Juan Carlos Albores Aguilar wrote:
> > kiwi.crt www.kiwi.com certificate (sent with SSL requests)
>
> This was taken from your mail, and I don't understand what you mean by
> "sent with SSL requests". At that point, you have kiwi's certificate created
> by your CA. How do you send it back to kiwi's server, and how did kiwi send
> you its CSR? The process of sending is what I don't know how to do. Please
> help me.

I did all of this stuff on the server (i.e. I am self-signing my own
certificates). So ca.crt is on the server and all the openssl calls are
executed on the same server. The files "kiwi.crt" and "kiwi.key" should
be copied to the Apache conf directory, e.g.

    /home/apache/conf/ssl.crt/kiwi.crt
    /home/apache/conf/ssl.key/kiwi.key

(N.B. These directories should have been created when you installed
mod_ssl. Note also that the ssl.crt directory contains a makefile which
will make symbolic links to the certificate files - don't ask me why
this is necessary).

These files should be declared in your SSL VirtualHost with:

    SSLCertificateFile /home/apache/conf/ssl.crt/kiwi.crt
    SSLCertificateKeyFile /home/apache/conf/ssl.key/kiwi.key

Now when a request comes in, Apache sends kiwi.crt, which contains the
site's public key. The browser uses the public key to encrypt a
session-key which it sends back to the server. The server then decrypts
the session-key using its own private key (kiwi.key). Now both sides
have the same session-key and so all subsequent traffic can be
encrypted.

> Regarding my original question, I don't have a CRL in my CA installation.
> Can I just create a file and name it ca.crl, or did something go wrong in
> my setup? And finally, how can I revoke a certificate? Please help
> me.

You've got me there. I guess you're talking about certificate revocation
lists? I don't know anything about that since we don't use all the
features of SSL and don't revoke certificates.

Why not try to get the basic SSL setup working before tackling the more
complicated aspects?

Rgds,
Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
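
Added example (not part of the message above, nor mod_ssl's own tooling): a shell check, run on the server, that the kiwi.crt and kiwi.key files named in the SSLCertificateFile and SSLCertificateKeyFile directives belong together and that the key is readable only by its owner. It assumes an unencrypted private key and an OpenSSL that has the pkey command; the function names and the script name check_ssl_pair.sh are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate/key pair that Apache
# loads via SSLCertificateFile and SSLCertificateKeyFile.
# Assumption: the private key is unencrypted (no passphrase prompt).

# Print the public key embedded in a certificate (PEM).
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Derive the public key from a private key file (PEM).
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_pair CERT KEY
# Returns 0 if certificate and key match, 1 on mismatch,
# 2 if either file could not be read or parsed.
check_pair() {
    cert_pub=$(pub_from_cert "$1") || return 2
    key_pub=$(pub_from_key "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY
# True only if group and others have no permissions on the key file.
# -L follows symbolic links, such as those made in the ssl.crt directory.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Usage (hypothetical script name):
#   sh check_ssl_pair.sh /home/apache/conf/ssl.crt/kiwi.crt \
#                        /home/apache/conf/ssl.key/kiwi.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    case $? in
        0) echo "OK: certificate and key match" ;;
        1) echo "FAIL: key does not belong to this certificate"; exit 1 ;;
        *) echo "FAIL: could not read certificate or key"; exit 2 ;;
    esac
    key_is_private "$2" || { echo "WARN: key readable by group/others"; exit 1; }
fi
```

A mismatch here is the usual reason Apache refuses to start after a certificate is replaced, and a key file readable by other local users exposes the private key that decrypts the session-key.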