sysadmin/MakingSelfSignedSSLCerts written at 23:09:56; Add Comment
Making self-signed SSL certificates with OpenSSL
So that I don't have to try to remember it or look it up next time around, here is how to generate a real self-signed SSL certificate with OpenSSL. The basic but incomplete incantation is:
If you want a merged PEM certificate, just make the
To the basic incantation you must add one of two sets of arguments:
(On some systems you can also use '
A configuration file looks like this:
RANDFILE = $ENV::HOME/.rnd
[ req ] default_bits = 1024 default_keyfile = privkey.epm distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] countryName = CA stateOrProvinceName = Ontario localityName = Toronto organizationName = University of Toronto organizationalUnitName = CNS commonName = utcc.utoronto.ca emailAddress = email@example.com
Naturally I don't recommend that you copy this example literally, unless you really want to generate a self-signed key for our server.
Having created a PEM file (or just having one lying around), you can
examine it with '
Sidebar: Other references
Here is a discussion about a potential problem with self-signed certificates if you have to renew them. Locally we deal with this problem by generating self-signed certificates with very long expiry times; my current choice is 9999 days.
A good Google search for this seems to be [openssl self-signed certificate]. If you throw in 'making', the top results turn into being mostly about how to make your own Certificate Authority cert and then sign things with that. This is somewhat different from a self-signed certificate, plus is more work.
sysadmin/ASysadminTwitch written at 01:43:53; Add Comment
A little sysadmin twitch
Every system administrator has little twitches, behaviors that strike outside observers as somewhere between odd and superstitious. Sometimes these are just habits, but sometimes they have interesting stories behind them.
One of my twitches is that when I use
This habit originated in a bit of security advice. The story goes that
if you didn't use absolute paths, an intruder who compromised your
account could alter your
In my current environment this is mostly superstition, because most of
the time I get root access by starting a 'root xterm' (more or less
Still, it's my little twitch. Life wouldn't be quite the same without it.
* * *
Atom feeds are available; see the bottom of most pages.