Ubuntu – ssl-cert package (self signed certificates) for rpm/fedora

debianfedoraredhatrpmUbuntu

In Debian/Ubuntu, my deb packages depend on the ssl-cert package, to provide some self-signed https certificates, if nothing else. From the Debian page:

This package enables unattended installs of packages that need to
create SSL certificates.

It is a simple wrapper for OpenSSL's certificate request utility that
feeds it with the correct user variables.

Is there a similar package for rpm / Fedora?

Best Answer

Turns out that installing the mod_ssl package will automatically create some self-signed certificates, with an out of the box configuration file

/etc/httpd/conf.d/ssl.conf

Works great, no need to manually create certificates. The config looks like this:

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Related Solutions

Redhat – Add RPM package to mrepo

I would consider not mucking with the official repositories and instead create your own. Any directory of RPMs can be turned into an RPM repository for Yum with the createrepo command. So, after you gather your RPM's in one place, run createrepo in the location:

createrepo -dp .

A ./repodata sub-directory will be created. Yum pulls the necessary metadata from this location to find the packages your client is looking for, so this entire directory will need to be exposed to the client in the same way your existing ISO based repositories are currently.

From the createrepo man page:

createrepo [options] <directory>  
-p --pretty  
    Output xml files in pretty format.  
-d --database  
    Generate sqlite databases for use with yum.

Note: I just like the "pretty" format option in case I have to get into those files and have an edit by hand.

Ubuntu SSL – Using a Self-Signed SSL Certificate for HTTPS-Based Internal APT Repository

Recently, I have encountered a similar problem. I solved it by adding SslForceVersion option.

My config is like:

Acquire::https::test.com {
    Verify-Peer "true";
    Verify-Host "true";

    CaInfo "/tmp/ca.crt";

    SslCert "/tmp/client.crt";
    SslKey  "/tmp/client.key";
    SslForceVersion "SSLv3";
};

Best Answer

Related Solutions

Redhat – Add RPM package to mrepo

Ubuntu SSL – Using a Self-Signed SSL Certificate for HTTPS-Based Internal APT Repository

Related Topic