Dear all,
I have been trying to generate permanent self-signed keys without success for the
last 2 days. I have monitored this discussion group and read the FAQs but still have
the same questions/problem.
I got apache_1.3.12 + php 3.0.12 + mod_ssl_2.6.2 + openssl-0.9.5 + mysql running on
Solaris 2.7. Everything seems to be working after a bit of fine tuning during the build
process (eg: removing -I/usr/include, adding RANDFILE = /bigused.file ).
All of this under the Snake Oil demo certificate. I tried to create some permanent
keys with
cd /../apache_1.3.12/src
make certificate TYPE=custom
I get this error, which I don't know if it's normal:
error 18 at 0 depth lookup:self signed certificate
In addition, Netscape 4.x and IE5 complain that the name of the security
certificate does not match the name of the site, and also that the certificate was
issued by a company that I have not chosen to trust!!
Should I add the SSLCACertificate directives in httpd.conf?
Are there any recommendations for the input for
5. Organizational Unit Name (eg, section) [Certificate Authority]:
to get a self-signed certificate?
I went over the FAQs and the manual method, but I get keys generated after similar
errors.
In some cases the SSL does not even present any pages.
Sorry for the length of this message
Stephane
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________
STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
______________________________________________________________________
STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
4937 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
.++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:ca
2. State or Province Name (full name) [Snake Desert]:quebec
3. Locality Name (eg, city) [Snake Town]:montreal
4. Organization Name (eg, company) [Snake Oil, Ltd]:ETS
5. Organizational Unit Name (eg, section) [Certificate Authority]:
6. Common Name (eg, CA name) [Snake Oil CA]:spilotte-sun.ele.etsmtl.ca
7. Email Address (eg, name@FQDN) [[EMAIL PROTECTED]]:[EMAIL PROTECTED]
8. Certificate Validity (days) [365]:
______________________________________________________________________
STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=ca/ST=quebec/L=montreal/O=ETS/OU=Certificate Authority/CN=spilotte-sun.ele.etsmtl.ca/[EMAIL PROTECTED]
Getting Private key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=ca/ST=quebec/L=montreal/O=ETS/OU=Certificate Authority/CN=spilotte-sun.ele.etsmtl.ca/[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________
STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
4937 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......++++++
....++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:ca
2. State or Province Name (full name) [Snake Desert]:quebec
3. Locality Name (eg, city) [Snake Town]:montreal
4. Organization Name (eg, company) [Snake Oil, Ltd]:ETS
5. Organizational Unit Name (eg, section) [Webserver Team]:.
6. Common Name (eg, FQDN)
[www.snakeoil.dom]:spilotte-sun.ele.etsmtl.ca
7. Email Address (eg, name@fqdn) [[EMAIL PROTECTED]]:[EMAIL PROTECTED]
8. Certificate Validity (days) [365]:
______________________________________________________________________
STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=ca/ST=quebec/L=montreal/O=ETS/CN=spilotte-sun.ele.etsmtl.ca/[EMAIL PROTECTED]
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________
STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
RESULT: CA and Server Certification Files
o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can
use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to
sign other servers or clients. When you sign clients with it (for
SSL client authentication) you can configure this file with the
'SSLCACertificateFile' directive.
o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our own CA) which later can replace the conf/ssl.crt/server.crt
file.
Congratulations, you have established your server with real certificates.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
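Added example (editor's note, not part of the post and not the mod_ssl mkcert.sh script shown above): the same CA-plus-server certificate generation redone with plain openssl commands, followed by the checks that explain the two symptoms in the post. "error 18 at 0 depth lookup: self signed certificate" is what openssl verify reports when it is handed a self-signed certificate and no trust anchor; mkcert.sh verifies ca.crt that way in STEP 3, and the OpenSSL 0.9.x verify command printed "OK" after the lookup error anyway, which is why the transcript shows both lines. Passing the CA with -CAfile makes the same chain verify cleanly. The browser's "name does not match" warning is about the server certificate's CN (today also its subjectAltName) versus the hostname typed in the URL; the "issued by a company you have not chosen to trust" warning is inherent to a private CA until ca.crt is imported into the browser, and the SSLCACertificateFile directive from the RESULT section only matters for SSL client authentication. The script assumes an OpenSSL 1.1.0 or later command line on PATH; WORKDIR and the file names are hypothetical scratch paths, and HOST is the hostname from the post.

```shell
#!/bin/sh
# Added example, not the mkcert.sh run from the post: generate a private CA and a
# server certificate with plain openssl, then reproduce the "error 18" lookup
# failure and show which checks openssl verify (and a browser) actually applies.
# Assumptions: OpenSSL 1.1.0+ on PATH; WORKDIR is a scratch directory (hypothetical);
# HOST is the name the browser connects to (taken from the post).

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-spilotte-sun.ele.etsmtl.ca}"

gen_ca() {
    # mkcert.sh STEP 1-3 in one command: a self-signed CA certificate.
    # Issuer equals subject, which is exactly what "self signed" means to openssl verify.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=ETS/OU=Certificate Authority/CN=ETS Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

gen_server() {
    # mkcert.sh STEP 4-6: server key + CSR, then sign the CSR with our own CA.
    # The CN and a subjectAltName must equal the hostname the browser connects to;
    # the remaining DN fields (OU included) can be blank without affecting trust.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=ETS/CN=$HOST" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.cnf"
    openssl x509 -req -days 365 -sha256 -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -extfile "$WORKDIR/san.cnf" \
        -in "$WORKDIR/server.csr" -out "$WORKDIR/server.crt" 2>/dev/null
}

self_signed_error_seen() {
    # What mkcert.sh did in STEP 3: verify the CA cert with no trust anchor at all.
    # Returns 0 when openssl prints the "error 18 ... self signed certificate" lookup
    # failure, i.e. the line from the post (newer releases spell it "self-signed").
    openssl verify "$WORKDIR/ca.crt" 2>&1 \
        | grep -qi 'error 18 at 0 depth lookup: *self.signed certificate'
}

verify_with_anchor() {
    # Supply the CA as the trust anchor: the chain server.crt -> ca.crt verifies ("OK").
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

hostname_accepted() {
    # The browser's first complaint: does the certificate name match the site name?
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

hostname_mismatch_rejected() {
    # A constructed wrong name must be refused even though the chain itself is fine.
    if hostname_accepted "www.wrong-name.invalid"; then return 1; else return 0; fi
}

key_matches_cert() {
    # mkcert.sh's "Verify: matching certificate & key modulus" check, done by hand.
    cert_mod=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

gen_ca && gen_server || { echo "certificate generation failed" >&2; exit 1; }
self_signed_error_seen     && echo "verify ca.crt without -CAfile: error 18, self signed (expected)"
verify_with_anchor         && echo "verify -CAfile ca.crt server.crt: OK"
hostname_accepted "$HOST"  && echo "certificate name matches $HOST"
hostname_mismatch_rejected && echo "a different site name is rejected"
key_matches_cert           && echo "server.key modulus matches server.crt"
```

To silence the "not chosen to trust" warning the browser must be given ca.crt to import; nothing in httpd.conf can do that, because the trust decision is the client's. Note that verifying server.crt (rather than ca.crt) without -CAfile fails with a different lookup error, "unable to get local issuer certificate", so which file produced the message tells you which half of the chain is missing.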