Certificate Authority

From UGCS

Latest revision as of 22:27, 23 May 2009

We run our own certificate authority for all sorts of reasons. The CA certificate is available at http://ca.ugcs.caltech.edu

To generate a certificate, you need to do the following steps:

  1. Make a certificate request
  2. Get it signed

Requesting a certificate

To request a certificate, you can use the "request" script, found in /afs/.ugcs/public/ca/bin. This script takes as arguments:

request filename commonName emailAddress [alt_name ...]

where

  • filename is the name of the file to save the request to. It should be a simple filename, not a whole path (a copy will be saved in ca/reqs)
  • commonName should be the fully-qualified DNS name of the machine
  • emailAddress is probably going to be sysadmins@ugcs
  • alt_name is a list of other names that the certificate should be trusted for. For example, poseidon.ugcs.caltech.edu (our webserver) would have poseidon.ugcs.caltech.edu as its commonName, and www.ugcs.caltech.edu, www.ugcs, www, poseidon, poseidon.ugcs, etc as alt names. Modern TLS clients match the hostname against the subjectAltName list and ignore the commonName, so make sure the commonName itself ends up in the alt names as well if the script does not add it for you.

You can also set the following environment variables:

  • KEYDIR is the directory where the newly generated private key is placed. If unset, the key goes in /root/req-keys
  • KEYFILE is the full path to an existing private key to reuse instead of generating a new one

Signing the request

You sign the certificate request, not the key, and you can only do it on a machine that has the CA private key available. Currently, this is zeus. To do so, run (as root) "sign"

sign filename

where filename is the same filename you gave above.

The CA key lives in /root/ca-key on the machine that holds it (currently zeus); /afs/.ugcs/public/ca/private contains a symlink to it, which only resolves on that machine. Since the key is only readable by root, you have to run sign as root (or with sudo). The passphrase for the CA key is also kept in /root/ca-key/, so the passphrase only protects a copy of the key file that leaks on its own: anyone with root on zeus can sign with the CA.

After sign runs, the signed certificate is in ca/certs, alongside the copy of the request in ca/reqs. Check that the certificate chains to the CA certificate and actually lists every name you asked for before deploying it.
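The two steps above, request and sign, as an added example of the openssl commands such a pair of scripts performs. This is not the UGCS request and sign code (their internals are not on this page); the function names mirror the page's interface, but WORK and CA_DIR are assumptions so the example runs offline in a scratch directory instead of /afs/.ugcs/public/ca, /root/ca-key and /root/req-keys, and the CA it uses is a throwaway one created on the spot. It needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: openssl equivalents of a request/sign pair. Not the UGCS
# scripts. WORK/CA_DIR are assumptions for a self-contained demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"            # stands in for /afs/.ugcs/public/ca

# Throwaway CA so the example is self-contained. On the real system the CA
# key already exists, is readable only by root, and is passphrase protected
# (openssl would prompt for it, or take -passin).
make_demo_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/reqs" "$CA_DIR/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$CA_DIR/private/ca-key.pem" \
        -out "$CA_DIR/ca-cert.pem" 2>/dev/null
}

# request FILENAME COMMONNAME EMAIL [ALT_NAME ...]
# Generates a key (or reuses KEYFILE), writes the CSR to ca/reqs, and records
# the requested extensions beside it for the signer. The commonName goes into
# the SAN list too: clients match hostnames against SANs, not the CN.
request() {
    filename=$1; cn=$2; email=$3; shift 3
    keydir="${KEYDIR:-$WORK/req-keys}"       # page default: /root/req-keys
    mkdir -p "$keydir"
    key="${KEYFILE:-$keydir/$filename.key}"
    [ -f "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
    sans="DNS:$cn"
    for alt in "$@"; do sans="$sans,DNS:$alt"; done
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$sans" > "$CA_DIR/reqs/$filename.ext"
    openssl req -new -key "$key" \
        -subj "/CN=$cn/emailAddress=$email" \
        -addext "subjectAltName=$sans" \
        -out "$CA_DIR/reqs/$filename.csr" 2>/dev/null
}

# sign FILENAME
# Signs ca/reqs/FILENAME.csr with the CA key into ca/certs/FILENAME.crt.
# Without -extfile, "openssl x509 -req" silently drops the requested SANs,
# which is how you end up with a certificate no browser accepts.
sign() {
    filename=$1
    openssl x509 -req -in "$CA_DIR/reqs/$filename.csr" \
        -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/private/ca-key.pem" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$CA_DIR/reqs/$filename.ext" \
        -out "$CA_DIR/certs/$filename.crt" 2>/dev/null
}

# cert_valid_for FILENAME HOSTNAME
# Exit 0 only if the certificate chains to the CA and covers HOSTNAME.
cert_valid_for() {
    openssl verify -CAfile "$CA_DIR/ca-cert.pem" -verify_hostname "$2" \
        "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}

# Walk through the page's poseidon example end to end.
make_demo_ca
request poseidon poseidon.ugcs.caltech.edu sysadmins@ugcs \
    www.ugcs.caltech.edu www.ugcs www poseidon poseidon.ugcs
sign poseidon
openssl x509 -in "$CA_DIR/certs/poseidon.crt" -noout -subject -ext subjectAltName
```

The final check with openssl verify -verify_hostname is the one worth keeping around: it catches both a certificate that does not chain to the CA and a SAN list that lost a name somewhere between the request and the signature.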
