A make file for managing the ssl keys of a server
root
Server (make-ssl)
This directory contains a Makefile
and a ssl.conf
file to help you create private keys and certificate requests for server keys. Although this has been created to complement the MAKE-SSL/server-ca
package, it can be used independently.
Configuring.
The configuration is done by editing the files Makefile.configure and ssl.conf. What each variables does and possible settings are described in the comments of these file itself. Here is what you will find in each of these files.
Makefile.configure: The main this that you configure here are commands to restart the server and any pre key generation step. You can also configure various parameters of the key, like number of bits, key type etc but the default parameters should be good enough. See the file itself for more details.
ssl.conf: Primarily the subject name and hostnames.
Creating keys and request.
Create the private key and certificate request using the command
$ make key
Get the request.pem certified.
Configure the server to use the private key and certificates.
Standard targets
$ make key # to generate key and request
$ make expire # to expire old keys
$ make obliterate # Cleans up stuff (used only while testing).
$ make help # short help on help
$ make help target=TARGET # A small help on the target TARGET
$ make show info=request # Shows the details of the request
$ make show info=certificate # Shows the details of the certificate
$ make show info=fingerprint # Shows the finger print of the certificates
The above steps will usually suffice, however, if you want to do something fancier, read on.
A brief description of the generated files
- private.pem : The private key.
- request.pem : The certificate request for the key in private.key.
- dsa.param : The DSA parameters for the key in private.key (Generate only for DSA keys).
- dh.param : DH-parameter file for forward security in servers.
Keys for multiple hostnames.
Sometimes a single key is used for many server, for example smtp and smtprelay might be the same server. In this case one needs the key to have multiple hostnames. Edit the [ host_names ]
section of the file ssl.conf
(relevant documentation is available there).
Generating keys with passphrase
Typically server keys are not encrypted. This is not such a bad idea provided the server private keys are unreadable to normal users. If you are paranoid, which you should be, it is good to keep the server keys encrypted. However this means that whenever the server has to be restarted the passphrase has to be provided. Set the variable KEY_ENCRYPT
to appropriate value in Makefile.configure for this (See also the section on configuring).
Cleanup (Warning use only while testing)
$ make obliterate
This gets rid of all keys, certificate request and self signed certificates. If you obliterate your already certified key you will have to generate a new key and get it certified.