Sigul Signing Server Setup

22 bytes added, 14:25, 14 May 2015
=Sigul Bridge Setup=

1) Create an NSS database on the bridge to hold the certificate information. As user '''sigul''', issue the following:
* Login as sigul:
 su -s /bin/bash sigul
* Generate a new NSS database for the bridge at the location of the bridge_dir variable:
 bridge_dir=/var/lib/sigul
 certutil -d $bridge_dir -N
2) Now generate the CA (Certificate Authority) certificate, to be used across all sigul components.
* Be sure to replace '''my-ca''' with whatever you want your CA to be named, such as '''sigul-ca''' for example:
 certutil -d $bridge_dir -S -n my-ca -s 'CN=My CA' -t CT,, -x -v 120
3) Create a certificate for the bridge.
* Be sure to replace BRIDGE_HOSTNAME with the hostname of the machine it resides on:
 certutil -d $bridge_dir -S -n sigul-bridge-cert -s 'CN=BRIDGE_HOSTNAME' -c my-ca -t u,, -v 120
4) Now it is time to configure the bridge. As '''ROOT''', edit the config at ''/etc/sigul/bridge.conf'':
* Login as ROOT
* Edit ''/etc/sigul/bridge.conf'':
 #/etc/sigul/bridge.conf
5) After editing the config and setting up the certs, it is time for a test drive. As '''ROOT''', issue the following:
* Start the bridge in DEBUG mode; all information will be logged in ''/var/log/sigul_bridge.log'':
 sigul_bridge -v -v
* Check the log file after starting sigul; if there are no errors you are good to go.
** You should see the first log message in ''/var/log/sigul_bridge.log'':
 2011-11-24 16:41:42,214 DEBUG: Waiting for the client to connect
* Stop the sigul_bridge with CTRL-C and start the service:
 systemctl start sigul_bridge
=Sigul Server Setup=

1) Create the NSS database on the server to hold the certificate information. As user '''sigul''', issue the following:
* Login as sigul:
 su -s /bin/bash sigul
* Generate a new NSS database for the server at the location of the server_dir variable:
 server_dir=/var/lib/sigul
 certutil -d $server_dir -N
2) Now import the CA (Certificate Authority) certificate generated earlier on the bridge.
* Issue ON THE BRIDGE as user '''sigul''':
 pk12util -d $bridge_dir -o myca-server.p12 -n my-ca
* Copy ''myca-server.p12'' over to the server and delete it from the bridge afterwards.
* Issue ON THE SERVER as user '''sigul''':
 pk12util -d $server_dir -i myca-server.p12
 rm myca-server.p12
* Be sure to change '''my-ca''' to your CA name:
 certutil -d $server_dir -M -n my-ca -t CT,,
* The sigul CA certs should now be imported.
* Be sure to replace SERVER_HOSTNAME with the hostname of the machine it resides on:
 certutil -d $server_dir -S -n sigul-server-cert -s 'CN=SERVER_HOSTNAME' -c my-ca -t u,, -v 120
3) Now it is time to configure the server. As '''ROOT''', edit the config at ''/etc/sigul/server.conf'':
* Login as ROOT
* Edit ''/etc/sigul/server.conf'':
 #/etc/sigul/server.conf
6) After all is configured, it's time for a test drive. As '''ROOT''':
* Start the server in DEBUG mode; all information will be logged in ''/var/log/sigul_server.log'':
 sigul_server -v -v
* Check the log file after starting sigul; if there are no errors you are good to go.
** You should see the first log message in ''/var/log/sigul_server.log'':
 2011-11-24 16:36:42,154 DEBUG: Waiting for a request
* Stop the sigul_server with CTRL-C and start the service:
 systemctl start sigul_server
=Sigul Client Setup=

1) Create the NSS database on the client to hold the certificate information. Issue the following:
* Generate a new NSS database for the client at the location of the client_dir variable:
 client_dir=~/.sigul
 certutil -d $client_dir -N
2) Now import the CA (Certificate Authority) certificate generated earlier on the bridge.
* Issue ON THE BRIDGE as user '''sigul''':
 pk12util -d $bridge_dir -o myca-client.p12 -n my-ca
* Copy ''myca-client.p12'' over to the client and delete it from the bridge afterwards.
* Issue ON THE CLIENT as your own user:
 pk12util -d $client_dir -i myca-client.p12
 rm myca-client.p12
* Be sure to change '''my-ca''' to your CA name:
 certutil -d $client_dir -M -n my-ca -t CT,,
3) Next we have to generate the authentication certificate for the client.
* Be sure to replace YOURUSERNAME with the user you are using on the client system,
* OR set 'CN=YOUR FAS NAME' if using FAS authentication:
 certutil -d $client_dir -S -n sigul-client-cert -s 'CN=YOURUSERNAME' -c my-ca -t u,, -v 120
4) Now it is time to configure the client. As '''ROOT''', edit the config at ''/etc/sigul/client.conf'':
* Login as ROOT
* Edit ''/etc/sigul/client.conf'':
 # /etc/sigul/client.conf
 ...
* If you wish to avoid entering an NSS password upon issuing each command, create/edit ''~/.sigul/client.conf'' and add the following lines:
 [nss]
 nss-password: Your NSS PASS
6) Create an initial key once you are able to issue commands to sigul. Issue the following:
 sigul new-key -h
* This will output the options that can be used with the key creation; use the ones you want and generate the key.
* '''NOTE:''' When generating the key, the server requires a lot of entropy, so issue some commands to keep the server busy and help it generate faster; usually a simple find / will generate enough for the key to take about 2 minutes to generate.
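An added check, not part of this wiki page or of sigul itself: after the certutil -N / -S, pk12util -i and certutil -M steps on the bridge, server and client, this POSIX shell script reads the output of certutil -d <dir> -L and confirms that the CA carries the CT trust flags and that the component certificate is present with its private key. The listings it is shown running against are constructed samples, so it works without the NSS tools installed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check that a sigul NSS database
# holds the CA and the component certificate with the trust flags the steps
# above expect. It parses `certutil -d <dir> -L` output; constructed listings
# are embedded so the check runs without the NSS tools installed.

# Print the trust column of nickname $2 in listing $1 (empty if absent).
# Sigul nicknames contain no spaces, so the nickname is the first field.
nss_trust_of() {
    printf '%s\n' "$1" | awk -v nick="$2" 'NF >= 2 && $1 == nick { print $NF; exit }'
}

# Succeed when the SSL slot (first of SSL,S/MIME,JAR/XPI) of $2 carries every
# flag letter in $3. "C" = trusted CA for server certs, "T" = trusted CA for
# client certs, "u" = this database also holds the matching private key.
nss_has_flags() {
    ssl=$(nss_trust_of "$1" "$2" | cut -d, -f1)
    [ -n "$ssl" ] || return 1
    for flag in $(printf '%s' "$3" | sed 's/./& /g'); do
        case "$ssl" in *"$flag"*) ;; *) return 1 ;; esac
    done
    return 0
}

# $1 listing, $2 CA nickname, $3 component nickname. Fails when the
# `certutil -M -n my-ca -t CT,,` step was skipped after importing the CA.
check_sigul_db() {
    nss_has_flags "$1" "$2" CT || { echo "CA $2 is not trusted CT,," >&2; return 1; }
    nss_has_flags "$1" "$3" u  || { echo "$3 missing or has no private key" >&2; return 1; }
}

# Constructed sample of `certutil -d /var/lib/sigul -L` after the bridge steps.
BRIDGE_LISTING='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

my-ca                                            CTu,u,u
sigul-bridge-cert                                u,u,u'

# Constructed sample of a server database where the CA was imported with
# pk12util but `certutil -M` was never run: my-ca only shows u,u,u.
SERVER_LISTING_UNTRUSTED='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

my-ca                                            u,u,u
sigul-server-cert                                u,u,u'

# Live use on a component: check_sigul_db "$(certutil -d /var/lib/sigul -L)" my-ca sigul-bridge-cert
```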
=Sigul with koji Setup=
