On Thu, Oct 22, 1998, Martin Kuzela wrote:
> ssleay req -new -key adelapriv.key -out adelaziad.csr
>[...]
> Using configuration from /usr/local/ssl/lib/ssleay.cnf
> Unable to load config info
> Enter PEM pass phrase:
> unable to find 'distinguished_name' in config
> problems making Certificate Request
>
> Question1: why SSLeay wants config file (which I haven't) when I am
> generating CSR?
SSLeay at least wants to find the default values for the interactive prompts
and some other information on how to generate the CSR.
> Question2: why documentation doesn't say that you must have some config
> file?
Which documentation do you mean? mod_ssl or SSLeay's? But when you have a
correct installation you usually have such a ssleay.cnf installed. Seems like
your installation is broken a little bit.
> 3.So after reading mod-ssl's makefiles I add "-config .mkcert.cfg"
> parameter.
Ok, why don't you use "make certificate". mod_ssl's mkcert.sh automatically
places a correct server.csr into the conf/ssl.csr/ directory you can send to
Verisign. Information about this is even printed at the end of mkcert.sh's
processing. This way you don't have to fiddle yourself with the various SSLeay
options.
> ssleay req -new -key adelapriv.key -out adelaziad.csr -config
> .mkcert.cfg
>
> Then I answered all SSLeay's questions and SSLeay gave me CSR file.
>
> Question3: Did I do something wrong by using .mkcert.cfg file (with
> Snakeoil company description)? I hope that my answers replaced every
> default value.
The Snake Oil stuff are just defaults, yes. No problem. Check your CSR with
"ssleay req -noout -text -in <file>" to make sure you have the correct
contents.
> Question4: Are there any problems with CSR files generated this way at
> Verisign?
No, as long as your "ssleay req -noout -text -in <file>" gives you the correct
DN it should not make problems.
> Question5: I have successfully installed apache + mod-ssl + jserv. What
> should I do to install certificate received from Verisign and my private
> key?
Just replace the installed etc/ssl.crt/server.crt with the certificate
Verisign sends you and the etc/ssl.key/server.key with the private key you
generated under 1.).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
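The checks discussed in this thread, as an added example that is not part of the original message or of mod_ssl: a minimal config with the `distinguished_name` section the error message asks for, a CSR built from it, and two checks before sending it to the CA (the DN, and that the CSR belongs to the private key you will install). It assumes the modern `openssl` CLI, the successor of `ssleay`; the file names, function names and DN values are constructed.

```shell
#!/bin/sh
# Added example; assumes the `openssl` CLI is installed.
# All file names and DN values below are constructed placeholders.

# make_csr DIR CN: write a minimal req config, a key and a CSR into DIR.
make_csr() {
    dir=$1
    cn=$2
    # [ req ] must point at a distinguished_name section; without it the
    # tool fails with "unable to find 'distinguished_name' in config".
    # prompt = no takes the DN from the file, so no default can leak in.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
C  = XY
O  = Example Org
CN = $cn
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
}

# csr_subject CSR: print the subject DN of the request (RFC 2253 form).
csr_subject() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" |
        sed 's/^subject= *//'
}

# csr_matches_key CSR KEY: succeed only if the public key embedded in the
# CSR is the public half of KEY, i.e. the certificate issued for this CSR
# will work with the server.key you install next to it.
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Typical use (paths are placeholders):
#   make_csr /tmp/csrwork www.example.test
#   csr_subject /tmp/csrwork/server.csr
#   csr_matches_key /tmp/csrwork/server.csr /tmp/csrwork/server.key
```
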