Sunday, July 4, 2010

Self-Signed SSL Certificates

So you'd think there are enough blog posts about this already. Well, think again, since this particular summary is what actually ended up working for me. Obviously your mileage may vary.

  1. openssl genrsa 1024 > host.key
  2. openssl req -new -key host.key -out host.csr
  3. openssl x509 -req -days 730 -in host.csr -signkey host.key -out host.crt

Of course that's what everybody has, so why write about this? Three reasons:

  • Make sure you chmod 400 host.key since you don't want anybody to see that.
  • Using lighttpd? Do a cat host.key host.crt > host.pem and chmod 400 that as well.
  • The "Common Name" you have to enter in step 2: if you have various subdomains like www.example.com and mail.example.com and so on, you don't want to enter "example.com" here. Instead you'd enter something globtastic like "*.example.com". But wait, that doesn't match just plain example.com anymore! Better use "*example.com" and wow, that actually works.
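
The following script is an added example and not part of the original post or its three commands. It covers the same ground (key, self-signed certificate valid for 730 days, chmod 400, the lighttpd host.pem) but handles the Common Name problem differently: the certificate lists both example.com and *.example.com in a subjectAltName extension, because clients that follow RFC 6125 match the host name against the SAN entries rather than the CN and treat a wildcard as covering exactly one label, so "*.example.com" alone never matches plain example.com. The function names, the 2048-bit key size and the temporary working directory are my choices; check_host uses openssl's own verifier to show which names the certificate is accepted for.

```shell
#!/bin/sh
# Added example (not the original post's commands): self-signed certificate
# whose subjectAltName covers both the bare domain and one level of subdomains.
set -eu

# make_cert <dir> <domain>: creates host.key, host.crt and host.pem in <dir>.
make_cert() {
  dir=$1
  domain=$2
  # Minimal openssl config: no prompts, CN set to the bare domain, and a SAN
  # listing the bare domain plus a single-label wildcard (assumed layout).
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain,DNS:*.$domain
EOF
  # 2048-bit key (the post used 1024); only the owner may read it.
  openssl genrsa -out "$dir/host.key" 2048 2>/dev/null
  chmod 400 "$dir/host.key"
  # Self-signed certificate, 730 days as in the post, with the SAN above.
  openssl req -new -x509 -days 730 -key "$dir/host.key" \
    -out "$dir/host.crt" -config "$dir/san.cnf"
  # lighttpd wants key and certificate in one file; protect it the same way.
  cat "$dir/host.key" "$dir/host.crt" > "$dir/host.pem"
  chmod 400 "$dir/host.pem"
}

# check_host <dir> <hostname>: prints OK if the certificate in <dir> is
# accepted for <hostname>, FAIL otherwise. The self-signed certificate is
# passed as its own trust anchor so only the name matching is under test.
check_host() {
  if openssl verify -CAfile "$1/host.crt" -verify_hostname "$2" \
       "$1/host.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Stand-alone demo: which names does the certificate cover?
demo() {
  d=$(mktemp -d)
  make_cert "$d" example.com
  for h in example.com www.example.com mail.example.com a.b.example.com example.org; do
    printf '%-20s %s\n' "$h" "$(check_host "$d" "$h")"
  done
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Run it as-is to see that example.com, www.example.com and mail.example.com pass while a.b.example.com (two labels under the wildcard) and example.org are rejected. For a real host, replace example.com with your domain and copy host.key/host.crt (or host.pem for lighttpd) into place.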

An Internet. Wow! It's so pretty... Who would've thunk? :-D

Program like it's 1975?

Looking through various proxies and caches (don't ask why), I ran across Varnish and was struck by a short piece one of their developers wrote in 2006. Let me quote a line or two (emphasis mine):

Take Squid for instance, a 1975 program if I ever saw one: You tell it how much RAM it can use and how much disk it can use. It will then spend inordinate amounts of time keeping track of what HTTP objects are in RAM and which are on disk and it will move them forth and back depending on traffic patterns. Well, today computers really only have one kind of storage, and it is usually some sort of disk; the operating system and the virtual memory management hardware have converted the RAM to a cache for the disk storage.

You should read the whole thing; it's a nice summary of technological changes that still haven't made it into everyone's head. I feel guilty myself: I recently taught our OS course, but I don't think I ever made this sufficiently clear when we talked about virtual memory. I'll try to add a relevant assignment to the Unix course next semester... :-D