#!/usr/bin/perl
use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;
my $config = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;
my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;
my @domains = ($domain, keys %domain_names);
open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";
unless ( -f "$domains[0].key" )
{
open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
unless (open(SSL,"-|"))
{
exec("/usr/bin/openssl",
qw(genrsa -rand),
join(':',
qw(
/proc/apm
/proc/cpuinfo
/proc/dma
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/bus/pci/devices
/proc/rtc
/proc/uptime
)),
'1024')
|| die "can't exec program: $!";
}
while (<SSL>)
{
print KEY $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(KEY) or die "Closing key file reported: $!";
}
open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
exec("/usr/bin/openssl",
qw(req -config), "$domains[0].config",
qw(-new -key), "$domains[0].key",
qw(-days 730 -set_serial), time())
|| die "can't exec program: $!";
}
while (<SSL>)
{
print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";
As root do the following:
# mkdir ~/cacert
# cd ~/cacert
** download the above code and store it in ~/cacert/cacert_csr_request
# chmod u+x cacert_csr_request
# ./cacert_csr_request
# cat {domain}.csr
** paste the output into the cacert.org website and get your certificate. Save this in ~/cacert/{domain}.crt
# cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
# cp {domain}.key /home/e-smith/ssl.key/{domain}.key
# config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
# config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
# signal-event console-save
You will need to replace {domain} above with your primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.