Using SSL -Diff-


Wed Jan 28 16:38:49 EST 2009, glenda

Programs that use ssl (i was setting this up for tlssrv) need a certificate and a corresponding key to be able to encrypt their connections. The key is secret, and should only be stored in bootes' secstore, loaded at boot into his factotum.

1, FIRST, TO GENERATE AN SSL KEY, DO THESE STEPS AS BOOTES:

ramfs
cd /tmp
auth/rsagen -t 'service=tls role=client owner=*' > key
Then from this key, we generate a certificate, that's public:
auth/rsa2x509 'C=FR CN=*.fakedom.dom' key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert
Where FR is a two-digit country code, and fakedom.dom is your domain.
auth/secstore -g factotum
To get bootes' factotum file from the secstore
cat key >> factotum
To add the ssl key to the factotum, optionally, you can also add it to his running factotum:
cat key >> /mnt/factotum/ctl
Then store the modified factotum file in the secstore:
auth/secstore -p factotum

2, TO BE SURE THE KEY GETS LOADED AT BOOT TIME

you should be sure to start a factotum before the listen process is started in /rc/bin/cpurc ot termrc, and that the keys do get loaded from the secstore. If you are not sure, you can check by rebooting, then, as hostowner, from the phisical machine do:

cat /mnt/factotum/ctl
Should show a key with proto=rsa service=tls role=client.

3, TO LOAD THE KEY AT BOOT FROM BOOTES' SECSTORE

with the secstore key in the nvram, you can do this:

If you are not sure bootes' secstore key is in nvram, you can make sure by doing

auth/wrkey
This will prompt for authid (usually bootes), authdom, secstore key and bootes' password.

Then, to load the factotum file from secstore to the running factotum, add this to /rc/bin/cpurc or termrc:

auth/secstore -n -G factotum >> /mnt/factotum/ctl
Then, to check whether it's loaded retry step 2.