Nick Davies wrote:
> I'm kinda new to setting up ssl stuff (as you can guess from my
> previous silly question). I just want to know about certificates and
> stuff. I'm in the uk and getting certificates from BT's(grrr grr)
> trustwise service. I've used openssl to generate a CSR and used that to
> get a trial certificate. Do I need to generate a key from the resulting
> certificate I get from BT?
I think you're putting the cart before the horse - the key comes before
the CSR. Here is what I did (perhaps if one of the gurus could check
this - I'd be glad to hear about any mistakes!):
- Make a random_data file
# echo "bunch_of_random_data" > random_data
- Generate a key using the random data
# openssl genrsa -rand random_data -out server.key 1024
- Generate a Certificate Signing Request (CSR) using the key
# openssl req -new -key server.key -out server.csr
- Use the CSR to get a certificate (e.g. from
http://www.verisign.com/server/trial/welcome/index.html)
- saved this as server.crt
- Edited httpd.conf to point to the key and certificate
SSLCertificateFile /home/apache/server.crt
SSLCertificateKeyFile /home/apache/server.key
So my interpretation is:
- the random-data is used as a seed to make a public-key, private-key
pair in server.key
- the CSR is made using the public-key extracted from server.key
- Verisign make a certificate for you and put the public-key in it.
- when users come to the site you give them the certificate.
- users extract the public-key from the certificate and use this to
encrypt a session-key which they return to the server.
- the server uses the private key (in server.key) to decrypt the
session-key.
- the rest of the SSL session uses the session-key on both sides (i.e.
it is symmetric cryptography after that).
Best regards,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
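The key-then-CSR-then-certificate order described above, as an added shell example that is not part of the original thread. It assumes the openssl command-line tool is on PATH, uses a 2048-bit key instead of the 1024-bit one in the post, omits the "-rand random_data" step (current OpenSSL seeds itself from the operating system), and stands in for the CA (BT or Verisign in the thread) by self-signing the CSR with the server key. The hostname www.example.test and the file names are constructed for the example. The check at the end is the one to run before pointing SSLCertificateFile and SSLCertificateKeyFile at the files: the RSA modulus in the key, the CSR and the certificate must be identical, which also shows why a key generated after the certificate arrives cannot work.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Assumes the openssl CLI
# is installed; the CA step is simulated by self-signing.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

# Step 1: the private key comes first. It never leaves the server, so it is
# made unreadable to other users as soon as it exists.
make_key() {        # make_key <key-file>
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Step 2: the CSR is derived from the key and carries only the public half.
# A minimal config file makes the request non-interactive.
make_csr() {        # make_csr <key-file> <csr-file> <common-name>
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $3
EOF
    openssl req -new -key "$1" -out "$2" -config "$WORK/req.cnf"
}

# Step 3: the CA signs the CSR and returns a certificate. Self-signing with the
# server key here stands in for BT/Verisign so the example runs offline.
sign_csr() {        # sign_csr <csr-file> <key-file> <crt-file>
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days 30 2>/dev/null
}

# Print the RSA modulus ("Modulus=...") of a key, CSR or certificate.
modulus_of() {      # modulus_of <file ending in .key, .csr or .crt>
    case "$1" in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
        *)     echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# Returns 0 only when key, CSR and certificate all carry the same modulus,
# i.e. the certificate really was issued for the public half of this key.
key_matches_cert() { # key_matches_cert <key-file> <csr-file> <crt-file>
    [ "$(modulus_of "$1")" = "$(modulus_of "$2")" ] &&
    [ "$(modulus_of "$2")" = "$(modulus_of "$3")" ]
}

run_demo() {
    make_key "$WORK/server.key"
    make_csr "$WORK/server.key" "$WORK/server.csr" "www.example.test"
    sign_csr "$WORK/server.csr" "$WORK/server.key" "$WORK/server.crt"
    # A second key reproduces the mistake in the question: a key generated
    # after the certificate arrived belongs to a different key pair.
    make_key "$WORK/other.key"
}

run_demo
if key_matches_cert "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "server.key, server.csr and server.crt agree"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/server.csr" "$WORK/server.crt"; then
    echo "other.key does not match server.crt: Apache would refuse this pair"
fi
```

Running the script prints the two confirmation lines; if the first check ever fails on a real deployment, the certificate was issued for a different CSR than the key in SSLCertificateKeyFile and the CSR step has to be redone with the key you actually have.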