Using SSL (Diff)

Wed Jan 28 22:38:49 CET 2009, glenda

Programs that use ssl (i was setting this up for tlssrv) need a certificate and a corresponding key to be able to encrypt their connections. The key is secret, and should only be stored in bootes' secstore, loaded at boot into his factotum.

1, FIRST, TO GENERATE AN SSL KEY, DO THESE STEPS AS BOOTES:

ramfs
cd /tmp
auth/rsagen -t 'service=tls role=client owner=*' > key

Then from this key, we generate a certificate, that's public:

auth/rsa2x509 'C=FR CN=*.fakedom.dom' key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert

Where FR is a two-digit country code, and fakedom.dom is your domain.

auth/secstore -g factotum

To get bootes' factotum file from the secstore

cat key >> factotum

To add the ssl key to the factotum, optionally, you can also add it to his running factotum:

cat key >> /mnt/factotum/ctl

Then store the modified factotum file in the secstore:

auth/secstore -p factotum

2, TO BE SURE THE KEY GETS LOADED AT BOOT TIME

you should be sure to start a factotum before the listen process is started in /rc/bin/cpurc ot termrc, and that the keys do get loaded from the secstore. If you are not sure, you can check by rebooting, then, as hostowner, from the phisical machine do:

cat /mnt/factotum/ctl

Should show a key with proto=rsa service=tls role=client.

3, TO LOAD THE KEY AT BOOT FROM BOOTES' SECSTORE

with the secstore key in the nvram, you can do this:

If you are not sure bootes' secstore key is in nvram, you can make sure by doing

auth/wrkey

This will prompt for authid (usually bootes), authdom, secstore key and bootes' password.

Then, to load the factotum file from secstore to the running factotum, add this to /rc/bin/cpurc or termrc:

auth/secstore -n -G factotum >> /mnt/factotum/ctl

Then, to check whether it's loaded retry step 2.

Using SSL -Diff-

1, FIRST, TO GENERATE AN SSL KEY, DO THESE STEPS AS BOOTES:

2, TO BE SURE THE KEY GETS LOADED AT BOOT TIME

3, TO LOAD THE KEY AT BOOT FROM BOOTES' SECSTORE