The SSL protocol requires the use of X.509 certificates in the protocol handshake to ensure that either one or both parties involved in the communication are indeed who they say they are. Certificates in real life, such as those used for SSL connections on public web sites, can cost on the order of $300 a year. This is because the certificate must have a digital signature placed on it by a certificate authority. A certificate authority is an entity that vouches for the authenticity of a digital certificate by signing it with its own private key. This way, anyone who wishes to check the authenticity of the certificate can simply use the certificate authority's public key to check the signature.
You are allowed to use a public certificate authority with SSLeay. However, you don't have to. Instead, SSLeay will allow you to declare yourself a trusted certificate authority - specifying which clients you choose to trust and which clients you do not. In order to do this, you will need to perform several tasks with the SSLeay distribution.
The first thing you need to do is specify a secure location where the certificates of the clients and potentially the server will be stored. We have chosen /etc/certificates as our default. Execute the following commands as root:
# cd /etc
# mkdir certificates
# chmod 700 certificates
Note that we shut out all access to users other than root for this directory. This is very important.
Next, you need to set up the SSLeay scripts and configuration files to use the certificates stored in this directory. In order to do this, first modify the CA.sh script located at /usr/local/ssl/bin/CA.sh to specify the location of the directory you just created. Find the line that contains the following entry:
CATOP=./demoCA
Then change it to:
CATOP=/etc/certificates
Next, you need to modify the /usr/local/ssl/lib/ssleay.cnf file to specify the same directory. Find the entry:
[ CA_default ]
dir = ./demoCA # Where everything is kept
Then change it to:
[ CA_default ]
dir = /etc/certificates # Where everything is kept
Next, run the certificate authority setup script, CA.sh, in order to create the certificates. Be sure to do this as the same user that you used to prime the random number generator above:
/usr/local/ssl/bin/CA.sh -newca
mkdir: cannot make directory '/etc/certificates': File exists
CA certificate filename (or enter to create)
Press the Enter key to create a certificate for the CA. You should then see:
Making CA certificate ...
Using configuration from /usr/local/ssl/lib/ssleay.cnf
Generating a 1024 bit RSA private key
.............................+++++
.....................+++++
writing new private key to /etc/certificates/private/cakey.pem
Enter PEM pass phrase:
Enter a new pass phrase for your certificate. You will need to enter it twice correctly before SSLeay will accept it:
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Be sure to remember this pass phrase. You will need it to sign the client certificates in the future. Once SSLeay has accepted the pass phrase, it will continue with a series of questions for each of the fields in the X.509 certificate:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Fill out the remainder of the fields with information about your organization. For example, our certificate looks like this:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Sebastopol
Organization Name (eg, company) []: O'Reilly
Organizational Unit Name (eg, section) []: Books
Common Name (eg, YOUR name) []: John Doe
Email Address []: [email protected]
After that, SSLeay will be configured as a certificate authority and can be used to sign certificates for client machines that will be connecting to the Samba server.
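The preparatory steps above (the mode-700 directory, the CATOP line in CA.sh and the dir line in ssleay.cnf) as an added example script, not code from the book or from the SSLeay distribution. It takes the file paths as arguments so it can be exercised against copies of the files; the function names and the final check are this example's own, and the book's defaults are only shown in the usage comment.

```shell
#!/bin/sh
# Added example: prepare the SSLeay CA directory and point CA.sh and
# ssleay.cnf at it, then verify the result. Paths are arguments
# (assumption) so the script can be run against constructed copies.

# Create the certificate directory, closed to everyone but its owner.
make_ca_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
}

# Rewrite CATOP in CA.sh and the dir entry in the [ CA_default ]
# section of ssleay.cnf. Edits go through a temp file so the script
# does not depend on GNU sed's -i option.
point_ca_at_dir() {
    cash="$1"; cnf="$2"; dir="$3"
    sed "s|^CATOP=.*|CATOP=$dir|" "$cash" > "$cash.tmp" \
        && mv "$cash.tmp" "$cash" || return 1
    # Range: from the [ CA_default ] header up to the next section
    # header, so a dir= line in another section is left alone.
    sed "/^\[ CA_default \]/,/^\[/ s|^dir[[:space:]]*=.*|dir = $dir # Where everything is kept|" \
        "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf" || return 1
}

# Check: directory mode is drwx------ and both files name the directory.
check_ca_setup() {
    cash="$1"; cnf="$2"; dir="$3"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] || return 1
    grep -q "^CATOP=$dir\$" "$cash" || return 1
    grep -q "^dir = $dir " "$cnf" || return 1
}

# Usage with the book's defaults (run as root):
#   make_ca_dir /etc/certificates
#   point_ca_at_dir /usr/local/ssl/bin/CA.sh /usr/local/ssl/lib/ssleay.cnf /etc/certificates
#   check_ca_setup /usr/local/ssl/bin/CA.sh /usr/local/ssl/lib/ssleay.cnf /etc/certificates
```

The check only confirms the mode and the two path entries; ownership by root still has to be confirmed separately, since the script may be run by another user against copies.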