I thought I would share this.

-----Original Message-----
From: S. Pilotte [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 10:12 AM
To: Henrik Schmiediche
Subject: RE: Can't generate self-signed keys

Henrik,

Glad to see I am not going crazy; unfortunately it seems to be a real problem. The good news is that at the end of the day yesterday I was able to generate self-signed keys using the manual method explained in the FAQs, using OpenSSL 0.9.4!! I moved those keys to ../apache/conf/ssl.key and ../apache/conf/ssl.crt and voila!! Beautiful, it worked. Well, almost. What confused the issue, for me at least, is that during the test I was using https://serverA/ and not the correct reference of https://serverA.etc.com/, so I was receiving a server name mismatch warning against the ServerName in the httpd.conf file.

Lastly, I was able to install the certificate in Netscape Navigator and eliminate further messages when I revisited the site, but could achieve this desired result with IE 5.01?!? Although I see the certificate after choosing to install it. Maybe I forgot something else to set up in IE, but operation from Netscape is perfect.

I am going to give it a rest for the moment because I spent a lot of time on this issue of permanent keys; when it was supposed to take 5 minutes, it turned out to be more like 5 days. I believe the generation of self-signed keys is broken in OpenSSL 0.9.4 and later on Solaris 2.7. I will need to do further testing on a few more issues to be satisfied, but I am giving it a rest for now. I would also like to go ahead and get a key signed by Verisign to prove that also works properly.

I almost made the move to purchase STRONGHOLD for US$995, but the mention of Apache 1.3.6 at the base of the package made me reconsider, and then I succeeded.
Let me know how it works for you.

Stephane

-----Original Message-----
From: Henrik Schmiediche [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 4:15 PM
To: [EMAIL PROTECTED]
Subject: Can't generate self-signed keys

Hello,

were you ever able to fix this problem? I have the same one with no solution (yet).

- Henrik

On Mar 31, 1:10pm, S. Pilotte wrote:
> Subject: Can't generate self-signed keys
> Dear all,
>
> I have been trying to generate permanent self-signed keys without success for the last 2 days. I have monitored this discussion group and read the FAQs but still have the same questions/problem.
>
> I got apache_1.3.12 + php 3.0.12 + mod_ssl_2.6.2 + openssl-0.9.5 + mysql running on Solaris 2.7. Everything seems to be working after some fine tuning during the build process (eg: removing -I/usr/include, adding RANDFIL = /bigused.file).
>
> All of this under the Snake Oil demo certificate. I tried to create some permanent keys with
>
> cd /../apache_1.3.12/src
> make certificate TYPE=custom
>
> I get this error, which I don't know if it's normal:
>
> error 18 at 0 depth lookup:self signed certificate
>
> In addition, Netscape 4.x and IE5 complain that the name of the security certificate does not match the name of the site, and also that the certificate was issued by a company that I have not chosen to trust!!
>
> Should I add the SSLCACertificate directives in httpd.conf?
>
> Are there any recommendations for input for
>
> 5. Organizational Unit Name (eg, section) [Certificate Authority]:
>
> to get a self-signed certificate?
>
> I went over the FAQs and the manual method, but I get keys generated after similar errors.
> In some cases the SSL does not even present any pages.
>
>
> Sorry for the length of this message
>
> Stephane
>
>
> SSL Certificate Generation Utility (mkcert.sh)
> Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
>
> Generating custom certificate signed by own CA [CUSTOM]
> ______________________________________________________________________
>
> STEP 0: Decide the signature algorithm used for certificates
> The generated X.509 certificates can contain either
> RSA or DSA based ingredients. Select the one you want to use.
> Signature Algorithm ((R)SA or (D)SA) [R]:
> ______________________________________________________________________
>
> STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
> 4937 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> .++++++
> .++++++
> e is 65537 (0x10001)
> ______________________________________________________________________
>
> STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
> Using configuration from .mkcert.cfg
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> 1. Country Name (2 letter code) [XY]:ca
> 2. State or Province Name (full name) [Snake Desert]:quebec
> 3. Locality Name (eg, city) [Snake Town]:montreal
> 4. Organization Name (eg, company) [Snake Oil, Ltd]:ETS
> 5. Organizational Unit Name (eg, section) [Certificate Authority]:
> 6. Common Name (eg, CA name) [Snake Oil CA]:spilotte-sun.ele.etsmtl.ca
> 7. Email Address (eg, name@FQDN) [[EMAIL PROTECTED]]:[EMAIL PROTECTED]
> 8. Certificate Validity (days) [365]:
> ______________________________________________________________________
>
> STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
> Certificate Version (1 or 3) [3]:
> Signature ok
> subject=/C=ca/ST=quebec/L=montreal/O=ETS/OU=Certificate [EMAIL PROTECTED]
> Getting Private key
> Verify: matching certificate & key modulus
> read RSA key
> Verify: matching certificate signature
> ../conf/ssl.crt/ca.crt: /C=ca/ST=quebec/L=montreal/O=ETS/OU=Certificate [EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> OK
> ______________________________________________________________________
>
> STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
> 4937 semi-random bytes loaded
> Generating RSA private key, 1024 bit long modulus
> .......++++++
> ....++++++
> e is 65537 (0x10001)
> ______________________________________________________________________
>
> STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
> Using configuration from .mkcert.cfg
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> 1. Country Name (2 letter code) [XY]:ca
> 2. State or Province Name (full name) [Snake Desert]:quebec
> 3. Locality Name (eg, city) [Snake Town]:montreal
> 4. Organization Name (eg, company) [Snake Oil, Ltd]:ETS
> 5. Organizational Unit Name (eg, section) [Webserver Team]:.
> 6. Common Name (eg, FQDN) [www.snakeoil.dom]:spilotte-sun.ele.etsmtl.ca
> 7. Email Address (eg, name@fqdn) [[EMAIL PROTECTED]]:[EMAIL PROTECTED]
> 8. Certificate Validity (days) [365]:
> ______________________________________________________________________
>
> STEP 6: Generating X.509 certificate signed by own CA [server.crt]
> Certificate Version (1 or 3) [3]:
> Signature ok
> >[EMAIL PROTECTED]
> Getting CA Private Key
> Verify: matching certificate & key modulus
> read RSA key
> Verify: matching certificate signature
> ../conf/ssl.crt/server.crt: OK
> ______________________________________________________________________
>
> STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
> The contents of the ca.key file (the generated private key) has to be
> kept secret. So we strongly recommend you to encrypt the server.key file
> with a Triple-DES cipher and a Pass Phrase.
> Encrypt the private key now? [Y/n]: n
> Warning, you're using an unencrypted private key.
> Please notice this fact and do this on your own risk.
> ______________________________________________________________________
>
> STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
> The contents of the server.key file (the generated private key) has to be
> kept secret. So we strongly recommend you to encrypt the server.key file
> with a Triple-DES cipher and a Pass Phrase.
> Encrypt the private key now? [Y/n]: n
> Warning, you're using an unencrypted RSA private key.
> Please notice this fact and do this on your own risk.
> ______________________________________________________________________
>
> RESULT: CA and Server Certification Files
>
> o conf/ssl.key/ca.key
> The PEM-encoded RSA private key file of the CA which you can
> use to sign other servers or clients. KEEP THIS FILE PRIVATE!
>
> o conf/ssl.crt/ca.crt
> The PEM-encoded X.509 certificate file of the CA which you use to
> sign other servers or clients. When you sign clients with it (for
> SSL client authentication) you can configure this file with the
> 'SSLCACertificateFile' directive.
>
> o conf/ssl.key/server.key
> The PEM-encoded RSA private key file of the server which you configure
> with the 'SSLCertificateKeyFile' directive (automatically done
> when you install via APACI). KEEP THIS FILE PRIVATE!
>
> o conf/ssl.crt/server.crt
> The PEM-encoded X.509 certificate file of the server which you configure
> with the 'SSLCertificateFile' directive (automatically done
> when you install via APACI).
>
> o conf/ssl.csr/server.csr
> The PEM-encoded X.509 certificate signing request of the server file which
> you can send to an official Certificate Authority (CA) in order
> to request a real server certificate (signed by this CA instead
> of our own CA) which later can replace the conf/ssl.crt/server.crt
> file.
>
> Congratulations that you establish your server with real certificates.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>-- End of excerpt from S. Pilotte

--
Henrik Schmiediche, Dept. of Statistics, Texas A&M, College Station, TX 77843
E-mail: [EMAIL PROTECTED] | Tel: (409) 862-1764 | Fax: (409) 845-3144
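The two things the thread stumbles on (whether "error 18 at 0 depth lookup:self signed certificate" is normal, and why the browser reports a server name mismatch when the short host name is used instead of the FQDN) can be reproduced with plain openssl. The script below is an added example, not code from the thread or from mkcert.sh; the host name, DN values and file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): the mkcert.sh steps done with plain
# openssl, then checks showing which verify "errors" are expected. The host
# name, DN values and paths are assumptions made for the example.
set -eu
WORK=$(mktemp -d); cd "$WORK"
HOST=serverA.example.com      # the FQDN users will actually type

# STEP 1-3: CA key, CA CSR, CA cert signed by itself (with explicit CA flags)
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/C=CA/O=Example/CN=Example CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext \
    -out ca.crt 2>/dev/null
# STEP 4-5: server key and CSR; the CN is the full FQDN, not the short name
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/C=CA/O=Example/CN=$HOST" 2>/dev/null
# STEP 6: server cert signed by our CA; a SAN is what modern clients match on
printf 'subjectAltName=DNS:%s\n' "$HOST" > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.crt 2>/dev/null

# Print "OK" if openssl accepts certificate $1, otherwise the numeric X509
# error. $2 is the trust file; pass "" to rely on the system store alone.
verify_result() {
    ca_opt=""; [ -n "$2" ] && ca_opt="-CAfile $2"
    if out=$(openssl verify $ca_opt "$1" 2>&1); then echo OK
    else echo "$out" | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1; fi
}

# 0 when the cert is valid for host name $2, 1 on a server-name mismatch
hostname_ok() {
    openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The CA cert against the system store gives "error 18 ... self signed
# certificate": expected, since nothing vouches for it yet. Against itself as
# trust anchor it is OK, as is the server cert, and only the FQDN matches.
echo "ca.crt, system store: $(verify_result ca.crt "")"
echo "ca.crt, ca.crt:       $(verify_result ca.crt ca.crt)"
echo "server.crt, ca.crt:   $(verify_result server.crt ca.crt)"
for name in serverA "$HOST"; do
    hostname_ok server.crt "$name" && echo "$name: match" || echo "$name: MISMATCH"
done
```

Installing ca.crt in the browser (or pointing a client at it as its trust file) is what removes the "issued by a company you have not chosen to trust" warning; the name mismatch only goes away by visiting the site under the name in the certificate.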
