
EASYCERT - Easy certifying with openssl (Linux)


EASYCERT is a simple way to manage openssl, which is used on common Linux systems to issue certificates for Apache. It is software I wrote that makes working with openssl more pleasant. This tutorial explains how to use EASYCERT. The certificates can be used on all common systems.

To work effectively with EASYCERT, it makes more sense to use the shell as root (nobody else should be allowed to handle certificates anyway) than to set everything up through the GUI.

This is the help for EASYCERT:

EASYCERT - Easy certification of apache
=========================

easycert_setup arguments are
-i | -I | --install
-u | -U | --uninstall
-a | -A | --add
-h | -H | --help

Help
====

Because of the symbolic links you have the possibility to execute all files from everywhere. The files are:
- crthelp
- ocaconvert
- ocalink
- Name-convert
- Name-create
- Name-link
- Name-p12convert
They are stored in /opt/easycert/. The sym links are stored in /usr/local/bin/.

crthelp:
shows the help page to give you support

ocaconvert:
ocaconvert converts the Root CA cer file into a webserver readable pem format

ocalink:
ocalink links the ca (Root CA) into /etc/ssl/certs to make it usable for apache.

Name-convert:
Name-convert converts the cer file into a webserver readable pem format.

Name-create:
Name-create creates the certificate signing request (csr) and the private key (key). One special part is that this file contains DNS aliases that you may need to change, delete or add. So check this file using "cat /opt/easycert/name/openssl_create".

Name-link:
Name-link links the (into pem format) converted certificate into /etc/ssl/certs/ and the private key into /etc/ssl/private/ to make it usable for apache. Never lose the private key!

Name-p12convert:
Name-p12convert converts the converted pem file and the private key to a pfx file. For this file you have to set a password. Never lose the password!

HowTo - step by step:

0) Get Root CA:
Visit e.g. https://cert-srv.example.local/certsrv and authenticate as domain admin (administrator@example.local). Use "Download a CA certificate, certificate chain, or CRL" and then "Download CA certificate" to get the Root CA cer file. Copy the content into the setup or into a new cer file called ca.example.local.cer.

1) CA Link:
Use openssl_calink to link the Root CA (very easy)

2) CSR Creation:
Check openssl_create because of DNS aliases when you need more than the default name. Use openssl_create to create csr and private key.

3) Certification:
Copy the content of the csr file. Visit https://cert-srv.example.local/certsrv and authenticate as domain admin (administrator@example.local). Use "Request a certificate" and submit an "advanced certificate request". Paste the csr content into the request field, use the "Web Server" template and submit. "Download certificate" and try to get it onto the webserver (via ftp or scp). If you have PuTTY, you may also have pscp.exe; in that case use the following command:
pscp.exe C:\path to\newcert.cer root@IP-Adresse des Servers:/opt/easycert//.cer

4) Converting:
Use openssl_convert or openssl_p12convert to convert the cer file you transferred before into the pem format and the pem and key into pfx format.

5) Link:
Use openssl_link to link the pem file into /etc/ssl/certs/ and the key file into /etc/ssl/private/.

6) Apache:
Prepare the apache to use ssl and write the certificates into the default-ssl.conf
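
Steps 2, 4 and 5 of the HowTo as plain openssl calls, added here as an example (not EASYCERT's own scripts, whose contents this page does not show). The function names, the host names and the assumption that the scripts wrap these openssl commands are illustrative; the last function checks that certificate and private key belong together before they are linked for Apache.

```shell
#!/bin/sh
# Added example: assumed openssl equivalents of the EASYCERT steps.
# Host names and file names below are constructed.

# Step 2: write a request config containing the DNS aliases, then create key + CSR.
make_csr() {  # $1 = work dir, $2 = primary name, $3.. = additional DNS aliases
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for a in "$@"; do san="$san,DNS:$a"; done
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    # umask 077 keeps the private key readable by its owner only
    ( umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/$cn.key" -config "$dir/req.cnf" -out "$dir/$cn.csr"
}

# List the DNS aliases actually present in the CSR, one per line (check before submitting).
csr_sans() {  # $1 = csr file
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Step 4: convert a DER-encoded .cer to PEM; a .cer that is already PEM is copied.
cer_to_pem() {  # $1 = cer file, $2 = pem file to write
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Before step 5: compare the public key in the certificate with the private key's.
key_matches_cert() {  # $1 = pem certificate, $2 = private key; returns 0 on match
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
```

If key_matches_cert fails, the certificate was issued for a different CSR and should not be linked into /etc/ssl/certs/.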

Links and sources

If you have questions, suggestions or improvements (anyone can be mistaken), please send me a message via the contact page. Thank you!

EASYCERT download:
download

20.08.2019 - 15:17 - Oliver Stech