Kövesdán Gábor wrote:

Charles Swiger wrote:

On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:

I've upgraded today, but SSL doesn't work with the old settings. I suspect something's wrong with my self-signed certificates. If I set SSLEngine On globally, I get this:

[Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA certificate (BasicConstraints: CA == TRUE !?)

Yeah, the RSA cert you use for your CA to sign other certs should not be used as a host cert for SSL. Generate a new RSA cert, generate a CSR, and use the CA cert to sign your new RSA cert for the webserver:

openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
# (newcert.pem contains signed certificate, newreq.pem still contains
#  unsigned certificate and private key)

Thanks, I see the point, but I'm not really experienced in generating certs. The lines you wrote led me to the following:

[EMAIL PROTECTED] openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
Generating a 1024 bit RSA private key
writing new private key to 'newreq.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T-Hosting.Hu
Organizational Unit Name (eg, section) []:HTTP Server
Common Name (eg, YOUR name) []:server.t-hosting.hu
Email Address []:[EMAIL PROTECTED]
[EMAIL PROTECTED] openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
[EMAIL PROTECTED] openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
46641:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
46641:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:276:fopen('./demoCA/private/cakey.pem','r')
46641:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key
Segmentation fault (core dumped)

Could you tell me what's wrong?


Gabor Kovesdan

Hi again,

since then I've found a howto about certs: http://www.debian-administration.org/articles/284
I followed the steps, and now I have three separate files:
1. the CA cert, called cacert.pem
2. the signed cert, called cert.pem
3. the private key, called key.pem

My httpd.conf contains this about SSL configuration:

<IfModule mod_ssl.c>

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLCertificateFile /usr/local/etc/apache22/cert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/key.pem
SSLCACertificateFile /usr/local/etc/apache22/cacert.pem

SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:/var/run/ssl_mutex

SSLEngine       Off


Now, if I globally set SSLEngine On, Apache doesn't start and writes nothing to the error log. If I only set SSLEngine On in a VirtualHost section, I get the same "Invalid method in request" message.

Does somebody have any idea?


Gabor Kovesdan
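To show the sequence Charles describes (a CA certificate signing a separate server certificate) without the demoCA/ layout that `openssl ca` could not find in the run above, together with the check mod_ssl applies to SSLCertificateFile, here is an added shell example that is not code from this thread. It assumes openssl 1.1.1 or later on PATH; every file name, the CA name and the host server.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl 1.1.1+ on PATH; every
# file name, the CA name and the host server.example.test are constructed.
set -eu

# Build a tiny private CA and a CA-signed server certificate under $1.
make_test_chain() {
    dir=$1
    mkdir -p "$dir"
    # Private config, so the output does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. CA key and self-signed CA cert: the only certificate that may carry CA:TRUE.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. No -x509 here: a request, not a self-signed certificate.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. End-entity extensions: explicitly not a CA, usable only for TLS server auth.
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'subjectAltName = DNS:server.example.test' > "$dir/server.ext"
    # 4. Sign with the CA key. Unlike `openssl ca`, this needs no demoCA/ tree, index.txt
    #    or serial file, which is what the thread's failing command could not find.
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if $2 is an end-entity server cert that chains to CA $1, which is
# what mod_ssl expects of SSLCertificateFile (its warning fires on CA:TRUE).
check_server_cert() {
    ca=$1 cert=$2
    text=$(openssl x509 -in "$cert" -noout -text)
    case $text in
        *"CA:TRUE"*) echo "$cert is a CA certificate, not a server certificate" >&2; return 1 ;;
        *"TLS Web Server Authentication"*) ;;
        *) echo "$cert lacks the serverAuth extended key usage" >&2; return 1 ;;
    esac
    openssl verify -CAfile "$ca" "$cert" >/dev/null
}

# Usage: sh mkchain.sh /path/to/outdir
[ $# -eq 0 ] || { make_test_chain "$1"; check_server_cert "$1/ca.crt" "$1/server.crt"; }
```

Point SSLCertificateFile at server.crt, SSLCertificateKeyFile at server.key and SSLCACertificateFile at ca.crt; passing ca.crt as the server certificate is exactly what triggers the "CA == TRUE !?" warning quoted above.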
