Check out ssl.ca-0.1 on www.openssl.org -> Contributions -> ssl.ca-0.1.tar.gz.
This set of scripts uses ca and openssl to create a self-signed CA, create and
sign the server certs, plus create and sign user certs. It's a neat package! I've
used it on my personal web server with great success.

Ben Rockwood wrote:

> Hello.
>
>         I've recently started playing with mod_ssl
> and had done well with it till I decided to switch off
> the test certs (SnakeOil) and onto real certs.  I successfully
> created and signed my own cert as documented in the mod_ssl
> users guide, but ran into trouble when trying to connect with
> a browser.
>
>         I'm testing with Netscape and Mozilla.  When I hit
> the server (https://) I get the normal "This is a secure page
> blah, blah", and then another window "No User Certificate: The
> server may not let you connect without one".  I click "Next"
> there and get a window saying "An IO Error Occured.  Try Connecting
> Again".  This happens over and over again each time I try.  I've
> tried several different machines and the same result.  I tried
> IE on NT, and essentially the same thing happened, except that
> instead of an IO error I just got an error page.  (effectively
> the same result)  After inspecting my ssl_engine_log I find this
> line, which seems to correspond to the IO error:
>
> [12/Mar/2001 21:08:15 09014] [info]  Connection to child 2 established
> (server xxx.blah.com:443, client xxx.xxx.xxx.xxx)
> [12/Mar/2001 21:08:15 09014] [info]  Seeding PRNG with 1160 bytes of entropy
> [12/Mar/2001 21:08:19 09014] [error] SSL handshake failed (server
> xxx.blah.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
> [12/Mar/2001 21:08:19 09014] [error] OpenSSL: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> [Hint: No CAs known to server for verification?]
>
>         (Note: I did in fact block out the hostname and IP for security reasons,
> it's not a misconfigured system in that regard <grin>)
>
> So my problem, as mentioned by the log is that I don't have a CA server.
> I've looked through the docs for OpenSSL and mod_ssl and can't find anything
> about building/config'ing a CA Server, there's plenty on signing certs AS a
> CA, but not actually serving as a CA for requests.  So how do I?  Or is this
> in the docs and I simply missed it.  Part of my confusion is in whether the
> CA "Server" is a daemon or not.  Do I need to launch an OpenSSL session that
> stays open on a given port for requests or does Apache with mod_ssl take
> care of the magic?  This is really driving me nuts, and SSL is really
> kool... I'm totally thrilled that there is such a good open source SSL tool
> kit available that everyone can play with it.
>
> Just for kicks, here's some lines from my httpd.conf, all under the default
> virtual host on port 443 (i.e. modified lines from the originally placed.
> I've excluded lines that I didn't think were interesting or applied):
>
> <VirtualHost _default_:443>
> DocumentRoot "/usr/local/apache/htdocs"
> ServerName xxx.blah.com
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM:LOW:RC4+RSA:+SSLv2
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
> SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
> SSLCACertificatePath /usr/local/apache/conf/ssl.crt
> SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
> SSLCARevocationPath /usr/local/apache/conf/ssl.crl
> SSLVerifyClient optional_no_ca
> SSLVerifyDepth  10
> </VirtualHost>
>
> The directives that I'm not 100% clear about (even after reading the docs,
> which were really great) are SSLCipherSuite and SSLVerifyClient.  I've tried
> other variants for SSLVerifyClient, but they didn't really help.  It seems
> like I can only get this thing to work well when I specify that
> no-encryption is an option.... which is exactly against the point.
>
>         So, ultimately the question is, do I have a config problem, a client
> problem, a psychological problem, or do I simply lack a CA Server? Any help
> is GREATLY appreciated.  Sorry for being so wordy, but I figured I'd just be
> complete the first time.
>
>         benr.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

--
Mike Carter
Unix Systems Admin
Apple Computer
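The "CA server" asked about above is nothing more than a CA key pair and certificate on disk. As an added illustration (not code from this thread or from the ssl.ca package), the script below uses the openssl CLI to build a throwaway CA, sign a server certificate with it, and confirm that the server certificate chains to that CA, which is the relationship mod_ssl's SSLCACertificateFile, SSLCertificateFile and SSLCertificateKeyFile must reflect. Subject names and output paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list post: a minimal CA built with the openssl CLI.
set -e

# Create a self-signed CA and a server cert signed by it, under directory $1.
# Resulting files map onto the httpd.conf directives quoted in the thread:
#   ca.crt     -> SSLCACertificateFile (and SSLCertificateChainFile)
#   server.crt -> SSLCertificateFile
#   server.key -> SSLCertificateKeyFile
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Self-signed CA key and certificate. No daemon is involved; the "CA"
    #    is just this key and cert, kept offline and signing requests on demand.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key plus a certificate signing request (constructed hostname).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the request with the CA. This step makes ca.crt the issuer of
    #    server.crt, which is what lets a verifier accept the chain.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# Return 0 when certificate $2 chains to the CA certificate in $1.
# This is the same check mod_ssl performs against SSLCACertificateFile, so a
# failure here means the server would log "No CAs known ... for verification".
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: build a PKI, then check the chain against its own CA and against an
# unrelated CA. Only the first should verify.
demo() {
    own=$(mktemp -d)
    other=$(mktemp -d)
    make_test_pki "$own"
    make_test_pki "$other"
    chain_verifies "$own/ca.crt" "$own/server.crt" && echo "own CA: OK"
    chain_verifies "$other/ca.crt" "$own/server.crt" || echo "unrelated CA: rejected"
}

demo
```

The script needs only the openssl binary; point SSLCACertificateFile at the generated ca.crt and import the same ca.crt into the browser to make the server certificate trusted on the client side.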

