Juan Carlos Albores Aguilar wrote:
> 
> I have a system with Apache and modssl 2.6 and I've created my own CA,
> but I don't find the CRL. As I've read, I should have a ca.crl file,
> which I don't have. Should I create it, or is something wrong with my
> setup? Please help me, thanks.

Here are my notes from when I made self-signed certificates for my
set-up. I hope this helps.

Rgds,

Owen Boyle. 


Making self-signed certificates:
++++++++++++++++++++++++++++++++

NB: These certificates contain no pass-phrase so do not need user input
when you start Apache. Also, can be used by any server...

1) Make a random data file and set it up as $RANDFILE

# cd /home/apache/ssl/certs
# PATH=$PATH:/home/apache/bin
# export PATH
# cp /var/cron/olog temp
# gzip temp
# mv temp.gz random_data
# RANDFILE=/home/apache/ssl/certs/random_data
# export RANDFILE

2) Create an RSA private key and certificate for our Certificate Authority

# openssl genrsa -des3 -out ca.key 1024
        password is "CA_PASSWORD"
        Now make the certificate using the private key.
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

3) Now make a Certificate Signing Request for www.kiwi.com

# openssl genrsa -des3 -out kiwi.key 1024
# openssl rsa -in kiwi.key -out banana
# mv banana kiwi.key
# openssl req -new -key kiwi.key -out kiwi.csr

4) And sign it

# ./sign.sh kiwi.csr

Now we have 

ca.crt          Certificate Authority certificate
ca.db.certs     ) CA databases, holding
ca.db.index     ) details of certificates
ca.db.serial    ) issued
ca.key          Certificate Authority private key
random_data     for random routines
sign.sh         script for signing certificates
kiwi.crt        www.kiwi.com certificate (sent with SSL requests)
kiwi.csr        KIWI certificate signing request (not really needed anymore)
kiwi.key        www.kiwi.com private key (decrypts public-key encoded messages)

- summary of commands

# openssl genrsa -des3 -out www.kiwi.com.key 1024
# openssl rsa -in www.kiwi.com.key -out banana
# mv banana www.kiwi.com.key
# openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
# ./sign.sh www.kiwi.com.csr
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
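
On the ca.crl file asked about in the question: the file listing in the notes contains no CRL, because a CRL only exists once the CA generates one from its database with "openssl ca -gencrl". The script below is an added example, not part of Owen's notes or of mod_ssl's sign.sh; it builds a throwaway CA in a scratch directory, revokes one certificate and writes ca.crl. The ca.config contents, the "Demo CA" name and the function names are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: throwaway CA in a scratch directory (constructed names and data).
# File names follow the notes (ca.key, ca.crt, ca.db.*); ca.config is an assumption.
make_crl_demo() (
    mkdir -p "$1/ca.db.certs" && cd "$1" || exit 1
    : > ca.db.index            # empty certificate database
    echo 01 > ca.db.serial     # next serial number to issue
    cat > ca.config <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = ./ca.db.certs
database = ./ca.db.index
serial = ./ca.db.serial
certificate = ./ca.crt
private_key = ./ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOF
    # Unencrypted 2048-bit demo keys so the script runs without prompts.
    openssl req -config ca.config -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt || exit 1
    openssl req -config ca.config -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.kiwi.com" -keyout kiwi.key -out kiwi.csr || exit 1
    openssl ca -batch -notext -config ca.config -in kiwi.csr -out kiwi.crt || exit 1
    # Mark the certificate revoked in ca.db.index, then write the signed list.
    openssl ca -config ca.config -revoke kiwi.crt || exit 1
    openssl ca -config ca.config -gencrl -out ca.crl
)
# True if ca.crl in directory $1 carries a valid signature from ca.crt.
crl_signed_by_ca() {
    openssl crl -in "$1/ca.crl" -CAfile "$1/ca.crt" -noout 2>&1 | grep -q "verify OK"
}
# True if kiwi.crt is rejected as revoked once the CRL is consulted.
cert_is_revoked() {
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
        "$1/kiwi.crt" 2>&1 | grep -q "certificate revoked"
}
```

mod_ssl reads such a file through its SSLCARevocationFile directive when it verifies client certificates. The list carries a next-update time (default_crl_days above), so it has to be regenerated before that and after every revocation.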
