Full_Name: Paul Rubin
Version: 2.4.2
OS: solaris
Submission from: (NULL) (207.88.231.116)

There are two problems with "make certificate" (mkcert.sh) that may have been fixed by now:

1) There should be a convenient way to generate a self-signed cert to install in a web server. Right now there's "make test" which makes a cert signed by the Snakeoil CA, and "make custom" which generates a new CA and signs a server cert with it. Sometimes I just want to generate a single self-signed cert that I can download and install into a browser.

2) "make custom" generates a CA cert, then prompts you with a few questions, then issues a server cert signed by the CA. That's fine except the CA cert and the server cert are both good for exactly the same length of time, but the server cert is created a few seconds later, which means it expires a little later than the CA cert. Even after installing the CA cert as a trusted root into IE5, sending the server cert pops an IE error dialog, saying the server cert lifetime exceeds the lifetime of the CA cert.

The solution is to modify mkcert.sh to make the CA cert last longer than the server cert. Probably the CA cert should last for 2 years, so you can sign more server certs with it instead of having to keep generating new ones.

I know I can do all this with openssl but it would be nice if the mkcert.sh script were updated to do the right thing.

Thanks, and mod_ssl and openssl are great!

Paul
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
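The fix asked for in item 2, done directly with openssl as an added example (it is not mkcert.sh's code and not part of the original message): the CA certificate is issued for 730 days and the server certificate for 365, and a check confirms the server cert expires first. File names, subject names, key size and the day counts are assumptions.

```shell
#!/bin/sh
# Added example, not taken from mkcert.sh. File names, subjects, key size and
# the 730/365 day lifetimes are assumptions chosen for illustration.
# -nodes leaves the private keys unencrypted; keep DIR private.

# make_chain DIR: create a CA certificate valid for 730 days and a server
# certificate, signed by that CA, valid for 365 days.
make_chain() {
    # Self-signed CA certificate with a two-year lifetime.
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -subj "/O=Example/CN=Example Custom CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=www.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # Sign the request with the CA, for one year only.
    openssl x509 -req -in "$1/server.csr" -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial 1 \
        -out "$1/server.crt" 2>/dev/null
}

# expires_within CERT DAYS: succeed if CERT expires within DAYS days.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds
# from now, so its status is inverted here.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# chain_lifetimes_ok DIR: the server cert must verify against the CA, and at a
# point 366 days out the server cert must have expired while the CA cert is
# still valid, which means the CA cert outlives the server cert.
chain_lifetimes_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    expires_within "$1/server.crt" 366 || return 1
    ! expires_within "$1/ca.crt" 366
}
```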
