How about importing the ca.crt file into your browser? Browsers authenticate
server.crts against known CA companies. Maybe?
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of hUnTeR
Sent: Saturday, November 06, 1999 8:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: CA and certs
[EMAIL PROTECTED] wrote:
>
> your CA information has to be different from the information listed in
> the key you wish to sign. Try that and it should work.
>
> --
> Colin Faber
> Perl programmer, Systems administration
> fpsn.net, Inc.
> [EMAIL PROTECTED]
>
> www.fpsn.net
Colin -
Here is the procedure I followed:
1) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out ca.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....................+++++
.........................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
2) /usr/share/ssl/mod_ssl/ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:UFN CA
Email Address []:[EMAIL PROTECTED]
3) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out server.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......+++++
..............................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
4) /usr/share/ssl/mod_ssl/ openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Web Development Unit
Common Name (eg, YOUR name) []:www.userfriendly.net
Email Address []:[EMAIL PROTECTED]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5) /usr/share/ssl/mod_ssl/ ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Ohio'
localityName :PRINTABLE:'Lakewood'
organizationName :PRINTABLE:'The UserFriendly Network'
organizationalUnitName:PRINTABLE:'Web Development Unit'
commonName :PRINTABLE:'www.userfriendly.net'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Nov 6 02:06:59 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
6) /usr/share/ssl/mod_ssl/ openssl rsa -in server.key.org -out server.key
read RSA private key
Enter PEM pass phrase:
writing RSA private key
7) root@niteowl Sat Nov 6 09:07:35pm
/usr/share/ssl/mod_ssl/ chmod 400 server.key
root@niteowl Sat Nov 6 09:07:43pm
/usr/share/ssl/mod_ssl/ cp server.crt /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.crt'? y
root@niteowl Sat Nov 6 09:07:54pm
/usr/share/ssl/mod_ssl/ cp server.key /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.key'? y
root@niteowl Sat Nov 6 09:07:59pm
/usr/share/ssl/mod_ssl/ /etc/rc.d/init.d/httpd restart
I restarted the webserver and STILL get the annoying message about the
signature:
"The server's certificate has an invalid signature. You will not be able
to connect to this site securely."
Now, I took your advice as evidenced above, and still got the same
result. Any ideas?
Regards
--
Michael B. Weiner
Systems Administrator/Partner
The UserFriendly Network (UFN)
--
/ / (_)__ __ ____ __
/ /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\
* * * CHOICE OF A GNU GENERATION * * *
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
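
Added example, not part of the thread and not mod_ssl's own code: it rebuilds the CA and server certificate from steps 1-5 above non-interactively, then checks that server.crt chains to ca.crt, that its issuer is the CA's subject, and that server.key belongs to it. Assumptions: unencrypted 2048-bit keys, -subj in place of the prompts, "openssl x509 -req" standing in for sign.sh, and hypothetical function names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: unencrypted 2048-bit keys,
# -subj instead of the interactive prompts, and "openssl x509 -req" standing
# in for mod_ssl's sign.sh. DN values are the ones shown in the thread.
DN_BASE="/C=US/ST=Ohio/L=Lakewood/O=The UserFriendly Network"

# Steps 1-5: CA key, self-signed CA cert, server key, CSR, CA-signed cert.
build_chain() {  # $1 = working directory
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "$DN_BASE/OU=Certificate Authority/CN=UFN CA" &&
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "$DN_BASE/OU=Web Development Unit/CN=www.userfriendly.net" &&
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Does the leaf certificate's signature chain to this CA certificate?
chain_ok() {  # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print one DN ("subject" or "issuer") of a certificate, label stripped.
dn_of() {  # $1 = subject|issuer, $2 = cert
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# The leaf's issuer must equal the CA's subject and differ from its own subject.
issuer_is_ca() {  # $1 = CA cert, $2 = leaf cert
    [ "$(dn_of issuer "$2")" = "$(dn_of subject "$1")" ] &&
    [ "$(dn_of issuer "$2")" != "$(dn_of subject "$2")" ]
}

# Does the private key belong to the certificate? Compares RSA moduli.
key_matches_cert() {  # $1 = key, $2 = cert
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

work=$(mktemp -d)
build_chain "$work" || echo "build failed" >&2
chain_ok "$work/ca.crt" "$work/server.crt" && echo "server.crt chains to ca.crt"
issuer_is_ca "$work/ca.crt" "$work/server.crt" && echo "issuer is the CA subject"
key_matches_cert "$work/server.key" "$work/server.crt" && echo "key matches cert"
rm -rf "$work"
```

The same three functions can be pointed at the files actually installed under /etc/httpd/conf/ to confirm that the certificate and key being served are the pair that was signed.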