== Obtaining a Certificate ==
In the real world, the process for obtaining a certificate would look like this:
# '''You''': Create a certificate request (often abbreviated as CSR). You don't need to do it on the server that requires the certificate. Typically this is done on a command line with the openssl command.
# '''Clients''': When someone connects to your server using a secure mechanism, they first ask your server for a copy of your certificate (public key). Then they verify that a CA they trust signed that certificate and that it has not expired. Following that, they can encrypt messages they send to your server using the public key it gave them.
In our case each of you will be all three of the above: '''You''', the '''CA''', and the '''clients'''. That will allow us to do all this stuff in one lab.
Follow these steps in the TinyCA application:
# Acting as '''you''': generate a new certificate request in the Requests tab. The common name is particularly important: it has to match the name of the server where you'll use the certificate. You'll need to put in a password here but eventually we'll get rid of it.<br />[[File:TinyCACreateCSR.png]]
# Acting as the '''CA''': sign the request.<br />[[File:TinyCASignCSR.png]]
# Again acting as the '''CA''': export the certificate and key (i.e. the public key and the private key) as .pem files. The extension .pem doesn't imply what the contents are; it's just a format that is typically used to store keys. You want to export the key without a passphrase, unless you want to type in a password every time your server reboots:<br />[[File:TinyCAExportCert.png]]<br /><br />[[File:TinyCAExportKey.png]]
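The same three roles carried out with the openssl command line instead of TinyCA, as an added example that is not part of the original lab. The names Lab CA, Other CA and www.lab.example and the temporary file paths are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. "Lab CA", "Other CA" and www.lab.example are constructed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # the unencrypted private key should not linger

# CA: create a self-signed root certificate; $1 = file prefix, $2 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# You: create a private key and a CSR; $1 = common name (the server's name).
# -nodes writes the key without a passphrase, like the TinyCA key export.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# CA: sign the request, producing the server certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -days 30 -CAcreateserial \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/server.pem" 2>/dev/null
}

# Client: is the certificate signed by a CA in this trust file and unexpired?
client_trusts() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Client: which server name does the certificate claim?
cert_cn() {
  openssl x509 -in "$WORK/server.pem" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Sanity check before deploying: do the exported key and certificate match?
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

make_ca ca "Lab CA"; make_ca other "Other CA"
make_csr www.lab.example; sign_csr
echo "CN: $(cert_cn)"
client_trusts "$WORK/ca.pem" && echo "trusted by a client that trusts Lab CA"
client_trusts "$WORK/other.pem" || echo "rejected by a client that trusts only Other CA"
key_matches_cert && echo "key and certificate match"
```

The rejection by a client that trusts only Other CA is the point of the signing step: the certificate is only as good as the client's trust in the CA that signed it.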
= Lab completion =