Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>
Exporting_the_Files.mdwn
In order to use the certificate to authenticate a web service, it needs to be exported from TinyCA and copied to a location where your server can find it. To be more precise, the files we’ll export are:
- CA certificate: This file can (and should) be made public safely. Clients will need to have it installed in order for their software to trust the certificates signed by your CA.
- Revocation list: This file should be made available at the address you specified while configuring the CA. It will allow you later to revoke signatures, e.g. if a certificate was misused.
- Server certificate: This file can be safely made public, but you don’t need to send it to clients. It is one of the files you’ll need to make available to the servers you run, in order for them to work with SSL.
- Server key: This file IS PRIVATE. Protect it with proper permissions! Make it read-only, and preferably owned by root. Some servers (such as lighttpd) access it while being root, so `chmod 400` and `chown root:root` is the best thing to do, when possible. It depends on the implementation of each server. The server key needs to be available to the server together with the server certificate.
Another commonly used file is the CA chain file, but it is only required when you use sub-CAs. Since in our setup there aren’t any, and the root CA signs the server certificates directly, no chain file is needed.
Let’s export the CA certificate. In the main window of TinyCA, click the “Export CA Certificate” toolbar button, which is the second from the right (or left, if you use an RTL locale). Choose a location to export to. Example:
[[!img 6-export-ca-cert.png class=“center”]]
In order to export the revocation list, click the rightmost button (or leftmost, if you use an RTL locale) on the toolbar. Choose a location, enter the CA password and validity time. You can probably use the default for now, but I’m not an expert. If you need advice on expiration times, I hope other resources can help. If you do know, please share it here if you can, to make this guide more complete.
[[!img 7-export-crl.png class=“center”]]
In order to export the server certificate, go to the Certificates tab and right-click on the certificate line. Choose “Export Certificate” from the popup menu.
[[!img 8.1-export-cert-menu.png class=“center”]]
Choose a storage location and click “Save”.
[[!img 8.2-export-cert-filled-nokey.png class=“center”]]
Finally, in order to export the server key, go to the Keys tab. Right-click on the key line and select “Export Key”.
[[!img 9.1-export-key-menu.png class=“center”]]
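Choose a storage location. Set “Without Passphrase” to yes, otherwise you’ll need to supply the key passphrase every time you start the web server. The exported key file is then stored unencrypted, so the file permissions described above are all that protects it. Click “Save”. You will be asked for the certificate passphrase.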
[[!img 9.2-export-key-filled-nocert.png class=“center”]]
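Once the files are in place on the server, the export can be checked from a shell. The script below is an added example, not part of the original guide: it checks that the key has the `chmod 400` / `chown root:root` settings described above, that it loads without a passphrase and belongs to the server certificate, and that the certificate verifies directly against the CA certificate. The function names, argument order and script name are assumptions, and it needs `openssl` installed.

```shell
#!/bin/sh
# Added example, not from the original guide. File names and the expected
# owner are assumptions; pass the paths you chose when exporting.

# Succeeds only if KEY is a regular file, mode exactly 400, owned by OWNER.
key_is_locked_down() {
    key=$1 owner=${2:-root}
    [ -n "$(find "$key" -prune -type f -perm 400 -user "$owner" 2>/dev/null)" ]
}

# Succeeds if the key loads without a passphrase and holds the same public
# key as the certificate. "-passin pass:" supplies an empty passphrase so an
# encrypted key fails instead of prompting.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the server certificate verifies directly against the CA
# certificate (no chain file, as in this setup).
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Usage: sh check-export.sh KEY CERT CA [OWNER]
if [ "$#" -ge 3 ]; then
    rc=0
    key_is_locked_down "$1" "${4:-root}" ||
        { echo "FAIL: $1 is not mode 400 owned by ${4:-root}"; rc=1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $1 does not match $2, or needs a passphrase"; rc=1; }
    cert_signed_by_ca "$3" "$2" ||
        { echo "FAIL: $2 does not verify against $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: exported files are consistent"
    exit "$rc"
fi
```

Run it as root, since a key with mode 400 owned by root cannot be read by anyone else.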