More expansive description of how we create CA keys/certs and httpd-server
keys/cert-reqs/certs:
------------------------------------------------------------------------------

XXX Needs to be updated XXX

Create two files from the template below (rhn-ca-openssl.cnf and
rhn-server-openssl.cnf). We do this so that we can have differing
C/ST/L/O/OU/CN/emailAddress in the "[ req_distinguished_name ]" sections
and slightly different "[ usr_cert ]" sections:

"""
# rhn-*-openssl.cnf
#---------------------------------------------------------------------------
# RHN Management {Satellite,Proxy} autogenerated openSSL configuration file.
#---------------------------------------------------------------------------

[ ca ]
default_ca              = CA_default

[ CA_default ]
default_bits            = 2048
x509_extensions         = usr_cert
database                = index.txt
serial                  = serial

# how closely we follow policy
policy                  = policy_optional

# for the CA policy
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

[ policy_optional ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

#---------------------------------------------------------------------------

[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
prompt                  = no
x509_extensions         = usr_cert

[ req_distinguished_name ]
C                       = %s
ST                      = %s
L                       = %s
O                       = %s
OU                      = %s
CN                      = %s
emailAddress            = %s

[ usr_cert ]
basicConstraints = %s
keyUsage = digitalSignature, keyEncipherment, keyCertSign

extendedKeyUsage = serverAuth, clientAuth
#nsCertType = server

# PKIX recommendations harmless if included in all certificates.
nsComment               = "RHN SSL Tool Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer:always
#===========================================================================
"""

<config file string substitution notes>
NOTE on "[ req_distinguished_name ]" section (all except C are optional):
C  = country code
ST = province name (or state)
L  = locality (or city)
O  = org name
OU = org unit
CN = common name (hostname usually)
emailAddress = email address

NOTE on "[ usr_cert ]" section for rhn-ca-openssl.cnf:
basicConstraints = CA:true
keyUsage = digitalSignature, keyEncipherment, keyCertSign

NOTE on "[ usr_cert ]" section for rhn-server-openssl.cnf:
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
</config file string substitution notes>


Notes on key and cert names:
----------------------------
CA certificate = RHN-ORG-TRUSTED-SSL-CERT
CA private key = RHN-ORG-PRIVATE-SSL-KEY

httpd Server Key = server.key
httpd Server Cert Request = server.csr
httpd Server Cert = server.crt


Generate CA:
------------
openssl genrsa -passout pass:PASSWORD -des3 -out RHN-ORG-PRIVATE-SSL-KEY 2048

Generate Public CA Certificate (a self-signed CA certificate):
---------------------------------------------------------------
DAYS = 3650 (10 years)
openssl req -passin pass:<PASSWORD> -text -config rhn-ca-openssl.cnf -new \
            -x509 -days <DAYS> -sha1 -key RHN-ORG-PRIVATE-SSL-KEY \
            -out RHN-ORG-TRUSTED-SSL-CERT

Generate Server Key:
--------------------
openssl genrsa -out server.key 2048

Generate Server Certificate Request:
------------------------------------
openssl req -sha1 -text -config rhn-server-openssl.cnf -new -key server.key \
            -out server.csr

Generate the Server Certificate (signed by CA):
-----------------------------------------------
if serial file does not exist:
    echo "01" > serial
NOTE: the CA cert and server.crt must not share the same serial number and
      signature combination (the tool makes every attempt to ensure this).

We are not so concerned with serial number/signature matches for multiple
server certs (managed by the index.txt file):
echo -n > index.txt

STARTDATE = 1 week ago  (format: YYMMDDHHMMSSZ)
DAYS = 365 (1 year)
openssl ca -config rhn-ca-openssl.cnf -in server.csr -out server.crt \
           -outdir ./ -batch -cert RHN-ORG-TRUSTED-SSL-CERT \
           -keyfile RHN-ORG-PRIVATE-SSL-KEY -startdate <STARTDATE> \
           -days <DAYS> -md sha1 -policy policy_optional -passin pass:PASSWORD

Build the RPMs:
---------------
This one is installed on the RHN server (satellite/proxy):
rhn-org-httpd-ssl-key-pair<-MACHINENAME>-VERSION-RELEASE:
  /etc/apache2/ssl.crt/spacewalk.crt
  /etc/apache2/ssl.key/spacewalk.key

This one is used by XMLRPC clients to talk to RHN servers (satellite/proxy):
rhn-org-trusted-ssl-cert-VERSION-RELEASE:
  /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT


How to test an SSL connection with a CA cert:
---------------------------------------------
For AS 2.1 (or stunnel <v4.0):
/usr/sbin/stunnel -r SERVER_HOSTNAME:443 -cf -v 2 -A THE_CA_CERTIFICATE

For RHEL 3 (or stunnel >=v4.0):
(1) create rhn-stunnel.cfg:
CAfile = CA_CERTIFICATE
client = yes
connect = SERVER_HOSTNAME:443
foreground = yes
verify = 2
(2) use stunnel using configuration file:
/usr/sbin/stunnel rhn-stunnel.cfg

OpenSSL test client (though its output is hard to decipher):
openssl s_client -connect SERVER_HOSTNAME:443 -CAfile THE_CA_CERTIFICATE

And to see the remote server's validity window:
openssl s_client -connect SERVER_HOSTNAME:443 -showcerts | openssl x509 \
  -dates -noout


Alternative Server key and cert generation (with a password):
-------------------------------------------------------------
(Don't actually do this. This is for reference only)
Key: openssl genrsa -passout pass:PASSWORD -des3 -out server.key 2048
Cert req: openssl req -sha1 -passin pass:PASSWORD \
                      -config rhn-server-openssl.cnf \
                      -new -key server.key -out server.csr


