
Winter 2010 Posters/Certs

2,009 bytes added, 22:30, 17 April 2010
Links
Together, these certs allow the builders to communicate with the koji hub and vice versa. After researching and a bit of tweaking, I managed to utilize a concept from the Fedora Project website (http://fedoraproject.org/wiki/Koji/ServerHowTo) and created a script which takes minimal effort for anyone making multiple certs, or for anyone who would rather quickly make a cert than learn the process.
 
In our scenario we used SSL to perform our configuration; however, Kerberos offers another means of accomplishing the same thing without requiring authentication. This path, however, is only a 'quick-fix', because eventually SSL will have to be used.
 
= Koji Cert Process =

# A certificate authority (CA) must be created.
# The certificate authority must have a private key and public key created.
# A certificate must be created for the server using the configuration and signature of the CA.
# Other client certs can then be created, such as kojihub, kojiweb, etc.
= How to use the script =

Run the script once per builder; for example, for 25 ARM builders:

<pre>
for user in arm{1..25}
> do
> ./certscript $user
> done
</pre>
The OpenSSL configuration template (ssl.cnf) used by the script; the %s placeholders are substituted with the certificate name:

<pre>
HOME = .
RANDFILE = .rand

[ca]
default_ca = ca_default

[ca_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/%s_ca_cert.pem
private_key = $dir/private/%s_ca_key.pem
serial = $dir/serial
crl = $dir/crl.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match

[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = MASK:0x2002

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Seneca CDOT
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_default = hongkong
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[req_attributes]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
</pre>
 
 
 
= Problems Encountered =
 
Because the koji certificate is one of the first things that have to be established before anything else will work (the other being the database), it is typically the first one to get picked on when something isn't working. One problem during this process was the creation of kojihub and kojiweb. These two certs have a small stipulation that states that their 'commonName' should be the same. Unknown to me at the time, a prerequisite of this requires that the OU (Organizational Unit) should be different, or else the cert will complain during creation that another cert with identical settings has been created. After some more research on the Fedora Project website, I found the necessary steps to rectify the issue and move on.
 
 
Another issue I came across was the fact that different sources provided different "requirements". For example, some sources stated that when creating the kojihub and kojiweb certs the "Common Name" value is required to be a FQDN (Fully Qualified Domain Name), while others said it didn't. This made troubleshooting the kojihub process rather strenuous.
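The following script is an added example for this page, not the author's certscript. It walks the four steps listed under "Koji Cert Process" against a throwaway CA, using a trimmed copy of the ssl.cnf above (sha256 in place of md5, and fixed file names in place of the %s placeholders), and then reproduces the kojihub/kojiweb problem described in this section: two certs with the same commonName are only accepted by the CA when their OU differs. It assumes openssl is in PATH; the DN values, the hostname "hongkong" and the OU names are constructed sample values.

```bash
#!/bin/bash
# Added example, not the page's certscript: steps 1-4 of the Koji cert
# process with a throwaway CA, plus the duplicate-subject failure mode.
# Assumptions: openssl in PATH; the config below is a trimmed version of the
# page's ssl.cnf (sha256 instead of md5); DN values, the hostname "hongkong"
# and the OU names are constructed sample values.
set -e

# policy_match requires C, ST and O to be identical between CA and request.
DN_BASE="/C=CA/ST=Ontario/O=Seneca CDOT"

write_ca_config() {
    cat > "$1/ssl.cnf" <<'EOF'
[ca]
default_ca = ca_default
[ca_default]
dir = .
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/ca_cert.pem
private_key = $dir/private/ca_key.pem
serial = $dir/serial
x509_extensions = usr_cert
default_days = 3650
default_md = sha256
policy = policy_match
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
}

# Steps 1 and 2: CA directory layout, CA private key and self-signed CA cert.
init_ca() {
    local dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    write_ca_config "$dir"
    ( cd "$dir" &&
      openssl genrsa -out private/ca_key.pem 2048 2>/dev/null &&
      openssl req -config ssl.cnf -new -x509 -key private/ca_key.pem \
          -subj "$DN_BASE/CN=koji-ca" -days 3650 -out ca_cert.pem )
}

# Steps 3 and 4: key and CSR for one name, signed by the CA with the usr_cert
# extensions. LABEL names the files, CN defaults to LABEL, OU is optional.
# kojihub and kojiweb share a CN, so they need different OUs: the CA's
# index.txt refuses a second cert whose subject is identical to an earlier one.
make_cert() {
    local dir="$1" label="$2" cn="${3:-$2}" ou="${4:-}"
    local subj="$DN_BASE${ou:+/OU=$ou}/CN=$cn"
    ( cd "$dir" &&
      openssl genrsa -out "certs/${label}_key.pem" 2048 2>/dev/null &&
      openssl req -config ssl.cnf -new -key "certs/${label}_key.pem" \
          -subj "$subj" -out "certs/${label}_req.csr" &&
      openssl ca -config ssl.cnf -batch -notext \
          -in "certs/${label}_req.csr" -out "certs/${label}_cert.pem" 2>/dev/null )
}

# Check that a signed cert chains back to the CA cert.
verify_cert() {
    ( cd "$1" && openssl verify -CAfile ca_cert.pem "certs/$2_cert.pem" >/dev/null )
}

# Usage when run directly: ./koji_certs.sh /path/to/ca arm{1..25}
if [ $# -ge 2 ]; then
    ca_dir="$1"; shift
    [ -f "$ca_dir/ca_cert.pem" ] || init_ca "$ca_dir"
    for user in "$@"; do make_cert "$ca_dir" "$user"; done
fi
```

The CA directory is created with `dir = .`, so every openssl call runs from inside it; `openssl ca` keeps its own record of issued subjects in index.txt, which is what produces the "another cert with identical settings" complaint when kojihub and kojiweb are requested with the same CN and the same (or no) OU.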
 
= Acknowledgements =
 
[[User:Paul.W]]
 
[[User:Chris_Tyler]]
 
= Logos =
 
* Fedora
* Seneca
* Apache
* OpenSSL
 
 
= Links =
 
My Blog: http://sidsbr.blogspot.com/
 
Fedora Projects Koji Setup Document: http://fedoraproject.org/wiki/Koji/ServerHowTo
 
= Sources =
 
http://fedoraproject.org/wiki/Koji/ServerHowTo