Adding a new user to Koji

How to add a new user to Koji.

Example for the user trondham. The username in Koji must match the user's UiO username.

1   Add the user to Koji

Add the user to Koji. This is done on koji.uio.no:

[root@koji ~]# sudo -u kojiadmin koji add-user trondham
Added user trondham (4)

2   Generate SSL certificates

This is done as root on koji.uio.no. First cd to the right directory and set a couple of variables:

[root@koji ~]# cd /etc/pki/koji
[root@koji koji]# user=trondham
[root@koji koji]# caname=koji

Create a 2048-bit private key:

[root@koji koji]# openssl genrsa -out certs/${user}.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..........................+++
e is 65537 (0x10001)

Create the certificate request. Here "Common Name" must be the username, and "Email Address" must be <username>@ulrik.uio.no. For all other fields accept the default (i.e. press ENTER):

[root@koji koji]# openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Oslo]:
Locality Name (eg, city) [Blindern]:
Organization Name (eg, company) [University of Oslo]:
Organizational Unit Name (eg, section) [USIT]:
Common Name (eg, your name or your server's hostname) [koji.uio.no]: trondham
Email Address [unix-drift@usit.uio.no]: trondham@ulrik.uio.no

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the request with the Koji CA to produce the certificate (FIXME). Answer y to signing and y to commit:

[root@koji koji]# openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
Using configuration from ssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 6 (0x6)
        Validity
            Not Before: Aug 26 13:24:06 2011 GMT
            Not After : Aug 23 13:24:06 2021 GMT
        Subject:
            countryName               = NO
            stateOrProvinceName       = Oslo
            organizationName          = University of Oslo
            organizationalUnitName    = USIT
            commonName                = trondham
            emailAddress              = trondham@ulrik.uio.no
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C0:91:EA:7D:88:5B:29:0D:13:4C:DE:F2:74:30:C6:10:DF:EC:31:1F
            X509v3 Authority Key Identifier:
                keyid:CD:F7:17:95:46:F1:A7:D2:CE:BB:59:9D:21:E9:6E:B4:03:F9:70:C4
                DirName:/C=NO/ST=Oslo/L=Blindern/O=University of Oslo/OU=USIT/CN=koji.uio.no/emailAddress=unix-drift@usit.uio.no
                serial:CC:C9:6F:41:6E:53:2A:0E

Certificate is to be certified until Aug 23 13:24:06 2021 GMT (3650 days)
Sign the certificate? [y/n]: y


1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

Then create a combined file containing the user's certificate and private key (FIXME):

[root@koji koji]# cat certs/${user}.crt certs/${user}.key > ${user}.pem

Create a PKCS12 user certificate (for the web browser). Choose a suitable password, not too simple and not too hard. Note down the password; it is sent to the user together with the certificate:

[root@koji koji]# openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt -out certs/${user}_browser_cert.p12
Enter Export Password:
Verifying - Enter Export Password:

3   Pack the files together

This is a cut-and-paste recipe that assumes the variable "user" is set as above:

cd /root/koji-user-certs
mkdir koji-${user}
cp /etc/pki/koji/${user}.pem koji-${user}/client.crt
cp /etc/pki/koji/koji_ca_cert.crt koji-${user}/clientca.crt
cp /etc/pki/koji/koji_ca_cert.crt koji-${user}/serverca.crt
cp /etc/pki/koji/certs/${user}_browser_cert.p12 koji-${user}/
tar cvfz koji-${user}.tar.gz koji-${user}
rm -rf koji-${user}

This results in a file koji-<username>.tar.gz. It is sent to the user as an attachment.
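As an added check that is not part of the original recipe: the shell function below inspects a finished koji-<user> directory (before it is tarred in step 3) and verifies that it follows the rules from steps 2 and 3: all four files are present, client.crt chains to clientca.crt, its Common Name is the username and its emailAddress is <username>@ulrik.uio.no, the private key bundled into client.crt belongs to that certificate, and the certificate has not expired. The function name and the usage lines at the end are my own; the file names are those produced by the recipe above.

```shell
#!/bin/sh
# check_koji_bundle: sanity-check a koji-<user> directory before sending it.
# Added example, not part of the original page. Assumes the layout produced
# by step 3 (client.crt = certificate + key, clientca.crt, serverca.crt,
# <user>_browser_cert.p12) and the naming rules from step 2
# (CN = username, emailAddress = <username>@ulrik.uio.no).

check_koji_bundle() {
    user=$1
    dir=$2
    rc=0

    # All four files from step 3 must be present and non-empty.
    for f in client.crt clientca.crt serverca.crt "${user}_browser_cert.p12"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    [ -s "$dir/client.crt" ] || return 1

    # The client certificate must chain to the CA shipped as clientca.crt.
    if ! openssl verify -CAfile "$dir/clientca.crt" "$dir/client.crt" >/dev/null 2>&1; then
        echo "client.crt does not verify against clientca.crt" >&2
        rc=1
    fi

    # Common Name must equal the Koji/UiO username, and emailAddress must
    # follow the <user>@ulrik.uio.no convention from step 2.
    subject=$(openssl x509 -noout -subject -nameopt multiline -in "$dir/client.crt")
    echo "$subject" | grep -q "^ *commonName *= *${user}\$" || {
        echo "commonName is not '$user'" >&2; rc=1; }
    echo "$subject" | grep -q "^ *emailAddress *= *${user}@ulrik\.uio\.no\$" || {
        echo "emailAddress is not '${user}@ulrik.uio.no'" >&2; rc=1; }

    # client.crt carries both the certificate and the private key (the cat in
    # step 2); make sure the key actually belongs to the certificate by
    # comparing the public key from each half.
    certpub=$(openssl x509 -noout -pubkey -in "$dir/client.crt" 2>/dev/null)
    keypub=$(openssl pkey -pubout -in "$dir/client.crt" 2>/dev/null)
    if [ -z "$keypub" ] || [ "$certpub" != "$keypub" ]; then
        echo "private key in client.crt does not match the certificate" >&2
        rc=1
    fi

    # Refuse a certificate that has already expired.
    if ! openssl x509 -noout -checkend 0 -in "$dir/client.crt" >/dev/null 2>&1; then
        echo "client.crt is expired" >&2
        rc=1
    fi

    return $rc
}

# Usage (hypothetical file name): sh check-koji-bundle.sh trondham koji-trondham
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_koji_bundle "$1" "$2" && echo "bundle for $1 looks good"
fi
```

Run it from /root/koji-user-certs on the koji-${user} directory before the tar step; a non-zero exit with the reason on stderr means the bundle should not be sent.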

By Trond Hasle Amundsen
Published 11 July 2013 14:18