As of today, 12 June, we are using our EPP module and fred-client certificates. They are
signed by the same CA, in our case, our own.

These scripts can help you to do that:

CA creation (if you decide to have your own):
--------------------------------------------
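#!/bin/bash
# Generate a passphrase-protected 4096-bit RSA key for the CA
openssl genrsa -des3 -out nicca.key 4096
# Self-sign the CA certificate, valid for 1095 days; replace the <...> placeholders
openssl req -new -x509 -days 1095 -key nicca.key -out nicca.crt \
    -subj "/C=<country>/L=<City>/O=<country>.NIC/OU=Registry/CN=localhost/"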

Certificate request and signing (the latter is done by an external CA if you decide so):
----------------------------------------------------------------------------------------
#!/bin/bash
# $1 is the base name for the generated .key, .csr and .crt files
echo "Create CSR for $1"
openssl genrsa -des3 -out "$1.key" 4096
openssl req -new -key "$1.key" -out "$1.csr" \
    -subj "/C=<country>/ST=<province/state>/L=<Location>/O=<country>.NIC/OU=Registry/CN=localhost/emailAddress=<your email address>"
# You don't need the signing step if you use an external CA
echo "Sign certificate for $1"
# -set_serial 01 gives every certificate signed by this script the same serial number
openssl x509 -req -days 1095 -in "$1.csr" -CA nicca.crt -CAkey nicca.key -set_serial 01 -out "$1.crt"
echo "Generate key w/o passphrase"
openssl rsa -in "$1.key" -out "$1.key.insecure"
mv "$1.key" "$1.key.secure"
mv "$1.key.insecure" "$1.key"

The latter script is used both for the EPP module and fred-client but create two
independent certificates. Also, for fred-client you need to modify the cert field in the
registraracl table for the respective registrar so it states the FRED certificate
fingerprint. Calculate that with this:

openssl x509 -md5 -noout -in NIC-REG1.crt -fingerprint | awk 'BEGIN {FS="="} {print $2}'

More details at
http://www.guerra.co.cr/ (Certificate management using FRED).
Any comment is welcome.
--
Mario Guerra <mguerra(a)nic.cr>
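
A check for the certificates produced by the scripts above, added here as an example and not part of the original message: it confirms that each certificate verifies against the CA, prints the MD5 fingerprint in the form the message computes for the registraracl cert field, and lists serial numbers shared by more than one certificate. The function names and the command-line usage are assumptions.

```bash
#!/bin/sh
# Added example, not from the original message. Function names are assumptions.

# Print the MD5 fingerprint of certificate $1 as colon-separated hex,
# the same value the fingerprint command in the message produces.
cert_fingerprint() {
    openssl x509 -md5 -noout -fingerprint -in "$1" | cut -d= -f2
}

# Succeed only if certificate $2 verifies against CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print each serial number that appears in more than one of the given
# certificates (signing everything with -set_serial 01 yields "01").
duplicate_serials() {
    for crt in "$@"; do
        openssl x509 -noout -serial -in "$crt" | cut -d= -f2
    done | sort | uniq -d
}

# Assumed usage: sh check-certs.sh nicca.crt NIC-REG1.crt [more.crt ...]
if [ "$#" -ge 2 ]; then
    ca=$1; shift
    for crt in "$@"; do
        if cert_signed_by "$ca" "$crt"; then
            echo "$crt: signed by $ca, fingerprint $(cert_fingerprint "$crt")"
        else
            echo "$crt: NOT signed by $ca" >&2
        fi
    done
    dups=$(duplicate_serials "$@")
    [ -z "$dups" ] || echo "serial numbers used more than once: $dups" >&2
fi
```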