Home Esplora Aiuto
Accedi
fr33domlover
/
Rel4tion-Wiki
mirror da git://seek-together.space/wiki.git
Segui 1
Vota 0
Forka 0
File Problemi 0 Wiki
Albero (Tree): 8b3b2bbab2
Rami (Branch) Tag
Rel4tion-Wiki
/
maint
/
admin
/
ca
/
tinyca
/
Exporting_the_Files.mdwn

Exporting_the_Files.mdwn 2.9 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. In order to use the certificate to authenticate a web service, it needs to be
    2. 

  2. exported from TinyCA and copied to a location where your server can find it. To
    3. 

  3. be more precise, the files we'll export are:
    4. 

  4. 

  5. - __CA certificate__: This file can (and should) be made public safely. Clients
    6. 

  6.   will need to have it installed in order for their software to trust the
    7. 

  7.   certificates signed by your CA.
    8. 

  8. - __Revocation list__: This file should be made available at the address you
    9. 

  9.   specified while configuring the CA. It will allow you later to revoke
    10. 

  10.   signatures, e.g. if a certificate was misused.
    11. 

  11. - __Server certificate__: This file can be safely made public, but you don't
    12. 

  12.   need to send it to clients. It is one of the files you'll need to make
    13. 

  13.   available to the servers you run, in order for them to work with SSL.
    14. 

  14. - __Server key__: This file __IS PRIVATE__. Protect it with proper permissions!
    15. 

  15.   Make it read-only, and preferrably owned by root. Some servers (such as
    16. 

  16.   lighttpd) access it while being root, so `chmod 400` and `chown root:root` is
    17. 

  17.   the best thing to do, when possible. It depends on the implementation of each
    18. 

  18.   server. The server key needs to be available to the server together with the
    19. 

  19.   server certificate.
    20. 

  20. 

  21. Another commonly used file is the __CA chain file__, but it is only required
    22. 

  22. when you use sub-CAs. Since in our setup there aren't any, and the root CA signs
    23. 

  23. the server certificates directly, no chain file is needed.
    24. 

  24. 

  25. Let's export the CA certificate. In the main window of TinyCA, click the "Export
    26. 

  26. CA Certificate" toolbar button, which is the second from the right (or left, if
    27. 

  27. you use an RTL locale). Choose a location to export to. Example:
    28. 

  28. 

  29. [[!img 6-export-ca-cert.png class="center"]]
    30. 

  30. 

  31. In order to export the revocation list, click the right most button (or left
    32. 

  32. most, if you use an RTL locale) on the toolbar. Choose a location, enter the CA
    33. 

  33. password and validity time. You can probably use the default for now, but I'm
    34. 

  34. not an expert. If you need advice on expiration times, I hope other resources
    35. 

  35. can help. If you do know, please share it here if you can, to make this guide
    36. 

  36. more complete.
    37. 

  37. 

  38. [[!img 7-export-crl.png class="center"]]
    39. 

  39. 

  40. In order to export the server certificate, go to the Certificates tab and
    41. 

  41. right-click on the certificate line. Choose "Export Certificate" from the popup
    42. 

  42. menu.
    43. 

  43. 

  44. [[!img 8.1-export-cert-menu.png class="center"]]
    45. 

  45. 

  46. Choose a storage location and click "Save".
    47. 

  47. 

  48. [[!img 8.2-export-cert-filled-nokey.png class="center"]]
    49. 

  49. 

  50. Finally, in order to export the server key, go to the Keys tab. Right-click on
    51. 

  51. the key line and select "Export Key".
    52. 

  52. 

  53. [[!img 9.1-export-key-menu.png class="center"]]
    54. 

  54. 

  55. Choose a storage location. Set "Without Passphrase" to yes, otherwise you'll
    56. 

  56. need to supply the key passphrase every time you start the web server. Click
    57. 

  57. "Save". You will be asked for the certificate passphrase.
    58. 

  58. 

  59. [[!img 9.2-export-key-filled-nocert.png class="center"]]
    60. 

  60.