A large deployment of SSL certificates and private keys has to be managed, and doing so taxes an organization's time and resources. Managing multiple SSL certificates with differing expiration dates, issued at different times, requires timely administration.
The buildcert utility augments your certificate management by monitoring the SSL certificates deployed across your network and automating a number of key processes:
The ipset-ng solution centrally controls certificate provisioning and can be tailored to work with your organization's existing certificates.
# /usr/bin/buildcert.sh
# This is part of the ipset-ng access system.
# Generates SSL certificates and keys.
usage create: ./buildcert.sh [ --server-ng | --client-ng ] [ IP address ]
usage revoke: ./buildcert.sh [ --delete-ng | --undelete-ng ] [ serial num certificate ]
usage update: ./buildcert.sh [ --updatecrl-ng ]
usage list:   ./buildcert.sh [ --list-ng ]
Manually creating the root CA and server certificates. Normally these certificates and keys are generated automatically when the server part of ipset-ng is compiled.
If you want to regenerate the root and server certificates, you first need to remove the previous certificates and keys.
Run the following command:
rm -fr /etc/ipset-ng/ssl
Then run the script in server mode (see the usage above):
./buildcert.sh --server-ng
This command creates a new /etc/ipset-ng/ssl directory and generates the root CA certificate and key and the server certificate and key.
Server certificate location and name:
The first client certificate is created without being bound to an IP address, so it can be used on the same computer.
To create a client certificate bound to an IP address, run the following command:
./buildcert.sh --client-ng 126.96.36.199
This creates a client certificate bound to that IP address; the certificate and key are placed in
/etc/ipset-ng/ssl and are named:
The CA root certificate is named:
To delete a client certificate you must know its serial number. The serial numbers of the client certificates, together with the IP addresses they are bound to, can be listed with the following command:
./buildcert.sh --list-ng
Now that we know the serial number of the client certificate, suppose it is 02.
To delete (revoke) a client certificate, issue the following command:
./buildcert.sh --delete-ng 02
To recover a deleted (revoked) client certificate, issue the following command:
./buildcert.sh --undelete-ng 02
As with any OpenSSL-based CA, revoking or recovering a certificate changes the CA's own records; relying parties only see the change once the CRL has been regenerated, as described below.
The CRL (certificate revocation list) must be refreshed periodically.
The refresh interval is specified in the OpenSSL configuration file
/etc/ipset-ng/ssl/sslserver.config and is defined by the parameter
In the ipset-ng access control system this period is
7 days; you can change it at your own discretion.
Update the CRL file with the following command:
./buildcert.sh --updatecrl-ng
For automatic updates it is reasonable to install this command as a cron job:
crontab <ipset-ng-src-dir>/misc/startup/updatecrl.cron
The file updatecrl.cron contains the line:
59 23 * * 0 /usr/bin/buildcert.sh --updatecrl-ng
This runs the update every Sunday at 23:59. Note that a weekly run against a CRL that is valid for 7 days leaves no margin for a missed or late run: if the CRL is allowed to expire, relying parties that check it will reject every certificate until it is refreshed, so either run the job more often or lengthen the CRL validity.
To check that the job was installed in cron, type:
Alternatively, enable the automatic CRL update feature by setting the sslcrlauto directive in the configuration file to yes.
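The whole procedure above, condensed into one runnable shell script. This is an added example and is not part of ipset-ng or its buildcert.sh; it drives the openssl command line tool directly, the way such a wrapper does. Assumptions, all ours: a temporary directory stands in for /etc/ipset-ng/ssl, the CA configuration written inline stands in for sslserver.config (its default_crl_days = 7 is the OpenSSL parameter that sets the CRL lifetime), the file names are ours, --undelete-ng is emulated by editing the CA database record back from R to V (how buildcert.sh does it is not stated on the page), and the sslcrlauto feature is not emulated.

```shell
#!/bin/sh
# Added example, not ipset-ng's buildcert.sh: a minimal OpenSSL CA covering the
# same life cycle (root CA set-up, client certificates bound to an IP address,
# revocation by serial, undelete, CRL refresh). A temp directory stands in for
# /etc/ipset-ng/ssl, the inline config for sslserver.config; file names are ours.
set -e

SSLDIR="${SSLDIR:-$(mktemp -d)}"
CFG="$SSLDIR/ca.cnf"

ca_init() {                      # the root CA that "./buildcert.sh --server-ng" provides
    mkdir -p "$SSLDIR/newcerts"
    : > "$SSLDIR/index.txt"      # CA database, one record per issued certificate
    echo 01 > "$SSLDIR/serial"   # next serial, so the first client gets 01
    echo 01 > "$SSLDIR/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca       = ipset_ca
[ ipset_ca ]
database         = $SSLDIR/index.txt
new_certs_dir    = $SSLDIR/newcerts
serial           = $SSLDIR/serial
crlnumber        = $SSLDIR/crlnumber
certificate      = $SSLDIR/cacert.pem
private_key      = $SSLDIR/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 7
unique_subject   = no
policy           = policy_any
x509_extensions  = client_ext
copy_extensions  = copy
[ policy_any ]
commonName       = supplied
[ req ]
prompt           = no
distinguished_name = req_dn
[ req_dn ]
commonName       = ipset-ng
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$CFG" \
        -extensions v3_ca -subj "/CN=ipset-ng root CA" \
        -keyout "$SSLDIR/cakey.pem" -out "$SSLDIR/cacert.pem" 2>/dev/null
}

issue_client() {                 # "./buildcert.sh --client-ng [IP]"; prints the serial
    serial=$(cat "$SSLDIR/serial")           # the serial openssl ca assigns next
    san=""; [ -z "$1" ] || san="-addext subjectAltName=IP:$1"   # left unquoted below
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" $san \
        -subj "/CN=ipset-ng client${1:+ $1}" \
        -keyout "$SSLDIR/client-$serial.key" -out "$SSLDIR/client-$serial.csr" 2>/dev/null
    openssl ca -config "$CFG" -batch -notext \
        -in "$SSLDIR/client-$serial.csr" -out "$SSLDIR/client-$serial.pem" 2>/dev/null
    rm -f "$SSLDIR/client-$serial.csr"
    echo "$serial"
}

# "./buildcert.sh --delete-ng <serial>": openssl ca keeps its copy as newcerts/<serial>.pem
revoke_client() { openssl ca -config "$CFG" -revoke "$SSLDIR/newcerts/$1.pem" 2>/dev/null; }

undelete_client() {              # "./buildcert.sh --undelete-ng <serial>" (our emulation)
    # OpenSSL has no un-revoke; flip the database record from R back to V and
    # clear the revocation date, so the next CRL no longer lists the serial.
    awk -F'\t' -v OFS='\t' -v s="$1" '$1 == "R" && $4 == s { $1 = "V"; $3 = "" } { print }' \
        "$SSLDIR/index.txt" > "$SSLDIR/index.txt.new"
    mv "$SSLDIR/index.txt.new" "$SSLDIR/index.txt"
}

# "./buildcert.sh --updatecrl-ng": the new CRL is valid for default_crl_days (7)
update_crl() { openssl ca -config "$CFG" -gencrl -out "$SSLDIR/crl.pem" 2>/dev/null; }

# V (valid) or R (revoked) for a serial, read from the CA database
cert_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$SSLDIR/index.txt"; }
# "./buildcert.sh --list-ng": status, serial and subject (the subject carries the IP)
list_certs() { awk -F'\t' '{ print $1, $4, $6 }' "$SSLDIR/index.txt"; }

client_ip() {                    # the IP address a client certificate is bound to, if any
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *IP Address:\([0-9.]*\).*/\1/p'
}

verify_client() {                # what a relying party does: chain check plus CRL check
    openssl verify -CAfile "$SSLDIR/cacert.pem" -CRLfile "$SSLDIR/crl.pem" \
        -crl_check "$1" >/dev/null 2>&1
}

# The page's scenario: two clients, revoke serial 02, refresh the CRL.
ca_init
issue_client ""            >/dev/null    # serial 01, not bound to an address
issue_client 126.96.36.199 >/dev/null    # serial 02, bound to 126.96.36.199
revoke_client 02
update_crl
list_certs
openssl crl -in "$SSLDIR/crl.pem" -noout -nextupdate   # seven days from now
```

Running the script issues serial 01 (unbound) and serial 02 (bound to 126.96.36.199), revokes 02 and regenerates the CRL; verify_client then rejects client-02.pem until undelete_client 02 and update_crl are run. The same verify call also fails with "CRL has expired" once the CRL's nextUpdate has passed, which is the reason the weekly refresh above matters. Two further cautions: copy_extensions = copy is acceptable here only because the CA generates the CSRs itself (never enable it for CSRs you do not control), and the CA key is left unencrypted, as buildcert.sh's unattended use implies, so the directory's permissions are the only thing protecting it.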