###########################################################################
#                 Generating SSL Certificate and KEY                      #
#                                by                                       #
#          The Honeynet Project and the Research Alliance                 #
###########################################################################

Last Modified: 18 April, 2005

PURPOSE
=======

During the installation process, the Honeywall CDROM Roo auto-generates and
installs a new SSL certificate for the webserver. This should be enough to
give you secured communications with the Walleye webserver. However,
individuals or organizations may want to generate their own key and
certificate again. The purpose of this document is to demonstrate how to
generate your own certificate and server key.

Keep in mind that a self-signed cert is not part of any certificate
authority (CA) chain, and thus browsers have no way of verifying it. Users
either have to load the cert into the browser in advance (somewhat
complicated, or at best a hassle, for most users), or they have to verify
the fingerprint when the browser warns that it does not recognize the cert.
You may want to consider purchasing a cert from a commercial CA, using your
organization's CA if it has one, or using http://www.cacert.org.

For more information on self-signed certificates, refer to
http://sial.org/howto/openssl/self-signed/

SETUP
=====

Below are the commands to generate and install your own host key
(server.key) and certificate (server.crt).

  /usr/bin/openssl genrsa 1024 > /etc/walleye/server.key
  /usr/bin/chmod go-rwx /etc/walleye/server.key
  /usr/bin/openssl req -new -key /etc/walleye/server.key -x509 -days 365 \
      -out /etc/walleye/server.crt -set_serial `date +%s`

The chmod is there because the private key must not be readable by anyone
but root. The -set_serial option takes the serial number from the current
time, so a regenerated cert never reuses the serial of the one it replaces;
a browser that cached the old cert objects to seeing the same issuer and
serial with a different key. The 1024-bit key size reflects the date of this
document; current guidance is at least 2048 bits.

To confirm the fingerprint of the certificate, do the following.

  /usr/bin/openssl x509 -noout -fingerprint -text < /etc/walleye/server.crt

Once you have generated your keys and confirmed the fingerprint, you will
then need to restart the webserver. This is done as follows.

  /etc/init.d/walleye-httpd restart

If the key and cert don't match up (that is, the public key in server.crt
does not correspond to the private key in server.key), the restart will
fail. Otherwise it should succeed.
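The procedure above, collected into a small shell script as an added example
(this is not part of the Honeywall distribution). It writes into a directory
you choose rather than /etc/walleye, uses a 2048-bit key and a non-interactive
-subj instead of answering the req prompts, and adds the check a practitioner
wants before restarting walleye-httpd: that the RSA modulus in server.key is
the one in server.crt. The hostname and directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Honeywall project: regenerate a Walleye-style
# host key and self-signed cert, print the fingerprint, and verify that the
# key and cert belong together before the webserver is restarted.
set -eu

# gen_selfsigned DIR DAYS BITS SUBJECT
#   Writes DIR/server.key (mode 0600) and DIR/server.crt. Mirrors the
#   commands in this document; -subj avoids the interactive prompts.
gen_selfsigned() {
    dir=$1; days=$2; bits=$3; subj=$4
    mkdir -p "$dir"
    # umask in a subshell: the key is never world-readable, not even briefly
    ( umask 077; openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null )
    chmod go-rwx "$dir/server.key"
    # serial from the clock, as in the document, so it is never reused
    openssl req -new -key "$dir/server.key" -x509 -days "$days" \
        -subj "$subj" -set_serial "$(date +%s)" -out "$dir/server.crt"
}

# fingerprint DIR
#   SHA-256 fingerprint, which is what current browsers display in the
#   warning dialog for an unknown cert.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/server.crt"
}

# keys_match DIR
#   Prints "match" when server.key and server.crt share an RSA modulus,
#   "mismatch" otherwise. walleye-httpd will not start on a mismatch,
#   so run this before the restart rather than after.
keys_match() {
    dir=$1
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    if [ "$kmod" = "$cmod" ]; then echo match; else echo mismatch; fi
}

# Demo: generate into a scratch directory (assumed hostname), check it, then
# reproduce the failure mode by replacing only the key.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_selfsigned "$work" 365 2048 "/CN=honeywall.example.org"
    fingerprint "$work"
    echo "key/cert check: $(keys_match "$work")"
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    echo "after replacing only the key: $(keys_match "$work")"
    rm -rf "$work"
fi
```

To use it for real, point gen_selfsigned at /etc/walleye, run keys_match,
and only then run /etc/init.d/walleye-httpd restart.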