...

We highly recommend that SHRINE networks going forward adopt this approach whenever possible, especially for networks larger than 4 nodes. When using a CA in a hub-based topology, a node only needs to create firewall exceptions for one other host (the hub) and only needs to perform one certificate exchange, solving the N^2 problem that has traditionally afflicted larger SHRINE networks.

...


For Hub Administrators

The server that will function as the Certificate Authority will require a distribution of OpenSSL with the CA.sh/CA.pl/CA helper script. While it is possible to operate as a CA without the helper script, it is strongly recommended to use the helper script, as it makes life much easier. The exact location of this helper script varies from distribution to distribution, but three places to start are /usr/local/ssl/misc, /etc/pki/tls/misc, and /System/Library/OpenSSL/misc. The second of these (/etc/pki/tls/misc) is what CentOS uses, and the rest of the guide will be written assuming a CentOS environment.

Establish a Certificate Authority

Run the following command as root:

...

Be sure openssl is available on the machine that you use to create the CA cert. 

> which openssl

/usr/bin/openssl


Establish a Certificate Authority for Signing Queries

Create a file with these contents:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]


[ v3_req ]
basicConstraints = CA:FALSE

 

Run the following commands:

> export SHRINE_HUB="aGoodNameForYourHub"

> mkdir $SHRINE_HUB

Generate the hub CA

> openssl req -x509 -new -newkey rsa:2048 -keyout $SHRINE_HUB/$SHRINE_HUB.key -sha256 -nodes -days 1024 -out $SHRINE_HUB/$SHRINE_HUB.crt -subj "/C=US/ST=Massachusetts/L=Boston/O=Harvard Medical School/OU=Catalyst SHRINE QA Network/CN=$SHRINE_HUB"
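As an added example (not part of the SHRINE documentation), the same CA generation wrapped in a POSIX shell script that also checks the result before the certificate is handed out to node administrators. The hub name, the organization fields in the subject and the working directory are constructed placeholders. Because -nodes writes the private key unencrypted, the script restricts the key file to its owner; the checks then confirm that the certificate is self-issued, that its CN is the hub name, that the key and certificate belong together, and finally print the SHA-256 fingerprint that node administrators can compare over a separate channel when they receive the hub certificate.

```shell
#!/bin/sh
# Added example: create the hub CA as the guide does, then sanity-check it.
# SHRINE_HUB, the subject fields and WORKDIR are constructed placeholders.
set -eu

SHRINE_HUB="${SHRINE_HUB:-exampleHub}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HUB_KEY="$WORKDIR/$SHRINE_HUB/$SHRINE_HUB.key"
HUB_CRT="$WORKDIR/$SHRINE_HUB/$SHRINE_HUB.crt"

# Generate the hub CA key and self-signed certificate (same openssl req
# invocation as the guide, with placeholder subject fields).
make_hub_ca() {
    mkdir -p "$WORKDIR/$SHRINE_HUB"
    openssl req -x509 -new -newkey rsa:2048 -keyout "$HUB_KEY" \
        -sha256 -nodes -days 1024 -out "$HUB_CRT" \
        -subj "/C=US/ST=Massachusetts/L=Boston/O=Example Org/OU=Example SHRINE Network/CN=$SHRINE_HUB" \
        2>/dev/null
    # -nodes leaves the private key unencrypted on disk, so at least
    # make sure only the CA operator's account can read it.
    chmod 600 "$HUB_KEY"
}

# Return 0 when the generated CA is self-consistent, 1 otherwise.
check_hub_ca() {
    # 1. Self-issued: subject and issuer must be identical.
    subj="$(openssl x509 -in "$HUB_CRT" -noout -subject | sed 's/^subject=//')"
    iss="$(openssl x509 -in "$HUB_CRT" -noout -issuer | sed 's/^issuer=//')"
    [ "$subj" = "$iss" ] || return 1
    # 2. The CN is the hub name that nodes will configure.
    printf '%s\n' "$subj" | grep -q "CN *= *$SHRINE_HUB" || return 1
    # 3. The public key inside the certificate matches the private key file.
    key_pub="$(openssl pkey -in "$HUB_KEY" -pubout 2>/dev/null)"
    crt_pub="$(openssl x509 -in "$HUB_CRT" -noout -pubkey)"
    [ "$key_pub" = "$crt_pub" ] || return 1
    return 0
}

# SHA-256 fingerprint of the hub certificate, to be compared out of band
# when a node administrator receives the certificate from the hub.
hub_fingerprint() {
    openssl x509 -in "$HUB_CRT" -noout -fingerprint -sha256 | cut -d= -f2
}

# Run end to end when invoked directly with SHRINE_CA_DEMO=1.
if [ "${SHRINE_CA_DEMO:-}" = "1" ]; then
    make_hub_ca
    if check_hub_ca; then
        echo "hub CA for $SHRINE_HUB OK, fingerprint $(hub_fingerprint)"
    else
        echo "hub CA for $SHRINE_HUB failed consistency checks" >&2
        exit 1
    fi
fi
```

Run it as `SHRINE_CA_DEMO=1 SHRINE_HUB=aGoodNameForYourHub sh make-hub-ca.sh`; the files land under a fresh temporary directory unless WORKDIR is set. The three checks are cheap and catch the usual mistakes (a key overwritten by a second run, a CN that does not match the hub name nodes were told to expect) before the certificate is distributed.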

 

The script will ask for a password, which you will be prompted for every time you wish to sign a certificate. Keep this password safe, and make sure it is different from any other password used for keystores and certificates! The script will also ask for the standard certificate information. When prompted for a challenge password and optional company name, leave these blank. Sample output from the script is provided below:

...