Okay, it seems that after restarting apache without the CACertificate directives in there that sign.sh script now works without yielding the error I copied into my last email...
I've got myself a netmusician.crt file... what do I do with it now to replace the dummy SnakeOil stuff? (I hope that you guys don't object to the CC) Looks like I'm almost there, at any rate.... cool.

> I think a few misunderstandings may have crept in...
>
> I assume you just want a certificate for your SSL site so that clients
> can establish a secure connection - if so, you don't need the
> SSLCACertificatePath or SSLCACertificateFile directives. They are for
> when you want to authenticate *clients'* certificates (i.e. if the
> client needs a certificate to get into your site). All you need for a
> public SSL site are SSLCertificateFile and SSLCertificateKeyFile.
>
> You still need to make a CA certificate but this is for your private use
> to sign site certificates that you make - it never needs to be seen by
> the web-server. In summary, the tasks are:
>
> - Make a CA certificate (ca.crt)
> - make a site key (.key)
> - make a site certificate signing request (.csr), using the .key
> - sign the .csr to make a .crt
>
> These are the notes I use whenever I need to do this:
>
> 1) Create an RSA private key and certificate for our Certificate
> Authority
>
> # openssl genrsa -des3 -out ca.key 1024
> password is "CA_PASSWORD"
> Now make the certificate using the private key.
>
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> 2) Now make a Certificate Signing Request for www.kiwi.com
>
> # openssl genrsa -des3 -out kiwi.key 1024
>
> This makes the key but it is password protected, which means you have
> to type in a password to start the server. To avoid this, remove the PW
> by writing out the key to a file and overwriting it.
>
> # openssl rsa -in kiwi.key -out temp
> # mv temp kiwi.key
>
> Finally, make a CSR from the KEY.
>
> # openssl req -new -key kiwi.key -out kiwi.csr
>
> 4) And sign it
>
> # ./sign.sh kiwi.csr
>
> Now we have
>
> ca.crt        Certificate Authority certificate
> ca.db.certs ) CA databases, holding
> ca.db.index ) details of certificates
> ca.db.serial ) issued
> ca.key        Certificate Authority private key
> sign.sh       script for signing certificates
> kiwi.crt      www.kiwi.com certificate (sent with SSL requests)
> kiwi.csr      KIWI certificate signing request (not really needed anymore)
> kiwi.key      www.kiwi.com private key (decrypts public-key encoded
>               messages)
>
> - summary of commands
>
> # openssl genrsa -des3 -out www.kiwi.com.key 1024
> # openssl rsa -in www.kiwi.com.key -out temp
> # mv temp www.kiwi.com.key
> # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
> # ./sign.sh www.kiwi.com.csr
>
> Rgds,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                           [EMAIL PROTECTED]
> Automated List Manager                              [EMAIL PROTECTED]
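The four steps from Owen's notes (CA certificate, site key, CSR, signed site certificate), as an added shell example that is not from this thread or from mod_ssl's own sign.sh: it runs the steps non-interactively, signs with `openssl x509 -req` in place of sign.sh, and then checks the things SSLCertificateFile and SSLCertificateKeyFile need before httpd is pointed at the files. The hostname, passphrases and working directory are placeholders.

```shell
#!/bin/sh
# Constructed example, not the mod_ssl sign.sh script: the four steps from
# the reply (CA cert, site key, CSR, signed site cert) run non-interactively,
# followed by the checks worth doing before editing httpd.conf.
# Assumptions: an openssl binary on PATH; CN and passphrases are placeholders.
set -eu

CA_PASS='CA_PASSWORD'            # placeholder, as in the reply
SITE_CN='www.example.test'       # placeholder hostname for the site certificate
WORKDIR="${1:-$(mktemp -d)}"     # optional first argument: where to put the files
mkdir -p "$WORKDIR" && cd "$WORKDIR"

make_site_cert() {
    # 1) passphrase-protected CA key and a self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
        -subj '/CN=Example Private CA' -out ca.crt
    # 2) site key: created encrypted, then rewritten without the passphrase so
    #    httpd can start unattended (the "write to temp, mv back" trick above)
    openssl genrsa -aes256 -passout pass:temp -out site.key 2048 2>/dev/null
    openssl rsa -in site.key -passin pass:temp -out temp 2>/dev/null && mv temp site.key
    chmod 600 site.key             # a passphrase-less key must be unreadable to others
    # 3) certificate signing request made from the site key
    openssl req -new -key site.key -subj "/CN=$SITE_CN" -out site.csr
    # 4) sign the CSR with the CA (what ./sign.sh does, here via openssl x509 -req)
    openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -passin "pass:$CA_PASS" \
        -CAcreateserial -days 365 -out site.crt 2>/dev/null
}

# Returns 0 only if site.crt/site.key are what SSLCertificateFile and
# SSLCertificateKeyFile expect: chained to ca.crt, matching, and unencrypted.
verify_site_cert() {
    openssl verify -CAfile ca.crt site.crt >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in site.crt)
    key_pub=$(openssl rsa -in site.key -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || return 1      # cert was issued for this key
    ! grep -q ENCRYPTED site.key || return 1      # no passphrase prompt at startup
    openssl x509 -noout -subject -in site.crt | grep -q "CN *= *$SITE_CN"
}

make_site_cert
if verify_site_cert; then
    echo "site.crt verified against ca.crt in $WORKDIR"
else
    echo "verification of site.crt/site.key FAILED" >&2; exit 1
fi
```

The resulting ca.crt never goes into httpd.conf; only site.crt and site.key do, and ca.key stays passphrase-protected and offline.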
