linux Tag: linux

Before you can install a Secure Socket Layer (SSL) certificate, you must first generate a certificate signing request (CSR).

OpenSSL

The following sections describe how to use OpenSSL to generate a CSR for a single host name.

Install OpenSSL

Check whether OpenSSL is installed by using the following command:

CentOS® and Red Hat® Enterprise Linux®

rpm -qa | grep -i openssl

The following output provides an example of what the command returns:

openssl-1.0.1e-48.el6_8.1.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686

Debian® and Ubuntu®

dpkg -l | grep openssl

The following output provides an example of what the command returns:

ii  libgnutls-openssl27:amd64           2.12.23-12ubuntu2.4              amd64        GNU TLS library - OpenSSL wrapper

ii  openssl                             1.0.1f-1ubuntu2.16               amd64        Secure Sockets Layer toolkit - cryptographic utility

If the preceding packages are not returned, install OpenSSL by running the following command:

CentOS and Red Hat

yum install openssl openssl-devel

Debian and Ubuntu

apt-get install openssl

Generate the RSA key

Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:

mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/

Run the following command to generate a private key:

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

Create a CSR

Run the following command to create a CSR with the RSA private key (output is in Privacy-Enhanced Mail (PEM) format):

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.

Field	Meaning	Example
/C=	Country	NL
/ST=	State	Noord-Holland
/L=	Location	Amstelveen
/O=	Organization	Swatantra Inc.
/OU=	Organizational Unit	Swatantra Solutions
/CN=	Common Name	example.domain.com

Verify your CSR

Run the following command to verify your CSR:

openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr

After you have verified your CSR, you can submit it to a CA to purchase an SSL certificate.

'Coz sharing is caring

In Hyper-V virtualization, a guest virtual machine has something called “Integration Services.” By default, all of these services are pretty much enabled, including time synchronization. However, this can cause big issues if you have virtual Domain Controllers, and your physical host servers are not getting their time from a common, reliable source, such as an external NTP server like 0.us.pool.ntp.org, 1.nl.pool.ntp.org, etc.

In particular, if a virtual host is running a guest Domain Controller (DC), then the DC will be getting its time from the clock of the physical Hyper-V server at start-up.

Keep only one time authority

There should be only one time authority on the network, which in turn should be synchronized with a reliable NTP server. Hencem, we up our virtual Domain Controller (DC01) to sync with an outside NTP server, and then set other DC02 to refer to the primary DC only.

To see what our server (DC01/DC02) is using as it’s time authority use:

C:\>w32tm /query /source

Disable time synchronization for both Domain Controller VM’s

Hyper-V Manager > Virtual Machine > Settings > Integration Services:

Set time sync for your Domain Controllers

Next, on your DC01, reset the time authority. Microsoft offers a fix that helps you set an external time source such as “0.us.pool.ntp.org” .

C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org 1.nl.pool.ntp.org" /reliable:yes /update

C:\>Net stop w32time

C:\>Net start w32time

C:\>w32tm /resync /force

Set Hyper-V physical servers to sync time to domain controllers (DC01/DC02)

Take Remote desktop connection to Hyper-V serves (HV01/HV02)

C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"DC01.swatantra.info DC02.swatantra.info" /reliable:yes /update
The command completed successfully.

C:\>Net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\>Net start w32time
The Windows Time service is starting.The Windows Time service was started successfully.

C:\>w32tm /resync /force
Sending resync command to local computerThe command completed successfully.