TCS ServerCert

Usage
With this script, you can generate a certificate request that you can submit manually to the Terena TCS service. For Hungary, you should be able to use the following URL: http://www.ca.niif.hu/hu/ca_request, but at the time of writing it does not let the subjectAltNames through. Instead, use the institution-specific request forms:
 * NIIF
 * BME

It's possible to use multiple SubjectAltNames in the request, such as for  and.

This script creates the following files in your current working directory:
 * (private key)
 * (certificate request)

Program code
You may need to adjust the OpenSSL template starting around line 44. You almost certainly want to change the DN parameters starting around line 54.


 * The program code may need serious cleanup, sorry, I had no time for this. It's a quick & dirty solution, provided simply for your convenience. It also does not check the user input.
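As an added example (shell, not the page's Perl script), this builds the kind of OpenSSL request template the script wraps: a fixed DN section plus a subjectAltName list, then a key and CSR generated from it. The DN values (C=HU, O=NIIF, OU=AAI) match the subject used elsewhere on this page; the hostnames are whatever you pass in.

```shell
# make_req_config <cn> [extra SAN hostnames...]
# Prints an OpenSSL "req" configuration whose DN matches the subject used
# elsewhere on this page (C=HU, O=NIIF, OU=AAI) and whose request extensions
# carry every hostname as a DNS subjectAltName. The CN is repeated as DNS.1,
# because clients ignore the CN once any SAN is present.
make_req_config() {
    cn="$1"
    shift
    cat <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
C  = HU
O  = NIIF
OU = AAI
CN = $cn

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
    i=1
    for san in "$@"; do
        i=$((i + 1))
        echo "DNS.$i = $san"
    done
}

# make_csr <cn> [extra SAN hostnames...]
# Writes <cn>.cnf, <cn>.key and <cn>.csr into the current directory and prints
# the SAN line read back from the CSR, so you can confirm the names are really
# in the request before submitting it. Requires the openssl binary.
make_csr() {
    cn="$1"
    make_req_config "$@" > "$cn.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$cn.cnf" \
        -keyout "$cn.key" -out "$cn.csr" >/dev/null 2>&1 || return 1
    openssl req -in "$cn.csr" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Run it as `make_csr host.example.org www.example.org` (placeholder names) and check that every hostname appears in the printed SAN line before you paste the CSR into the request form.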

Retrieve issued certificate (and chain)
Save the following code as  in the same directory where you saved the Perl code. This script saves the issued certificate and the certificate chain as
 * (certificate)
 * (certificate chain)

You need to copy the URL that's sent to you by Comodo in the 'certificate issued' mail.

Apache config
This is how you can instruct Apache to use the new cert:

    SSLCertificateFile      /path/to/your/pki/hostname.you.provided.first.crt
    SSLCertificateKeyFile   /path/to/your/pki/hostname.you.provided.first.key
    SSLCertificateChainFile /path/to/your/pki/hostname.you.provided.first-chain.crt

Self-signed
It's not recommended to use CA-signed certificates with your IdPs or SPs. It has no benefits and has some drawbacks (e.g. some older versions of mod_ssl refuse to work with expired SP certs).

Instead, you should generate a self-signed certificate with the following command (please adjust the subject):

    export host=your.host.name
    openssl req -new -newkey rsa:2048 -x509 -subj "/C=HU/O=NIIF/OU=AAI/CN=$host" -days 10000 -nodes \
        -keyout $host-shib.key -out $host-shib.cert