also, I get <20MB a month in hits, and yet still get spam comments. really, you guys should have more constructive things to do.

For this, I mostly used the instructions from G-Loaded verbatim - I changed some paths to work with my environment. The scripts below are new, though.

(This is a pretty long post.)

Preparing

The CA is simply a machine with OpenSSL on it. This can be anything that OpenSSL will compile and run on. How secure you make it depends on what you’re using the CA for. You might not spend as much time setting file system permissions for one for just you or just a handful of people or one-off dev sites.

The CA exists only really to apply special bits to certificate requests, and so doesn’t really need a server, or any sort of server software on it. You might find it handy to have a web presence somewhere to distribute the CA’s root certificate if you’re handing it out a lot, though. Your CA can exist on a real server or on a workstation, depending on your needs. Most Unixy OSes nowadays come with OpenSSL of some sort included; Windows does not, but there are ways to get it. (Windows Server users also have the option of adding the Certificate Authority role to the server, which won’t be covered here.)

(The scripts below assume a Unix machine with bash installed.)

Organization

If you’re not a fan of organization, you can skip this step. Creating and signing certificates creates a lot of text files, though - you have 3 at least for each certificate (the request, the key, and the certificate itself), and there are some databases and the CA certs and keys as well. I set mine up this way:

private/
certs/
newcerts/
reqs/
crl/

private is where keys are stored. certs is where signed certificates are stored. newcerts does the same thing as certs, but OpenSSL, when signing, will also write a copy of the cert with its serial number to this folder. reqs is where certificate requests end up. crl is where your certification revocation list is (which I’m not going to get into here).

Of these folders, it’s very important to have strict permissions set up on the folder where you actually keep the keys. The server keys that’ll be created if you follow these instructions will have no passphrase - good for unattended server startup, but bad for security, as anyone can create a req with your key if they get a hold of it. The other folders aren’t as important; they just need permissions appropriate for your environment. (Mine are group read/write and others read-only; I only want certain people to be able to sign certificates.)

You can also create another folder for OpenSSL support stuff, as you’ll have a couple database files and the configuration file for OpenSSL (separate from the system one). The folder names themselves are arbitrary; if you want to change them, feel free to. You’ll have to remember what you did when you work in the configuration file and the scripts, though.

Setting up the CA

The first thing to do is to set up the folders for the CA. Move to the folder that you want to store the CA’s files and make folders based on how you want to organize everything. If you’re using my example above, the command (on a Unix machine) is:
mkdir -m 0755 private/ certs/ newcerts/ reqs/ crl/

(You’ll want to specify a decent set of permissions on the folders; 0755 will give you read/write/execute access and everyone else read/execute. In my case, I actually did 0775 and chgrp‘ed the folders to the group that can manage certificates.)

Once you’ve got the folders set up, you’ll need to create a CA-specific OpenSSL configuration file. Usually, this means just copying the system one and modifying it. On Mac OS X, this is in /System/Library/OpenSSL, but for most other systems, it’ll be in your /etc somewhere. If you’ve installed any third-party distribution of OpenSSL, or compiled your own, use the conf file from there. The file itself is called openssl.cnf.

Your config file should just be readable by people who can manage certificates, so set this either 0600 or 0660. You can name it anything you want; I left mine as openssl.cnf. You’ll either specify the exact name of the CA-specific config file or use scripts that have it built in.

You also need to make two files: one holds a database of certificates and one contains the serial number of the next certificate.
touch index.txt ; echo '01' > serial
will get these two done. (Make sure you change the paths if you’re storing the database/housekeeping stuff in its own folder.)

The next thing you need to do is create a key and a self-signed certificate for the CA itself. From within the CA’s folder:
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/certauth.key -out certs/certauth.crt -days 1825

Change the -config option to whatever your CA-specific config file is. You can also change the -keyout and -out options as well if you’re putting things into different folders. The -days parameter is set to 5 years; you can adjust this as you see fit.

You’ll be prompted for a password when you do this; make sure you choose a good password for this. The information that OpenSSL will ask you for can be anything, but you should make it as descriptive as possible. (Specifically, the Common Name can be anything - this is just for the certificate authority, so it doesn’t have to correspond to a specific server hostname.)

When it’s done, make sure you remove all permission but read from the key - in the example above, private/certauth.key. If people get the key and your password, they can act as you, so it’s important to keep these files safe. Keys never expire, so you shouldn’t have to replace it unless you forget the password. The certificate file - private/certauth.crt - can be distributed as you see fit.

The final step is getting people to trust your certificate authority. This is probably the easiest step - you just need to take that certificate you just created and install it on client machines, or make it available for people to install on their own. For the most part, on Windows and Mac OS X, you can just copy the certificate to the computer and double-click on it to install. This is pretty much a follow-the-prompts kind of thing.

One thing to keep in mind is that alternative browsers may or may not use the system-provided certificate store - Firefox, notably, does not. If you’ll be using the CA to sign certificates for Web servers, you’ll want to make sure you install the certificate into any third-party browser you might use as well as into the system itself.

If you made it this far, you now have a properly functioning certificate authority. Yay!

Check back tomorrow for how to actually use your new certificate authority.

The VT320 is actually put together in a somewhat interesting fashion, given that this is expensive electronics from about 21 years ago. Most everything snaps into place. There’s really only about six screws in the thing total that matter - two remove the case and four more hold the CRT in place. I managed to find the service guide for the unit, and set off taking the PSU out. I removed the CRT and the main logic board as one piece. The case itself is three parts - the front bezel, the bottom tray and the back, and the bottom tray is held to the bezel by snaps (the back comes off), so I could just unsnap the bottom tray for leverage and undo the few snaps that attached the logic board to the tray. Then, four screws and some careful lifting and I had the thing in pieces.

Next, I went ahead and roughed-in the screen. I ran into two problems here - the bottom of the case has a nice foot that allows you to adjust the tilt of the screen. It’s got a pretty powerful spring in it to accomplish this, and, needless to say, iBook innards are much lighter than a full-out CRT and all the associated circuitry that comes with. I’m going to have to figure out a way to get the unit weighted down in the back.

The other problem I had was with the screen. While the LCD itself fit pretty well in there, the CRT screw mounts got in the way, so I ended up totally disassembling the screen. I got it down to pretty much just the panel, and took off the frame that includes the AirPort antennas, a reed switch (so it knows when you close the lid), the inverter and the microphone. With all of that stuff removed, the screen fit in fine. It’s in right now with packing tape.

So, once I got the screen in, I started working on the logic board. For now, I pretty much just dropped it in the bottom of the case. I ran the power switch out the side and taped the speakers down to the grilles in the bottom of the case. I ran a spare iMate into the old contrast wheely thing and into a USB port - with it all assembled, I really don’t have much room for USB devices and whatnot in there.

With all that done, I went ahead and hooked it into power and hit the switch for the first time. Lo and behold, nothing happened. Such a pain in the ass. I tore into it a bit and realized I had loosened one of the cables on the inverter board; a reseat and it was on its way.

So, now I’ve got this thing mostly mounted. I put the back of the case back on, and, apart from the fact that you really can’t see inside to see otherwise, it’s pretty much done. There’s still some to do - I’m waiting on the new battery for the system, I still need to get the new HDD and RAM, the combo drive needs to go back in, and I’d like to mount things a bit more nicely - but it works, and I’m actually using it to type this entry up.

Speaking of remounting things, right now I have the motherboard installed without the magnesium frame it sits in. This is kinda problematic for some things - the hard drive isn’t latched down (ah, the magic of tape!) and the CPU heatsink isn’t really attached to anything. I think I might experiment with the Dremel to see if I can make the frame work and have the board mounted back to the back of the screen. I can use the rest of the case for weights, and maybe a power strip and a couple of nice hubs. It’d also be nice if I could get some of the ports worked out differently, so that they sit more-or-less where the former serial ports and whatnot sit. And, a real power switch. It’s absurdly hard to find a beige or grey momentary on/off switch - I’m going to end up building a circuit to deal with that.

All in all, I think I’m at about 50%. A little hot glue and it’ll be done!

I managed to get ahold of an old Digital VT320 terminal. They’re pretty neat gadgets but not horribly useful nowadays - they have a screen resolution of 80×25 or 132×25 (it’s software switchable) and connect via serial to the host using three-pair cable terminated in DEC MMJ plugs. Originally, I was just going to hook it into a normal computer and use it as a separate screen for the novelty of it, but it turns out it’s very hard to find MMJ plugs nowadays.

So, a plan B was hatched. The screen on the VT320 is 12″ diagonal, which was a pretty popular size for small laptops before the whole widescreen fetish began. I figured it wouldn’t be too hard to grab a machine about that size and mount it into the terminal, making a sort-of miniature iMac sort of machine. And, since I evidently have nothing better to do with my time ever, I went ahead and sourced a 12″ iBook G4 to use.

The iBook G4 I have is a 12″ model running at 1.07GHz. It’s got a 30GB disk, combo drive, 512MB RAM and an AirPort Extreme card in it. I set off tonight getting the machine taken apart and kinda roughly reassembling it in a way that would make it into a desktop machine. I pretty much have an iBook G4 tablet now - for the first stab at it, I pretty much just took the machine and flipped the screen around backwards. I think this is essentially how I’m going to have it though I might ditch the frame around the motherboard and rearrange some of the cards instead - certain things like the USB/etc. ports and the DC-In board are situated so things tend to stick out of the sides too much. I also need to find a cheap USB hub to mount inside the enclosure as well, so I can have built-in BlueTooth and whatnot. I’m also thinking about mounting my spare iMate ADB-to-USB adapter in the finished product, just to keep the retro going.

I was actually considering mounting a standard 3.5″ hard drive connected to a FireWire bridge board inside the case. I’m kinda rethinking this plan now, though - it turns out the battery that came with the iBook was one of the recall ones, so I could mount the battery inside the machine somehow and end up with a battery-powered desktop. I definitely want to get a bigger hard drive for it, though, and upgrade the RAM to 1GB. I was also thinking about mounting a webcam in the system, but that’ll depend on how much clearance I end up having in there.

Tuesday marks the end of my employment at Apple, Inc. I’m leaving ostensibly to do some more contract work - I can make a lot more money developing web applications for people sitting on my couch than I can selling iMacs to people so they can manage pictures of their cat. It’s kinda sad to leave. In the time I’ve spent there, I’ve gone through a processor changeover, the introduction of two new versions of Mac OS X (I started when Tiger was released), two iPhones, the MobileMe transition, the iPod nano, and probably a whole host of things I can’t remember now. I’ve made a lot of friends there, and have actually watched a lot of them leave as well. (I maintain that Apple Retail is probably among the best to work in if you’re wanting a retail job. But, it’s still retail, and retail sucks.)

So, I’m leaving it to do something fresh and new and more challenging and more sitting-on-my-couch. I’m highly looking forward to having weekends. I may even update this damned thing more than once every 6 months. Maybe - and I’m trying not to get crazy here - I’ll even set up the web presences for the other domains I’ve got. First and foremost, I’m gonna try to deal with the scariness of not having a steady second paycheck for the first time in over 3 years.

So in the past month or so I’ve been sick, got mostly better, started doing more interesting stuff at job #2, and caused a whole buncha damage to my car (well, more than I was expecting) by hitting a curb. I can now put Web 2.0 experience on my résumé officially, as I’ve developed something that actually uses Ajax and all that handy spiffness in a pretty horrid way. ‘Course, now that I know how to do it, I can come up with a nice way to do it. The Ajax thing really wasn’t that hard (especially not with prototype) so, other than going back to the good ol’ days of beating my head against the wall because nothing ever renders the same way in more than one browser, it was pretty nice.

I’m really looking forward to getting the 7 back in the next month or so - I had the shop compile a laundry list of things to remedy when I had the 5 in for the damage I did, and there were some things on there that I need but probably can’t do myself, so it’ll be nice to have a car to drive in the meantime. Of course, I’m also tired of having it in someone else’s back yard.

I think I might gather up a whole buncha crap out of my room and have a firesale soon.. I can look around from my desk and see roughly 8 computers that I don’t need, and I’m sure there’s a whole bunch more crap in boxes I can get rid of too. One of these days I’ll take the minimization thing to heart and actually start doing it.

I actually manage to get on that there web 2.-oh bandwagon lately.. finally broke down and figured out how to work AJAX with prototype and PHP. I’m probably doing everything wrong, but it’s been an interesting learning experience. I’ve actually been thinking about getting Coda and using that - it’s got built-in JS desk references and all that stuff, and I really don’t have anything good for that right now.