### NOTE: This only needs to be done once (well once a year  ###
### if you only make your CA good for 365 days)              ###
### You should skip to the readme for part 2 if all you need ###
### is to generate a cert for a site.                        ###
###                                                          ###
### If you want to regenerate the CA, then you will need to  ###
### back up your current cert subfolder.                     ###
###   cd /etc/httpd/conf/ca                                  ###
###   mv anncons bak.anncons                                 ###
###                                                          ###
### In this example our working directory for creating certs ###
### is:                                                      ###
###   /etc/httpd/conf/ca                                     ###
### We store the cert for Anncons.net in the subfolder:      ###
###   /etc/httpd/conf/ca/anncons                             ###

######
#Create a directory for generating and managing your Certs

# Check on OpenSSL
which openssl
  /usr/bin/openssl

# Create a secure directory to hold our CA information
mkdir /etc/httpd/conf/ca
chmod o-rx /etc/httpd/conf/ca
cd /etc/httpd/conf/ca

# Find and copy the shell script that is included
# with OpenSSL into our secure directory.
# We'll also need the OpenSSL configuration file (openssl.cnf).
locate CA.sh
  /usr/lib/ssl/misc/CA.sh
cp -a /usr/lib/ssl/misc/CA.sh ./
#
locate openssl.cnf
  /usr/lib/ssl/openssl.cnf
cp -a /usr/lib/ssl/openssl.cnf ./

# Edit ./openssl.cnf and add your appropriate defaults.
# At the very least you should change the "dir" under
# the [ CA_default ] section:
#   dir = ./anncons        # Where everything is kept
# Now all generated Certs and Cert files will be stored
# in a local subdirectory called "./anncons"

######
#Create a new CA

To create a new CA, type the following command (as root):
  ./CA.sh -newca

====== You should see the following output ======
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to './anncons/private/./cakey.pem'
Enter PEM pass phrase: april showers bring may flowers
Verifying - Enter PEM pass phrase: april showers bring may flowers
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [North Carolina]:
Locality Name (eg, city) [Raleigh]:
Organization Name (eg, company) [Anncons Consulting]:
Organizational Unit Name (eg, section) [HQ]:
Common Name (eg, YOUR name) [anncons]:
Email Address []:admin@anncons.net
======

The Certificate Authority (CA) is now generated and ready for use.
You will find the files for the CA in ./anncons

Please copy the file ./anncons/cacert.pem into the directory /var/www/cert
  cd anncons
  cp cacert.pem /var/www/cert/
  chmod 444 /var/www/cert/cacert.pem
Make sure that it is readable by apache, but not writable by anyone!

======
Place the following script in /var/www/cgi-bin/export_cert.cgi

#!/bin/sh
echo "Content-Type: application/x-x509-ca-cert"
echo
cat /var/www/cert/cacert.pem

Once this is done, users can download and install the CA by going to:
  http://anncons.net/cgi-bin/export_cert.cgi

Once a user imports your CA and accepts it as an Authority, they can use
any service of yours that is signed by that CA. Folks visiting a website
that has been signed by your CA will accept that site's certificate without
issuing any warnings. Likewise, email that is encrypted using SSL and a
certificate that you have signed will be downloaded with no warnings.

====== Added for compatibility with older browsers ======
Older browsers don't understand the "pem" format, but are hard coded to use
the "der" format. To create a "der" format CA from the "pem" certificate:
  openssl x509 -in cacert.pem -outform DER -out cacert.der

Next we add/modify the following line in the conf/mime.types file of the
Apache installation:
  application/x-x509-ca-cert    der pem crt
Now restart Apache for the change to take effect.

We should now be able to place both the cacert.der and cacert.pem files
anywhere on the web server, and have clients install the new cert by simply
clicking on either link.

Early versions of Netscape expected pem format, but recent versions will
accept either. Internet Explorer is just the opposite (early IE would accept
only der format, but recent versions will take both). Other browsers will
generally accept either format.
======

Your CA is in place and you are now ready to sign some self-generated web or
email certificates for use with SSL communications (See the next README).

Jon Carnes
Oct 7, 2003
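As an added example (not part of this README or of OpenSSL's CA.sh), the two publishing steps above in pure-stdlib Python: it does what `openssl x509 -in cacert.pem -outform DER` does for a single certificate, refuses a truncated or garbled cacert.pem by checking that the outer DER SEQUENCE spans the whole decoded blob, and writes both cacert.pem and cacert.der read-only (0444) into the web-served directory. The sample PEM is a constructed placeholder, not a real CA certificate, and the paths are assumed.

```python
import base64, os, re, stat
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder standing in for ./anncons/cacert.pem: a tiny DER
# SEQUENCE, not a real certificate, so the script runs without an actual CA.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_outer_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE (tag + length bytes + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: this byte is the length
        return 2 + first
    nbytes = first & 0x7F                 # long form: next nbytes hold the length
    if nbytes == 0 or len(der) < 2 + nbytes:
        raise ValueError("malformed long-form DER length")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armor, base64-decode, and check the SEQUENCE covers it all."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match outer SEQUENCE (truncated PEM?)")
    return der


def export_ca(pem_path, export_dir) -> dict:
    """Publish cacert.pem and cacert.der with mode 0444; returns each file's mode."""
    pem = Path(pem_path).read_bytes()
    der = pem_to_der(pem)                 # fail before anything is published
    out = Path(export_dir)
    out.mkdir(parents=True, exist_ok=True)
    modes = {}
    for name, data in (("cacert.pem", pem), ("cacert.der", der)):
        target = out / name
        target.write_bytes(data)
        os.chmod(target, 0o444)           # readable by Apache, writable by no one
        modes[name] = stat.S_IMODE(target.stat().st_mode)
    return modes
```

Point `export_ca` at the real ./anncons/cacert.pem and /var/www/cert to publish both formats for the mime.types mapping above.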