I have done this, according to http://www.tc.umn.edu/~brams006/selfsign.html, part 1B (generating your own CA):
a) create a CA authority (ca.key and ca.crt)
b) make a certificate request (server.csr)
c) sign the certificate request (server.crt and server.key) with the new CA authority
d) change the server key so it does not ask for a passphrase.
Afterwards, the server.crt and server.key files are included in /usr/share/fred-client/ssl directory, and the fred-client configuration file is modified like this:
ssl_cert = %(dir)s/server.crt
ssl_key = %(dir)s/server.key
Now, if I try to run fred-client this is the result:
ERROR: socket.sslerror: [Errno 1] _ssl.c:480: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (200.107.82.18:700)
Certificate not signed by verified certificate authority
What should I do for fred-client to identify these certificates as valid?
Thanks in advance.
Note: the new fred-client is perfectly compatible with FRED 2.2.
--
Mario Guerra <mguerra(a)nic.cr>
Hi,
CZ.NIC will host the next ICANN meeting in Prague on June 24-29 this year -
http://prague44.icann.org/ and http://www.icannprague.cz/
I had an idea to do a one-day workshop for FRED prior to this meeting on
Sunday 24 if there is some demand. Topics would cover:
- features, architecture, component description
- installation procedure
- basic configuration - adding zone, adding registrar,...
- place for questions.
The workshop would be in our offices where we have a small educational
room for 20 people. Please let me know if you would like to participate
in this activity, we have five weeks to arrange it.
Regards,
Jaromir
--
Jaromir Talir
technicky reditel / Chief Technical Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americka 23, 120 00 Praha 2, Czech Republic
mailto:jaromir.talir@nic.cz http://nic.cz/
sip:jaromir.talir@nic.cz tel:+420.222745107
mob:+420.739632712 fax:+420.222745112
-------------------------------------------
Anyone tried to install the 2.11!?
I am getting sql/epp_login.sql: No such file or directory on the fred-db* package
fred-db-2.11.0 # make
./orderedsql.sh > structure.sql
cat: ./sql/epp_login.sql: No such file or directory
Regards,
A
As of today, 12 June, we are using our EPP module and fred-client certificates. They are signed by the same CA, in our case, our own.
These scripts can help you to do that:
CA creation (if you decide to have your own):
--------------------------------------------
#!/bin/bash
openssl genrsa -des3 -out nicca.key 4096
openssl req -new -x509 -days 1095 -key nicca.key -out nicca.crt -subj /C=<country>/L=<City>/O=<country>.NIC/OU=Registry/CN=localhost/
Certificate request and signing (the latter is done by an external CA if you decide so):
#!/bin/bash
# Argument $1 is the certificate name, e.g. NIC-REG1
echo "Create CSR for $1"
openssl genrsa -des3 -out "$1.key" 4096
openssl req -new -key "$1.key" -out "$1.csr" -subj /C=<country>/ST=<province/state>/L=<Location>/O=<country>.NIC/OU=Registry/CN=localhost/emailAddress=<your email address>
# You don't need the next two lines if you use an external CA
echo "Sign certificate for $1"
openssl x509 -req -days 1095 -in "$1.csr" -CA nicca.crt -CAkey nicca.key -set_serial 01 -out "$1.crt"
echo "Generate key w/o passphrase"
openssl rsa -in "$1.key" -out "$1.key.insecure"
mv "$1.key" "$1.key.secure"
mv "$1.key.insecure" "$1.key"
The latter script is used both for the EPP module and fred-client but creates two independent certificates. Also, for fred-client you need to modify the cert field in the registraracl table for the respective registrar so it states the FRED certificate fingerprint. Calculate that with this:
openssl x509 -md5 -noout -in NIC-REG1.crt -fingerprint | awk 'BEGIN {FS="="} {print $2}'
More details at http://www.guerra.co.cr/ (Certificate management using FRED).
Any comment is welcome.
--
Mario Guerra <mguerra(a)nic.cr>
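Added example, not part of Mario's posts or of the FRED project: a self-contained bash script that ties the first message (the "tlsv1 alert unknown ca" failure) to the last one (both certificates signed by the same CA, fingerprint stored in registraracl). It builds a throwaway CA, issues one certificate under it and one under an unrelated CA, checks each against the registry CA with openssl verify, and prints the MD5 fingerprint in the form the registraracl.cert column expects. The CA and certificate names (nicca, otherca, epp-server, fred-client, stray-client), the subject fields, the 30-day validity and the passphrase-less keys are all constructed for the demo and are written to a temporary directory.

```shell
#!/bin/bash
# Added example, not from the original posts. Builds a throwaway CA, issues
# certificates under it and under an unrelated CA, verifies each against the
# registry CA and prints the fingerprint expected in registraracl.cert.
# All names and subject fields below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=XX/O=Example.NIC/OU=Registry"   # constructed placeholder subject

# make_ca <name>: self-signed CA key and certificate in $WORK.
# -nodes (no passphrase) is acceptable only because this CA is disposable.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "$SUBJ_BASE/CN=$1" 2>/dev/null
}

# issue_cert <ca> <name>: key, CSR and CA-signed certificate for <name>.
# -CAcreateserial keeps serials unique, unlike a fixed -set_serial 01.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against <ca> <name>: prints "ok" if <name>.crt chains to <ca>.crt,
# otherwise "unknown ca" (the trust failure behind the TLS alert in the
# first message, reproduced here without a live server).
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "unknown ca"
  fi
}

# fingerprint <name>: MD5 fingerprint of <name>.crt with the
# "MD5 Fingerprint=" label stripped, i.e. the registraracl.cert value.
fingerprint() {
  openssl x509 -md5 -noout -fingerprint -in "$WORK/$1.crt" | cut -d= -f2
}

make_ca nicca            # the registry's own CA
make_ca otherca          # an unrelated CA, for the failure case
issue_cert nicca epp-server
issue_cert nicca fred-client
issue_cert otherca stray-client

echo "fred-client vs nicca:  $(verify_against nicca fred-client)"
echo "stray-client vs nicca: $(verify_against nicca stray-client)"
echo "registraracl.cert for fred-client: $(fingerprint fred-client)"
```

Two differences from the posted scripts are deliberate: -CAcreateserial replaces -set_serial 01 so that two certificates issued by the same CA never share a serial number, and -nodes is used only because the CA here is disposable; for a real registry CA the passphrase-protected key in the posted script is the right choice.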