{host}/> openssl genrsa -out my-ftp.privatekey 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
.......................................................+++
e is 65537 (0x10001)
{host}/> file my-ftp.privatekey
my-ftp.privatekey: ascii text
{host}/> cat !$
cat my-ftp.privatekey
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArDW1k2O0OOZfrt0KHSof0Mk/qmwtl9BlbNwHGoPmugsIOSGo
... some lines ...
I1bk1L+oYzxU5QNO2jlOtcmG2eD9FQP8WNYHBUKDMK0Dc78Sc58p
-----END RSA PRIVATE KEY-----
{host}/> openssl req -new -key my-ftp.privatekey -out my-ftp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:MyCompanyHere
Organizational Unit Name (eg, section) []:UNIXTEAM
Common Name (eg, YOUR name) []:ftp.mycompanyhere.com    ========> must match the FQDN of the server!
Email Address []:xxx@mycompanyhere.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
{host}/> cat my-ftp.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwgasxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
... some lines ...
16cND6b9cKvNfc/BGYXCBoLbPAj+Rwv/23AGlTimXMf8/8Agjw==
-----END CERTIFICATE REQUEST-----
{host}/> openssl req -text -noout -verify -in my-ftp.csr
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, L=San Francisco, O=MyCompanyHere, OU=UNIXTEAM, CN=ftp.mycompanyhere.com/emailAddress=xxx@mycompanyhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ac:35:b5:93:63:b4:38:e6:5f:ae:dd:0a:1d:2a:
                    1f:d0:c9:3f:aa:6c:2d:97:d0:65:6c:dc:07:1a:83:
                    e6:ba:0b:08:39:21:a8:bd:c2:e6:b9:06:07:4c:53:
                    33:5c:bf:6a:7d:76:06:4a:2d:0f:ba:28:fe:28:c1:
                    25:77:79:5d:47:1b:bd:48:c9:d4:04:43:5c:d0:4a:
                    42:d4:74:e8:71:80:f3:73:7d:82:14:da:14:e1:1a:
                    ad:e3:fd:c5:c2:c0:e8:4b:0f:a1:5f:84:2f:28:43:
                    1c:f9:89:38:e6:20:b1:bb:c4:b9:4a:47:8a:c1:88:
                    43:41:12:a9:15:f7:70:6c:71:e7:d0:ec:d8:51:87:
                    20:b7:68:64:3a:70:b3:fb:9a:8d:89:66:0d:e3:a0:
                    39:5f:20:46:f1:58:7e:89:26:1f:b4:c0:45:69:0a:
                    67:63:e7:64:ff:c1:1c:f8:dc:46:b3:ad:60:1f:b5:
                    c5:c2:26:aa:5d:c9:cc:83:47:c6:1b:1a:ef:fb:d5:
                    a9:a6:24:ea:36:da:7e:1f:c1:30:c2:89:8b:fc:eb:
                    ae:91:cf:40:75:a9:c0:fa:90:ef:cd:e4:47:24:16:
                    3f:13:8c:f3:e6:25:09:28:02:86:3e:95:82:18:1c:
                    60:56:6b:22:22:10:f5:99:a5:17:1e:05:1f:00:03:
                    40:7f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        9d:7e:3a:19:a5:65:28:ab:eb:fa:80:19:73:d8:4e:af:67:79:
        26:7d:9b:44:4f:44:e3:5a:2b:a6:2b:92:69:24:39:a1:74:8e:
        64:c1:a6:26:82:e2:19:aa:d9:2f:c9:68:da:04:df:fe:88:5c:
        4e:2c:c6:f9:83:cc:56:cf:31:b1:78:79:b4:81:70:3f:08:71:
        ad:36:33:d2:d2:df:90:1e:cc:d3:5d:db:da:7d:7b:fb:de:a6:
        71:79:fc:c4:23:37:ab:fc:c6:65:99:3e:d2:ac:76:ea:be:5e:
        13:9e:3a:66:c8:31:58:f2:31:45:08:2a:34:a2:ab:dc:17:96:
        61:d3:90:ab:89:d0:7d:0c:f8:05:38:07:08:7e:9b:dc:9f:ce:
        9c:a2:0e:a3:69:31:f3:2f:9a:c9:bb:4e:4b:6b:04:e3:73:6f:
        40:87:e2:5f:58:1d:ed:1d:44:c4:b0:39:3c:2a:97:0f:4c:e0:
        a9:78:fe:5b:cd:7d:15:d2:cc:11:cd:b4:aa:a4:c1:5b:b4:51:
        f0:b7:19:67:1f:29:5d:e3:03:b7:d8:7a:53:91:36:3e:65:aa:
        cf:17:a0:d7:a7:0d:0f:a6:fd:70:ab:cd:7d:cf:c1:19:85:c2:
        06:82:db:3c:08:fe:47:0b:ff:db:70:06:95:38:a6:5c:c7:fc:
        ff:c0:20:8f
-----BEGIN CERTIFICATE-----
MIIGnzCCBYegAwIBAgIQdbAkt9gKbn49Ttt62rr/sjANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
... some lines ...
Z6JNJ2dEHahl3SEIlX94QprxefE76v442yyrS5jxZAPFQdtOY+NkOil3FL9VL/S/
HKvDIYqhYoP9xHM6jPcE5MhWPg==
-----END CERTIFICATE-----
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log

    # what protocol to support
    TLSProtocol SSLv23

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # server's certificate
    TLSRSACertificateFile /opt/csw/etc/my-ftp.crt
    TLSRSACertificateKeyFile /opt/csw/etc/my-ftp.privatekey

    # CA the server trusts
    # The TLSCertificateChainFile directive sets the optional all-in-one file
    # where you can assemble the certificates of CA which form the certificate chain
    # of the server certificate. This starts with the issuing CA certificate of
    # the server certificate and can range up to the root CA certificate
    TLSCertificateChainFile /opt/csw/etc/chain.crt

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations. Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
</IfModule>
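An added check, not code from the original page or from ProFTPD: a small Python linter that parses a mod_tls block like the one above and flags the two settings in it that keep SSLv2/SSLv3 negotiable and still accept plaintext logins, next to a hardened copy of the same block. Both config strings are constructed here, and the TLSv1.2/TLSv1.3 keywords in the hardened copy assume a ProFTPD release that accepts them.

```python
"""Lint a ProFTPD <IfModule mod_tls.c> block for settings that weaken FTPS.
Added example (not from the page or ProFTPD); config strings are constructed.
"""
import re

WEAK_CONF = """\
<IfModule mod_tls.c>
    TLSEngine on
    # what protocol to support
    TLSProtocol SSLv23
    TLSRequired off
    TLSRSACertificateFile /opt/csw/etc/my-ftp.crt
    TLSRSACertificateKeyFile /opt/csw/etc/my-ftp.privatekey
    TLSCertificateChainFile /opt/csw/etc/chain.crt
    TLSVerifyClient off
    TLSRenegotiate required off
</IfModule>
"""

# Same block with the two weak settings corrected (assumes a ProFTPD release
# whose TLSProtocol accepts the TLSv1.2 / TLSv1.3 keywords).
HARDENED_CONF = WEAK_CONF.replace("SSLv23", "TLSv1.2 TLSv1.3").replace(
    "TLSRequired off", "TLSRequired on")

def parse_tls_block(conf):
    """Return {directive_lowercase: [args]} for the <IfModule mod_tls.c> block."""
    m = re.search(r"<IfModule\s+mod_tls\.c>(.*?)</IfModule>", conf, re.S | re.I)
    directives = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            name, *args = line.split()            # e.g. "TLSRenegotiate required off"
            directives[name.lower()] = args       # ProFTPD directive names are case-insensitive
    return directives

def lint_tls(directives):
    """Return (directive, problem, suggested value) tuples; [] means no findings."""
    findings = []
    # SSLv23 is OpenSSL's "negotiate anything" setting, so SSLv2/SSLv3 stay enabled
    if any(p.upper().startswith("SSLV") for p in directives.get("tlsprotocol", [])):
        findings.append(("TLSProtocol", "SSLv2/SSLv3 negotiable", "TLSv1.2 TLSv1.3"))
    # TLSRequired defaults to off: clients may still log in over plaintext FTP
    if directives.get("tlsrequired", ["off"])[0].lower() == "off":
        findings.append(("TLSRequired", "plaintext logins accepted", "on"))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_tls(parse_tls_block(conf)) or "clean")
```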