On 12/19/2012 6:40 PM, Reindl Harald wrote:

Am 20.12.2012 00:31, schrieb /dev/rob0:

We don't know what you want. What is this certificate to be used for?
Do you want a self-signed certificate, or to run your own CA, or to
submit your CSR to an external CA?
There is no difference between self-signed and submitting to an external CA;
the script below makes crt/csr/pem for any use case.

[root@buildserver:~]$ cat /buildserver/ssl-cert/generate-cert.sh
#!/usr/bin/bash
# Usage: generate-cert.sh <server-name>
# Writes <server-name>.key/.csr/.crt/.pem to $WORKING_DIR/<server-name>/
WORKING_DIR="/buildserver/ssl-cert"
if [ "$1" == "" ]; then
  echo "Wie soll ich bitte Dateien ohne Servernamen benennen?"
  echo ""
  exit 1
fi
OUT_DIR="$WORKING_DIR/$1"
mkdir -p "$OUT_DIR"
chmod 700 "$OUT_DIR"
rm -f "$OUT_DIR/$1.key" "$OUT_DIR/$1.csr" "$OUT_DIR/$1.crt" "$OUT_DIR/$1.pem"
# put the server name into the commonName default of the request template
sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"
# 2048-bit key (this overrides default_bits in the template), CSR, then a
# self-signed cert valid for 10 years; hand the CSR to an external CA instead if wanted
openssl genrsa -out "$OUT_DIR/$1.key" 2048
openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
# combined cert+key file for daemons that want both in one PEM
cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"
echo ""
echo "Zertifikate wurden unter '$OUT_DIR/' erstellt."
echo "$OUT_DIR/$1.key"
echo "$OUT_DIR/$1.csr"
echo "$OUT_DIR/$1.crt"
echo "$OUT_DIR/$1.pem"
echo ""

# the private key is inside the .pem as well, so keep every output file owner-only
chmod 600 "$OUT_DIR"/*
ls -l -h --color=tty -X --group-directories-first --time-style=long-iso "$OUT_DIR/"
echo ""
rm -f "$WORKING_DIR/openssl.conf"

[root@buildserver:~]$ cat /buildserver/ssl-cert/openssl.conf.template
[ req ]
prompt                          = yes
default_bits                    = 1024
distinguished_name              = req_DN
string_mask                     = nombstr
[ req_DN ]
countryName                     = "1. Landeskennung  "
countryName_default             = "AT"
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = "2. Bundesland  "
stateOrProvinceName_default     = "Vienna"
localityName                    = "3. Stadt  "
localityName_default            = "Vienna"
0.organizationName              = "4. Firmenname  "
0.organizationName_default      = "the lounge interactive design gmbh"
organizationalUnitName          = "5. Abteilung  "
organizationalUnitName_default  = "Administration"
commonName                      = "6. Server-Name  "
commonName_max                  = 64
commonName_default              = "my_common_name"
emailAddress                    = "7. Mail-Adresse  "
emailAddress_max                = 40
emailAddress_default            = "hostmas...@thelounge.net"

I have heard some reports that browsers such as Chrome and MSIE balk at 1024 bit certs and that one should use 2048. I wonder if this is now a good idea when generating mailserver certs as well? Try to be more future proof? Or am I confused and thinking 512 and 1024? Either way, this is a good decision to think about so your users won't have to grab a new cert if you need to change it. The uninformed can get spooked by these things. I personally believe signed certs for mailservers should be free.

--
John Hinton
877-777-1407 ext 502
http://www.ew3d.com
Comprehensive Online Solutions
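A check for the key-size question raised above, added here as an example and not code from either poster: it walks the DER of a PEM "PUBLIC KEY" (SubjectPublicKeyInfo, which is what `openssl x509 -in server.crt -pubkey -noout` or `openssl rsa -in server.key -pubout` prints) and reports the RSA modulus length, so a 1024-bit key can be spotted before a browser or MUA complains. `constructed_rsa_pem` is an assumed helper that fabricates a sample input from a random modulus so the block runs offline; it is not a usable key.

```python
import base64
import re
import secrets

RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(der, pos):  # decode one DER tag + length at pos -> (tag, value_start, value_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length

def _children(der, start, end):  # walk the elements of a constructed (SEQUENCE) value
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(der, pos)
        yield tag, vstart, vend
        pos = vend

def rsa_public_key_bits(pem):
    """Modulus bit length of a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) carrying an RSA key."""
    b64 = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    der = base64.b64decode("".join(b64.group(1).split()))
    _, s, e = _tlv(der, 0)  # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    (alg_tag, a0, a1), (bits_tag, b0, b1) = list(_children(der, s, e))[:2]
    oid_tag, o0, o1 = next(_children(der, a0, a1))
    if (alg_tag, bits_tag, oid_tag) != (0x30, 0x03, 0x06) or der[o0:o1] != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    key = der[b0 + 1:b1]  # BIT STRING payload minus its leading 'unused bits' byte
    _, k0, k1 = _tlv(key, 0)  # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, n0, n1 = next(_children(key, k0, k1))
    return int.from_bytes(key[n0:n1], "big").bit_length()

# Constructed sample input for offline use: a random odd modulus of the requested size, NOT a usable key.
def _der(tag, value):  # minimal DER TLV encoder with short- or long-form length
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _der_int(i):  # DER INTEGER; a leading zero byte keeps a high-bit value positive
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def constructed_rsa_pem(bits):
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exactly `bits` bits long and odd
    rsa_key = _der(0x30, _der_int(n) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption with NULL parameters
    b64 = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"
```

Anything below 2048 returned by `rsa_public_key_bits` on a real server key is a candidate for the regeneration the script above performs.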
