Here are example commands for generating your own Certificate Authority, and signing your own keys to distribute to end users.
openssl req -newkey rsa:512 -nodes -out ca.csr -keyout ca.key

Fill in the questions. Use relevant data, but this information is only for you.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CrushFTP
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:ben@crushftp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now we create the self-signed CA certificate that we will sign client certificates with, and initialise the serial number file.

openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem
echo "02" > ca.srl

And finally, we import the CA's public certificate into our trust store so we can validate all signed certificates users submit. The file name "crush.keystore_trust" is specific: it must be in the same folder as the real keystore file for the server port, and must have the exact same name and password, except that its name ends with "_trust". So in this case we expect to have a keystore named "crush.keystore".
keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password
Now from here on, we just generate new signed certs for your clients. The key part is to set their common name to "NOLOGIN_myuser" if you want to force them to still enter a user/pass. Otherwise, if you set their common name to a valid username, they will be able to log in without a user/pass.
openssl req -newkey rsa:512 -nodes -out myuser.req -keyout myuser.key
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in myuser.req -out myuser.pem -days 365
openssl pkcs12 -export -clcerts -in myuser.pem -inkey myuser.key -out myuser.p12 -name "myuser_certificate"
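As an added end-to-end example (not from the CrushFTP wiki page or the project itself), here is the same procedure as a POSIX shell script that runs without prompts: the CA and client steps above are reproduced with -subj values instead of interactive questions, the CA certificate gets a basicConstraints extension so it is an unambiguous CA, keys are 2048-bit rather than the page's rsa:512 (my choice), and each issued certificate is checked with openssl verify against ca.pem before it is handed out. The subjects, file names, scratch directory and the PKCS#12 pass phrase "changeit" are assumptions; the keytool import needs a JDK and is kept in its own function.

```shell
#!/bin/sh
# Added example: build a small CA, issue client certificates, verify the chain,
# and classify the CN the way the page describes (NOLOGIN_ prefix = password still required).
set -eu

# All artefacts land in a scratch directory (assumption: caller may override WORK).
WORK="${WORK:-$(mktemp -d)}"

# Step 1: CA key + self-signed CA certificate, marked as a CA via basicConstraints,
# then the serial file that the client-signing step reads and increments.
make_ca() {
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -signkey "$WORK/ca.key" -days 365 -in "$WORK/ca.csr" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
    echo "02" > "$WORK/ca.srl"
}

# Step 2: issue a client certificate whose CN is the CrushFTP username, signed by the CA,
# and bundle cert + key into a PKCS#12 file for the user.
issue_client() {
    user="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.req" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAserial "$WORK/ca.srl" \
        -in "$WORK/$user.req" -extfile "$WORK/client.ext" -out "$WORK/$user.pem" -days 365 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$WORK/$user.pem" -inkey "$WORK/$user.key" \
        -out "$WORK/$user.p12" -name "${user}_certificate" -passout pass:changeit
}

# Step 3 (optional, needs a JDK): load the CA certificate into the "_trust" keystore
# that sits beside the server keystore and shares its password (passed as $1).
import_ca_to_truststore() {
    keytool -import -noprompt -alias crushftp_ca -keystore "$WORK/crush.keystore_trust" \
        -trustcacerts -file "$WORK/ca.pem" -storepass "$1"
}

# Returns 0 only if the named client certificate chains to our ca.pem.
verify_client() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Extract the CN from an issued certificate (the value the server maps to a username).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Mirror the page's rule: a NOLOGIN_ prefix means the user must still supply a user/pass.
login_mode() {
    case "$1" in
        NOLOGIN_*) echo "password-required" ;;
        *)         echo "cert-only" ;;
    esac
}

make_ca
for u in myuser NOLOGIN_guest; do
    issue_client "$u"
    verify_client "$u"          # abort (set -e) if the chain does not validate
    cn=$(cert_cn "$u")
    echo "$u.p12 issued: CN=$cn -> $(login_mode "$cn")"
done
```

The verify step is the part worth keeping in any real issuance script: a certificate whose CN happens to equal a valid username is only useful to the server if it chains to the CA in crush.keystore_trust, so checking the chain at issue time catches a wrong -CA or stale ca.srl before a user ever tries the certificate.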
This particular version was published on 09-Oct-2016 18:14 by Ben Spink.