# Server (make-ssl)
This directory contains a Makefile and an ssl.conf file to help you
create private keys and certificate requests for server keys. Although
this has been created to complement the MAKE-SSL/server-ca package, it
can be used independently.
### Configuring.
The configuration is done by editing the files Makefile.configure and
ssl.conf. What each variable does and its possible settings are described
in the comments of the files themselves. Here is what you will find in
each of these files.
1. Makefile.configure: The main things that you configure here are the
commands to restart the server and any pre key generation step. You
can also configure various parameters of the key, like the number of
bits, key type, etc., but the default parameters should be good
enough. See the file itself for more details.
2. ssl.conf: Primarily the subject name and hostnames.
### Creating keys and request.
1. Create the private key and certificate request using the command

        $ make key

2. Get the request.pem certified.
3. Configure the server to use the private key and certificates.
### Standard targets

    $ make key                    # to generate key and request
    $ make expire                 # to expire old keys
    $ make obliterate             # Cleans up stuff (used only while testing).
    $ make help                   # short help on help
    $ make help target=TARGET     # A small help on the target TARGET
    $ make show info=request      # Shows the details of the request
    $ make show info=certificate  # Shows the details of the certificate
    $ make show info=fingerprint  # Shows the fingerprint of the certificates

The above steps will usually suffice; however, if you want to do
something fancier, read on.

---------------------------------------------------------------------
### A brief description of the generated files
* private.pem : The private key.
* request.pem : The certificate request for the key in private.key.
* dsa.param : The DSA parameters for the key in private.key (generated only
  for DSA keys).
* dh.param : DH-parameter file for forward security in servers.
### Keys for multiple hostnames.
Sometimes a single key is used for many servers; for example, smtp and
smtprelay might be the same server. In this case the key needs to
have multiple hostnames. Edit the `[ host_names ]` section of the file
ssl.conf (relevant documentation is available there).
### Generating keys with passphrase
Typically server keys are not encrypted. This is not such a bad idea
provided the server private keys are unreadable to normal users. If
you are paranoid, which you should be, it is good to keep the server
keys encrypted. However, this means that whenever the server has to be
restarted the passphrase has to be provided. Set the variable
KEY_ENCRYPT to an appropriate value in Makefile.configure
for this (see also the section on configuring).
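
A check for the condition stated above (an unencrypted key is acceptable only if other users cannot read it), as an added example that is not part of make-ssl. The function names are hypothetical, the encryption test relies only on the standard PEM markers OpenSSL writes, and the sample files are constructed and contain no key material.

```shell
#!/bin/sh
# Added example (not part of make-ssl): audit a PEM private key file.
# Verdict on stdout: encrypted-restricted | encrypted-exposed |
#                    plain-restricted | plain-exposed | not-a-key

# Succeeds if the PEM markers show the key is passphrase-protected.
key_is_encrypted() {
    # PKCS#8 uses its own BEGIN line; the traditional OpenSSL format keeps
    # "BEGIN RSA/DSA/EC PRIVATE KEY" and adds a Proc-Type header instead.
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if group and others have no permission bits on the file.
key_mode_is_restricted() {
    # ls prints the mode as e.g. "-rw-------"; characters 5-10 are group+other.
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Exit status: 0 acceptable, 1 plaintext key readable by others, 2 not a key.
audit_key() {
    if ! grep -Eq '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo "not-a-key"; return 2
    fi
    if key_is_encrypted "$1"; then state=encrypted; else state=plain; fi
    if key_mode_is_restricted "$1"; then mode=restricted; else mode=exposed; fi
    echo "$state-$mode"
    [ "$state-$mode" != "plain-exposed" ]
}

# Constructed samples: PEM markers only, no real key material.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$dir/plain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/legacy-enc.pem"
    chmod 644 "$dir/plain.pem" "$dir/legacy-enc.pem"
    for f in "$dir"/*.pem; do
        printf '%s: %s\n' "${f##*/}" "$(audit_key "$f" || :)"
    done
    rm -rf "$dir"
}

demo
```

Running `audit_key private.pem` after `make key` gives a non-zero exit status when the key is both unencrypted and readable by group or others, which makes it usable as a gate in a deployment script.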
### Cleanup (Warning: use only while testing)

    $ make obliterate

This gets rid of all keys, certificate requests and self-signed
certificates. If you obliterate your already certified key you will
have to generate a new key and get it certified.