Generating self-signed SSL certificates

Creating a self-signed certificate is relatively easy. Once the certificate authority (CA) has been established, generating certificates from it is rather straightforward. However, the commands are easily forgotten over time, since one does not generate certificates every day. To simplify matters, a quick script handles all of the steps needed to generate the certificate.

#!/bin/sh
#
#  MakePEM                                              Author: Rich West
#                                                       Rich.West@wesmo.com
#
# A simple script to generate a self signed certificate that does not require
# a passphrase in order to use it.
################################################################################

##
# Make sure we are started as we should be.
##
if [ $# -ne 3 ]; then
        echo "Usage: $0 <serial number> <days> <certificate_file.pem>"
        echo
        exit 1
fi

##
# Set our defaults
##
ssldir=/usr/bin
conf=/etc/ssl/openssl.cnf
certs_dir=/etc/ssl/certs
serial=$1
days=$2
cert=$3

# The output file holds the private key, so create it owner-only from the start.
umask 077

##
# Generate the private key and the self-signed certificate.
# -nodes leaves the key unencrypted so it can be used without a passphrase;
# -keyout and -out name the same file, so openssl writes the key and then
# appends the certificate to it.
##
"$ssldir/openssl" req -new -x509 -nodes -days "$days" -config "$conf" \
        -out "$certs_dir/$cert" -keyout "$certs_dir/$cert" \
        -set_serial "$serial"

##
# Append Diffie-Hellman parameters for ephemeral DH key exchange, seeded from
# /dev/urandom when it exists. ('openssl gendh', which older scripts used for
# this, was removed in OpenSSL 1.1.0; 'openssl dhparam' works on old and new
# versions alike. 2048 bits, because 1024-bit DH is considered too weak today;
# generating the parameters can take a minute or more.)
##
rand_opt=
test -c /dev/urandom && rand_opt="-rand /dev/urandom"
# $rand_opt is deliberately unquoted so that it expands to two words.
"$ssldir/openssl" dhparam $rand_opt 2048 >> "$certs_dir/$cert"

##
# For sanity's sake, display the subject, validity dates and fingerprint of
# the generated certificate.
##
echo
echo "Your new certificate is as follows:"
"$ssldir/openssl" x509 -subject -dates -fingerprint -noout \
        -in "$certs_dir/$cert"

##
# Make it only readable by the owner.
##
chmod 600 "$certs_dir/$cert"

Renew Self-Signed SSL Certificate on Linux

If you receive an email like the one below, it can be misleading if you are using self-signed certificates. The warning really only applies to purchased (CA-issued) certificates, not to home-grown ones.

If you use self-signed certificates, there is no option to renew them. You simply can't (you are the certificate authority anyway), so you must generate a completely new certificate.

################# SSL Certificate Warning ################

  Certificate for hostname 'your.host.name', in file:
     /etc/ssl/certs/https_www.pem

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)
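
The check certwatch performs, followed by the reissue the text describes as the only option, as an added example that is not part of the original page: a POSIX sh script using openssl x509 -checkend against a MakePEM-style combined PEM file. The file path, subject and day thresholds are assumptions, and openssl(1) must be on PATH.

```sh
#!/bin/sh
# Added example (not from the original page): check whether the certificate in a
# MakePEM-style PEM file (key + certificate in one file) is about to expire and,
# since a self-signed certificate cannot be renewed, reissue it in place.
# Assumes openssl(1) is on PATH; the file path and subject are placeholders.

# Exit 0 when the CERTIFICATE block in $1 is still valid $2 days from now.
# openssl x509 skips the other PEM blocks (private key, DH parameters).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Write a new private key and self-signed certificate into $1, valid $2 days,
# with subject $3 (e.g. "/CN=your.host.name"). -nodes leaves the key
# unencrypted, as MakePEM does; -set_serial gets a random 64-bit serial instead
# of a hand-maintained counter. umask runs in a subshell so it only affects
# the files created here.
make_self_signed() {
    (
        umask 077
        openssl req -new -x509 -nodes -days "$2" -subj "$3" \
            -set_serial "0x$(openssl rand -hex 8)" -keyout "$1" -out "$1"
    )
}

# Reissue $1 if it is missing or expires within $2 days; the new file is valid
# $3 days with subject $4. It is built beside the old one and moved into place,
# so an interrupted run never leaves a truncated PEM where the server reads it.
renew_if_expiring() {
    if cert_valid_for_days "$1" "$2"; then
        echo "ok: $1 remains valid for more than $2 days"
        return 0
    fi
    make_self_signed "$1.new" "$3" "$4" || return 1
    mv "$1.new" "$1" || return 1
    echo "reissued: $1 (self-signed certificates cannot be renewed)"
}

# Usage, e.g. from cron: reissue 30 days ahead of expiry, valid for one year.
# renew_if_expiring /etc/ssl/certs/https_www.pem 30 365 "/CN=your.host.name"
```

Remember to reload the web server after a reissue, since it keeps the old certificate in memory until it rereads the file.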

Windows 7 and Squid with NTLM authentication via Samba

Getting Windows 7 to talk to a Squid proxy server that uses NTLM authentication via Samba can be a little tricky.

Open Control Panel -> System and Security -> Administrative Tools -> Local Security Policy -> Local Policy -> Security Options, then:

Find "Network security: LAN Manager authentication level" and set it to: Send LM & NTLM responses
Find "Minimum session security for NTLM SSP" and disable: Require 128-bit encryption

Both settings lower the client's NTLM security (LM responses in particular are weak and easily cracked), so apply them only on machines that must use this proxy and revert them once the proxy supports NTLMv2.