Re: issuing certificate

Mon, 22 Oct 2001 06:51:18 -0700 


"Murali K. Vemuri" wrote:

> when i type make certificate, i get a certificate signed by Snake Oil CA
> etc...
> can someone please tell me how i can change these..?

When starting out, it is easiest to make your own certificates. Later,
you can buy a proper certificate. This is the procedure I use:

Rgds,

Owen Boyle.


Making self signed certificates:
++++++++++++++++++++++++++++++++

NB: These certificates contain no pass-phrase so do not need user input 
when you start apache. Also, can be used by any server...

1) Make a random data file and set it up as $RANDFILE

# cd /usr/local/apache/ssl/certs
# PATH=$PATH:/usr/local/apache/bin
# export PATH
# cp /var/cron/olog temp
# gzip temp
# mv temp.gz random_data
# RANDFILE=/usr/local/apache/ssl/certs/random_data
# export RANDFILE

2) Create a RSA private key and certificate for our Certificate
Authority

# openssl genrsa -des3 -out ca.key 1024
        password is "CA_PASSWORD"
        Now make the certificate using the private key.
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

3) Now make a Certificate Signing Request for www.kiwi.com

# openssl genrsa -des3 -out kiwi.key 1024
# openssl rsa -in kiwi.key -out banana
# mv banana kiwi.key
# openssl req -new -key kiwi.key -out kiwi.csr

4) And sign it

# ./sign.sh kiwi.csr

Now we have 

ca.crt          Certificate Authority certificate
ca.db.certs     ) CA databases, holding
ca.db.index     ) details of certificates
ca.db.serial    ) issued
ca.key          Certificate Authority private key
random_data     for random routines
sign.sh         script for signing certificates
kiwi.crt        www.kiwi.com certificate (sent with SSL requests)
kiwi.csr        KIWI certificate signing request (not really needed anymore)
kiwi.key        www.kiwi.com private key (decrypts public-key encoded messages)

- summary of commands

# openssl genrsa -des3 -out www.kiwi.com.key 1024
# openssl rsa -in www.kiwi.com.key -out banana
# mv banana www.kiwi.com.key
# openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
# ./sign.sh www.kiwi.com.csr
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to