mdwn
diff --git a/posts/X.509_certificates.mdwn b/posts/X.509_certificates.mdwn
index 02a8a4dd9e2be46efb796e7a25485b549d1da29b..f683df2974be7906ad29b00160e096e85ae89932 100644 (file)
--- a/posts/X.509_certificates.mdwn
+++ b/posts/X.509_certificates.mdwn
@@ -1,8 +1,47 @@
 If you're running your own server, your probably not shelling out $400
 to get an "official" Certificate Authority to sign your key.  Here's a
 quick not to myself about how to create and sign your own key.
+Depending on your application, you can use either the [[GnuTLS]] or
+[OpenSSL][] toolchain.
 
-Use [openssl][]'s [genpkey][] to generate an *unencrypted* public key.
+GnuTLS
+------
+
+Following the [GnuTLS manual][gnutls-manual], create a certificate
+authority with [certtool][], adjusting the `cn` as you see fit:
+
+    $ certtool --generate-privkey > x509-ca-key.pem
+    $ echo 'cn = GnuTLS test CA' > ca.tmpl
+    $ echo 'ca' >> ca.tmpl
+    $ echo 'cert_signing_key' >> ca.tmpl
+    $ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
+        --template ca.tmpl --outfile x509-ca.pem
+
+Now generate the *unencrypted* server key.
+
+    $ certtool --generate-privkey > x509-server-key.pem
+
+And sign the key with your CA, adjusting the `cn` as you see fit, and
+changing `dns_name` to match your fully qualified host name.
+
+    $ echo 'organization = GnuTLS test server' > server.tmpl
+    $ echo 'cn = test.gnutls.org' >> server.tmpl
+    $ echo 'tls_www_server' >> server.tmpl
+    $ echo 'encryption_key' >> server.tmpl
+    $ echo 'signing_key' >> server.tmpl
+    $ echo 'dns_name = test.gnutls.org' >> server.tmpl
+    $ certtool --generate-certificate --load-privkey x509-server-key.pem \
+        --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+        --template server.tmpl --outfile x509-server.pem
+
+You can also print certificates with [certtool][].
+
+    $ certtool --infile x509-server.pem --certificate-info
+
+OpenSSL
+-------
+
+Use [openssl][]'s [genpkey][] to generate an *unencrypted* key.
 
     $ openssl genpkey -algorithm RSA -out key.pem
 
@@ -30,7 +69,9 @@ You can also print certificates with [x509][].
 
     $ openssl x509 -in cert.pem -noout -text
 
-[openssl]: http://www.openssl.org/docs/apps/openssl.html
+[gnutls-manual]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html
+[certtool]: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html#Invoking-certtool
+[OpenSSL]: http://www.openssl.org/docs/apps/openssl.html
 [genpkey]: http://www.openssl.org/docs/apps/genpkey.html
 [req]: http://www.openssl.org/docs/apps/req.html
 [x509]: http://www.openssl.org/docs/apps/x509.html
"unfolding disasters" ikiwiki blog.