Joe Auty wrote:
> 
> Hi,
> 
> I've been working many many hours on this problem, so I'd be EXTREMELY
> grateful if somebody can help me here with my handicap of limited
> knowledge on this subject...
> 
> I've created the certificate for my site, and it works fine.. the
> problem is it is still signed by Snake Oil...
> 
> I have gone through and created a CA for myself with instructions I
> found on the net, but I'm not sure what filetype this process creates
> which is relevant (I'm assuming .crt), if it has to be in a particular
> path, and what stuff to put into my httpd.conf file... My current
> attempt has been the following:
> 
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCACertificatePath /etc/httpd/conf/ssl.crt/
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/myservername.crt

I think a few misunderstandings may have crept in...

I assume you just want a certificate for your SSL site so that clients
can establish a secure connection - if so, you don't need the
SSLCACertificatePath or SSLCACertificateFile directives. They are for
when you want to authenticate *client's* certificates (i.e. if the
client needs a certificate to get into your site). All you need for a
public SSL site are SSLCertificateFile and SSLCertificateKeyFile.

You still need to make a CA certificate but this is for your private use
to sign site certificates that you make - it never needs to be seen by
the web-server. In summary, the tasks are:

- Make a CA certificate (ca.crt)
- make a site key (.key)
- make a site certificate signing request (.csr), using the .key
- sign the .csr to make a .crt

These are the notes I use whenever I need to do this:

1) Create a RSA private key and certificate for our Certificate
Authority

# openssl genrsa -des3 -out ca.key 1024
        password is "CA_PASSWORD"
        Now make the certificate using the private key.

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2) Now make a Certificate Signing Request for www.kiwi.com

# openssl genrsa -des3 -out kiwi.key 1024

        This makes the key but it is password protected, which means you have
        to type in a password to start the server. To avoid this, remove the PW
        by writing out the key to a file and overwriting it.

# openssl rsa -in kiwi.key -out temp
# mv temp kiwi.key

        Finally, make a CSR from the KEY.

# openssl req -new -key kiwi.key -out kiwi.csr

3) And sign it

# ./sign.sh kiwi.csr

Now we have 

ca.crt          Certificate Authority certificate
ca.db.certs     ) CA databases, holding
ca.db.index     ) details of certificates
ca.db.serial    ) issued
ca.key          Certificate Authority private key
sign.sh         script for signing certificates
kiwi.crt        www.kiwi.com certificate (sent with SSL requests)
kiwi.csr        KIWI certificate signing request (not really needed anymore)
kiwi.key        www.kiwi.com private key (decrypts public-key encoded messages)

- summary of commands

# openssl genrsa -des3 -out www.kiwi.com.key 1024
# openssl rsa -in www.kiwi.com.key -out temp
# mv temp www.kiwi.com.key
# openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
# ./sign.sh www.kiwi.com.csr

Rgds,

Owen Boyle.
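The CA -> site key -> CSR -> signed certificate procedure from the reply above, as an added shell script that is not part of Owen Boyle's message or of mod_ssl. It runs the openssl steps non-interactively and then checks the result before it goes anywhere near httpd.conf: the site certificate must chain to ca.crt, the issuer must be our CA, the key and certificate must be a matching pair, and the site key must carry no passphrase. It goes beyond the message in three places: the mod_ssl sign.sh script is replaced with an equivalent `openssl x509 -req` signing step, keys are 2048 bits because current OpenSSL security levels refuse 1024-bit chains, and a subjectAltName is added because modern clients ignore the CN. The work directory, the CA name and the passphrase are constructed values; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the message above: scripts the CA -> key -> CSR -> signed
# cert procedure non-interactively and then checks the result before it goes near
# httpd.conf. Assumes openssl on PATH. Work dir, CA name and passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # hypothetical scratch directory
CA_PASS="CA_PASSWORD"             # constructed; the message's placeholder passphrase
CA_NAME="Kiwi Private CA"         # constructed CA subject
SITE="www.kiwi.com"               # hostname used in the message
mkdir -p "$WORK"

# Step 1: CA private key (passphrase-protected, like the -des3 key in the message)
# and self-signed CA certificate. 2048 bits rather than 1024: current OpenSSL
# security levels refuse to verify chains built on 1024-bit RSA.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$CA_NAME" -out "$WORK/ca.crt"
}

# Step 2: site key and CSR. Generating the key without -des3 gives the same
# result as the message's genrsa -des3 followed by "openssl rsa" to strip the
# passphrase, so httpd can start unattended.
make_site_key_and_csr() {
    openssl genrsa -out "$WORK/kiwi.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/kiwi.key" -subj "/CN=$SITE" -out "$WORK/kiwi.csr"
}

# Step 3: sign the CSR with our CA. This stands in for the mod_ssl sign.sh script.
# The subjectAltName extension is added because modern clients ignore the CN and
# match the hostname against the SAN only.
sign_site_csr() {
    printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/kiwi.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/san.ext" -out "$WORK/kiwi.crt" 2>/dev/null
}

# Check 1: the site certificate chains to ca.crt (so it is no longer Snake Oil).
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/kiwi.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Check 2: the issuer named in kiwi.crt is our CA.
issuer_is_our_ca() {
    openssl x509 -in "$WORK/kiwi.crt" -noout -issuer | grep -q "$CA_NAME"
}

# Check 3: SSLCertificateFile and SSLCertificateKeyFile must be a matching pair;
# compare the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/kiwi.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/kiwi.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Check 4: the site key carries no passphrase, otherwise httpd prompts at startup.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$WORK/kiwi.key"
}

run_all() {
    make_ca
    make_site_key_and_csr
    sign_site_csr
}

run_all
echo "chain: $(verify_chain)"
issuer_is_our_ca && echo "issuer: $CA_NAME"
key_matches_cert && echo "key/cert pair: match"
key_is_unencrypted && echo "site key: unencrypted"
echo "files in $WORK; point SSLCertificateFile at kiwi.crt and SSLCertificateKeyFile at kiwi.key"
```

Only kiwi.crt and kiwi.key are referenced from httpd.conf; ca.key stays offline and ca.crt is what you import into browsers so they stop warning about an unknown issuer. The `openssl verify` step is the same check a client performs, so if it prints FAIL the server configuration is not worth debugging yet.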
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]