Translations by ZhongHan Cai
ZhongHan Cai has submitted the following strings to this translation. Contributions are visually coded: currently used translations, unreviewed suggestions, rejected suggestions.
| 1316. |
sudo touch /etc/ssl/CA/index.txt
|
|
| 2009-01-27 | ||
| 1317. |
The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit <filename>/etc/ssl/openssl.cnf</filename>, and in the <emphasis>[ CA_default ]</emphasis> change:
|
|
| 2009-01-27 | ||
| 1318. |
dir = /etc/ssl/ # Where everything is kept
database = $dir/CA/index.txt # database index file.
certificate = $dir/certs/cacert.pem # The CA certificate
serial = $dir/CA/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
|
|
| 2009-01-27 | ||
| 1319. |
Next, create the self-singed root certificate:
|
|
| 2009-01-27 | ||
| 1320. |
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
|
|
| 2009-01-27 | ||
| 1321. |
You will then be asked to enter the details about the certificate.
|
|
| 2009-01-27 | ||
| 1322. |
Now install the root certificate and key:
|
|
| 2009-01-27 | ||
| 1323. |
sudo mv cakey.pem /etc/ssl/private/
|
|
| 2009-01-27 | ||
| 1324. |
sudo mv cacert.pem /etc/ssl/certs/
|
|
| 2009-01-27 | ||
| 1325. |
You are now ready to start signing certificates. The first item needed is a Certificate Signing Request (CSR), see <xref linkend="generating-a-csr"/> for details. Once you have a CSR, enter the following to generate a certificate signed by the CA:
|
|
| 2009-01-27 | ||
| 1326. |
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
|
|
| 2009-01-27 | ||
| 1327. |
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation.
|
|
| 2009-01-27 | ||
| 1328. |
There should now be a new file, <filename>/etc/ssl/newcerts/01.pem</filename>, containing the same output. Copy and paste everything between the <emphasis>-----BEGIN CERTIFICATE-----</emphasis> and <emphasis>----END CERTIFICATE-----</emphasis> lines to a file named after the hostname of the server where the certificate will be installed. For example <filename>mail.example.com.crt</filename>, is a nice descriptive name.
|
|
| 2009-01-27 | ||
| 1329. |
Subsequent certificates will be named <filename>02.pem</filename>, <filename>03.pem</filename>, etc.
|
|
| 2009-01-27 | ||
| 1330. |
Replace <emphasis>mail.example.com.crt</emphasis> with your own descriptive name.
|
|
| 2009-01-27 | ||
| 1331. |
Finally, copy the new certificate to the host that needs it, and configure the appropriate applications to use it. The default location to install certificates is <filename role="directory">/etc/ssl/certs</filename>. This enables multiple services to use the same certificate without overly complicated file permissions.
|
|
| 2009-01-27 | ||
| 1332. |
For applications that can be configured to use a CA certificate, you should also copy the <filename>/etc/ssl/certs/cacert.pem</filename> file to the <filename role="directory">/etc/ssl/certs/</filename> directory on each server.
|
|
| 2009-01-27 | ||
| 1333. |
For more detailed instructions on using cryptography see the <ulink url="http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html">SSL Certificates HOWTO</ulink> by tlpd.org
|
|
| 2008-10-15 |
For more detailed instructions on using cryptography see the <ulink url="http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html">SSL Certificates HOWTO</ulink> by tlpd.org
|
|
| 1334. |
<ulink url="http://www.pki-page.org/">The PKI Page</ulink> contains a list of Certificate Authorities.
|
|
| 2008-10-15 |
<ulink url="http://www.pki-page.org/">The PKI Page</ulink> contains a list of Certificate Authorities.
|
|
| 1335. |
The Wikipedia <ulink url="http://en.wikipedia.org/wiki/Https">HTTPS</ulink> page has more information regarding HTTPS.
|
|
| 2008-10-15 |
The Wikipedia <ulink url="http://en.wikipedia.org/wiki/Https">HTTPS</ulink> page has more information regarding HTTPS.
|
|
| 1336. |
For more information on <emphasis>OpenSSL</emphasis> see the <ulink url="http://www.openssl.org/">OpenSSL Home Page</ulink>.
|
|
| 2008-10-15 |
For more information on <emphasis>OpenSSL</emphasis> see the <ulink url="http://www.openssl.org/">OpenSSL Home Page</ulink>.
|
|
| 1337. |
Also, O'Reilly's <ulink url="http://oreilly.com/catalog/9780596002701/">Network Security with OpenSSL</ulink> is a good in depth reference.
|
|
| 2009-01-27 | ||
| 1374. |
Remote Administration
|
|
| 2008-10-15 |
Remote Administration
|
|
| 1375. |
There are many ways to remotely administer a Linux server. This chapter will cover one of the most popular <application>SSH</application> as well as <application>eBox</application>, a web based administration framework.
|
|
| 2008-10-15 |
There are many ways to remotely administer a Linux server. This chapter will cover one of the most popular <application>SSH</application> as well as <application>eBox</application>, a Web based administration framework.
|
|
| 1383. |
The <application>openssh-server</application> package can also be selected to install during the Server Edition installation process.
|
|
| 2008-10-15 |
The <application>openssh-server</application> package can also be selected to install during the Server Edition installation process.
|
|
| 1396. |
In the <filename>/etc/ssh/sshd_config</filename> file, or if already present, ensure the line is not commented out.
|
|
| 2008-10-15 |
In the <filename>/etc/ssh/sshd_config</filename> file, or if already present, ensure the line is not commented out.
|
|
| 1399. |
In the <filename>/etc/ssh/sshd_config</filename> file.
|
|
| 2008-10-15 |
In the <filename>/etc/ssh/sshd_config</filename> file.
|
|
| 1402. |
SSH Keys
|
|
| 2008-10-15 |
SSH Keys
|
|
| 1403. |
SSH <emphasis>keys</emphasis> allow authentication between two hosts without the need of a password. SSH key authentication uses two keys a <emphasis>private</emphasis> key and a <emphasis>public</emphasis> key.
|
|
| 2008-10-15 |
SSH <emphasis>keys</emphasis> allow authentication between two hosts without the need of a password. SSH key authentication uses two keys a <emphasis>private</emphasis> key and a <emphasis>public</emphasis> key.
|
|
| 1404. |
To generate the keys, from a terminal prompt enter:
|
|
| 2008-10-15 |
To generate the keys, from a terminal prompt enter:
|
|
| 1405. |
ssh-keygen -t dsa
|
|
| 2008-10-15 |
ssh-keygen -t dsa
|
|
| 1406. |
This will generate the keys using a <emphasis>DSA</emphasis> authentication identity of the user. During the process you will be prompted for a password. Simply hit <emphasis>Enter</emphasis> when prompted to create the key.
|
|
| 2008-10-15 |
This will generate the keys using a <emphasis>DSA</emphasis> authentication identity of the user. During the process you will be prompted for a password. Simply hit <emphasis>Enter</emphasis> when prompted to create the key.
|
|
| 1411. |
You should now be able to SSH to the host without being prompted for a password.
|
|
| 2008-10-15 |
You should now be able to SSH to the host without being prompted for a password.
|
|
| 1414. |
eBox
|
|
| 2008-10-15 |
eBox
|
|
| 1416. |
The different <application>eBox</application> modules are split into different packages, allowing you to only install those necessary. One way to view the available packages is to enter the following from a terminal:
|
|
| 2008-10-15 |
The different <application>eBox</application> modules are split into different packages, allowing you to only install those necessary. One way to view the available packages is to enter the following from a terminal:
|
|
| 1417. |
apt-cache rdepends ebox | uniq
|
|
| 2008-10-15 |
apt-cache rdepends ebox | uniq
|
|
| 1418. |
To install the <application>ebox</application> package, which contains the default modules, enter the following:
|
|
| 2008-10-15 |
To install the <application>ebox</application> package, which contains the default modules, enter the following:
|
|
| 1419. |
sudo apt-get install ebox
|
|
| 2008-10-15 |
sudo apt-get install ebox
|
|
| 1420. |
During the installation you will be asked to supply a password for the ebox user. After installing eBox the web interface can be accessed from: <emphasis>https://yourserver/ebox</emphasis>.
|
|
| 2008-10-15 |
During the installation you will be asked to supply a password for the ebox user. After installing eBox the Web interface can be accessed from: <emphasis>https://yourserver/ebox</emphasis>.
|
|
| 1421. |
An important thing to remember when using <application>eBox</application> is that when configuring most modules there is a <emphasis>Change</emphasis> button that implements the new configuration. After clicking the Change button most, but not all, modules will then need to be <emphasis>Saved</emphasis>. To save the new configuration click on the <quote>Save changes</quote> link in the top right hand corner.
|
|
| 2008-10-15 |
An important thing to remember when using <application>eBox</application> is that when configuring most modules there is a <emphasis>Change</emphasis> button that implements the new configuration. After clicking the Change button most, but not all, modules will then need to be <emphasis>Saved</emphasis>. To save the new configuration click on the <quote>Save changes</quote> link in the top right hand corner.
|
|
| 1422. |
Once you make a change that requires a Save, the link will change from green to red.
|
|
| 2008-10-15 |
Once you make a change that requires a Save, the link will change from green to red.
|
|
| 1423. |
eBox Modules
|
|
| 2008-10-15 |
eBox Modules
|
|
| 1424. |
By default all eBox <emphasis>Modules</emphasis> are not enabled, and when a new module is installed it will not be automatically enabled.
|
|
| 2008-10-15 |
By default all eBox <emphasis>Modules</emphasis> are not enabled, and when a new module is installed it will not be automatically enabled.
|
|
| 1426. |
Default Modules
|
|
| 2008-10-15 |
Default Modules
|
|
| 1427. |
This section provides a quick summary of the default <application>eBox</application> modules.
|
|
| 2008-10-15 |
This section provides a quick summary of the default <application>eBox</application> modules.
|
|
| 1428. |
<emphasis>System:</emphasis> contains options allowing configuration of general eBox items.
|
|
| 2008-10-15 |
<emphasis>System:</emphasis> contains options allowing configuration of general eBox items.
|
|
| 1429. |
<emphasis>General:</emphasis> allows you to set the language, port number, and contains a change password form.
|
|
| 2008-10-15 |
<emphasis>General:</emphasis> allows you to set the language, port number, and contains a change password form.
|
|
| 1430. |
<emphasis>Disk Usage:</emphasis> displays a graph detailing information about disk usage.
|
|
| 2008-10-15 |
<emphasis>Disk Usage:</emphasis> displays a graph detailing information about disk usage.
|
|
| 1431. |
<emphasis>Backup:</emphasis> is used to backup <application>eBox</application> configuration information, and the <emphasis>Full Backup</emphasis> option allows you to save all eBox information not included in the <emphasis>Configuration</emphasis> option such as log files.
|
|
| 2008-10-15 |
<emphasis>Backup:</emphasis> is used to backup <application>eBox</application> configuration information, and the <emphasis>Full Backup</emphasis> option allows you to save all eBox information not included in the <emphasis>Configuration</emphasis> option such as log files.
|
|
| 1434. |
<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be queried depending on the purge time configured.
|
|
| 2008-10-15 |
<emphasis>Logs:</emphasis> allows <application>eBox</application> logs to be queried depending on the purge time configured.
|
|
