Thanks for your help! It looks like I was on the right track before, with the exception of my httpd.conf file. A problem and a question...
The problem is that when I go to sign the csr, I get the following:

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: netmusician.crt <-> CA cert
    netmusician.crt: /C=US/ST=IN/L=Bloomington/O=Netmusician/CN=Netmusician/Email=joe@netmusician.org
    error 18 at 0 depth lookup:self signed certificate
    /C=US/ST=IN/L=Bloomington/O=Netmusician/CN=Netmusician/Email=joe@netmusician.org
    error 7 at 0 depth lookup:certificate signature failure

I call upon the sign.sh script while in the path I was in as I went through the steps you included in your email (I can't get far otherwise).

The question... once I've gotten netmusician.key and netmusician.crt after running the signing script, what do I do with these files? Where do they go?

Thanks very much for your help! It's immensely appreciated!!

> I think a few misunderstandings may have crept in...
>
> I assume you just want a certificate for your SSL site so that clients
> can establish a secure connection - if so, you don't need the
> SSLCACertificatePath or SSLCACertificateFile directives. They are for
> when you want to authenticate *clients'* certificates (i.e. if the
> client needs a certificate to get into your site). All you need for a
> public SSL site are SSLCertificateFile and SSLCertificateKeyFile.
>
> You still need to make a CA certificate but this is for your private use
> to sign site certificates that you make - it never needs to be seen by
> the web-server. In summary, the tasks are:
>
> - Make a CA certificate (ca.crt)
> - make a site key (.key)
> - make a site certificate signing request (.csr), using the .key
> - sign the .csr to make a .crt
>
> These are the notes I use whenever I need to do this:
>
> 1) Create a RSA private key and certificate for our Certificate
>    Authority
>
>    # openssl genrsa -des3 -out ca.key 1024
>    password is "CA_PASSWORD"
>
>    Now make the certificate using the private key.
>    # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> 2) Now make a Certificate Signing Request for www.kiwi.com
>
>    # openssl genrsa -des3 -out kiwi.key 1024
>
>    This makes the key but it is password protected, which means you have
>    to type in a password to start the server. To avoid this, remove the PW
>    by writing out the key to a file and overwriting it.
>
>    # openssl rsa -in kiwi.key -out temp
>    # mv temp kiwi.key
>
>    Finally, make a CSR from the KEY.
>
>    # openssl req -new -key kiwi.key -out kiwi.csr
>
> 4) And sign it
>
>    # ./sign.sh kiwi.csr
>
> Now we have
>
>    ca.crt          Certificate Authority certificate
>    ca.db.certs  )  CA databases, holding
>    ca.db.index  )  details of certificates
>    ca.db.serial )  issued
>    ca.key          Certificate Authority private key
>    sign.sh         script for signing certificates
>    kiwi.crt        www.kiwi.com certificate (sent with SSL requests)
>    kiwi.csr        KIWI certificate signing request (not really needed anymore)
>    kiwi.key        www.kiwi.com private key (decrypts public-key encoded
>                    messages)
>
> - summary of commands
>
>    # openssl genrsa -des3 -out www.kiwi.com.key 1024
>    # openssl rsa -in www.kiwi.com.key -out temp
>    # mv temp www.kiwi.com.key
>    # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
>    # ./sign.sh www.kiwi.com.csr
>
> Rgds,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                            [EMAIL PROTECTED]
> Automated List Manager                               [EMAIL PROTECTED]
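Added example, not code from this thread or from the mod_ssl distribution: the CA / site key / CSR / sign sequence from the quoted notes as a non-interactive POSIX shell script, followed by the two checks worth running before the files are installed: that the signed certificate verifies against ca.crt, and that site.key and site.crt carry the same RSA modulus. It assumes a modern openssl CLI (1.1.1 or 3.x); the passphrase is omitted when the keys are generated rather than stripped afterwards; mod_ssl's sign.sh is stood in for by `openssl x509 -req -CA ...` driven by a throw-away config file written by the script; the subjects, the hostname www.kiwi.com, the work directory and the file names are made up. The last function prints the httpd.conf directives that consume the two files, which is where they go; ca.crt does not appear in them.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_ssl. Assumes a
# modern openssl CLI (1.1.1+/3.x). Hostnames, subjects, paths and the
# config file are made up; sign.sh is replaced by "openssl x509 -req".
set -eu

# Write the minimal openssl config the example needs, so the result does
# not depend on the system openssl.cnf: a CA section (CA:TRUE) and a
# server section (CA:FALSE plus a subjectAltName for host $2).
write_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# Build ca.key/ca.crt and site.key/site.csr/site.crt in directory $1 for
# host $2 (runs in a subshell so the cd does not leak). Exit status is 0
# only when site.crt chains to ca.crt and site.key matches site.crt.
make_site_cert() (
    dir=$1
    site=$2
    mkdir -p "$dir"
    cd "$dir"
    write_config openssl.cnf "$site"

    # 1) CA private key and self-signed CA certificate. Kept private;
    #    httpd never references it for a plain server-auth site.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -config openssl.cnf -extensions ca_ext \
        -subj "/C=US/ST=IN/L=Bloomington/O=Example/CN=Example Private CA"

    # 2) Site key without a passphrase (so httpd can start unattended)
    #    and a CSR made from it.
    openssl genrsa -out site.key 2048 2>/dev/null
    openssl req -new -key site.key -out site.csr -config openssl.cnf \
        -subj "/C=US/ST=IN/L=Bloomington/O=Example/CN=$site"

    # 3) Sign the CSR with the CA key (stands in for ./sign.sh site.csr).
    openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -extfile openssl.cnf \
        -extensions server_ext -out site.crt 2>/dev/null

    # Check 1: the issued certificate must chain to the CA certificate.
    # Check 2: key and certificate must share one RSA modulus.
    openssl verify -CAfile ca.crt site.crt >/dev/null \
        && [ "$(openssl rsa -noout -modulus -in site.key)" = \
             "$(openssl x509 -noout -modulus -in site.crt)" ]
)

# Verify certificate $2 against CA file $1. Returns openssl's exit
# status: 0 only when the certificate chains to that CA.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the httpd.conf lines that consume the two files. No CA directive
# appears: SSLCACertificateFile is only for authenticating client certs.
apache_directives() {
    printf 'SSLEngine on\nSSLCertificateFile %s/site.crt\nSSLCertificateKeyFile %s/site.key\n' "$1" "$1"
}

# Stand-alone run ("sh ca-demo.sh run"): build everything in a scratch
# directory, then show where the files go.
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    make_site_cert "$work" www.kiwi.com
    apache_directives "$work"
fi
```

Running it with the `run` argument leaves ca.key, ca.crt, site.key and site.crt in a fresh temporary directory and prints the three directives; `openssl verify -CAfile ca.crt site.crt` printing `site.crt: OK` is the signal that the signing step produced a certificate the CA actually issued, and verifying the same certificate against an unrelated CA file fails.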
