[EMAIL PROTECTED] wrote:
>
> Hello modssl users!
>
> I managed to set up an ssl aware web server.
> Although I searched the web and also the list
> archive I haven't been able to create a client
> certificate which is signed by my own CA for
> client authentication.
>
> Could someone describe the process of creating
> such a certificate in detail?
I assume you are working as root with bourne-shell and with the openssl
bin directory in your path. Also, many of the commands below have many
options; check the docs and change to suit.
Proceed as follows (assume you are working as root with bourne-shell):
STAGE 1: Prepare your CA
------------------------
- First you need a source of random data (skip this if you have
/dev/urandom or something):
# cp /var/cron/olog temp
# gzip temp
# mv temp.gz random_data
# RANDFILE=/home/apached/ssl/certs/random_data
# export RANDFILE
- Create a RSA private key (ca.key) for your Certificate Authority and
choose a password for your CA (e.g. "CA_PASSWORD").
# openssl genrsa -des3 -out ca.key 1024
- Now make the certificate (ca.crt) using the private key.
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
It is here you define the details of the certificate authority, e.g.
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Inc.
Organizational Unit Name (eg, section) []:ACME Internet (Unofficial CA)
Common Name (eg, YOUR name) []:www.acme.com
Email Address []:[EMAIL PROTECTED]
STAGE 2: MAKE A CERT FOR YOUR SITE
----------------------------------
- Make a private key for www.banana.com
# openssl genrsa -des3 -out banana.key 1024
- You will be prompted for a password. If you later use the certificate,
the server will not start until you enter the password. If you want to
avoid having a password, you have to write out the key and save it
again.
# openssl rsa -in banana.key -out temp_key
# mv temp_key banana.key
- Now banana.key is unencrypted. Next, make a certificate signing
request:
# openssl req -new -key banana.key -out banana.csr
It is here you define the details of the website, e.g.
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Banana Inc.
Organizational Unit Name (eg, section) []:Banana Internet
Common Name (eg, YOUR name) []:www.banana.com
Email Address []:[EMAIL PROTECTED]
- Finally, sign the CSR using the CA certificate:
# ./sign.sh banana.csr
- You need to enter the CA password to sign it.
You finish up with banana.crt and banana.key which you move to the
server and refer to with SSLCertificateFile and SSLCertificateKeyFile.
You can remove banana.csr.
Rgds,
Owen Boyle.
PS: Regarding removing the passphrase on the certificate - it is up to
you whether to do this or not. If you want certificates that no-one can
steal but don't mind typing in a password every time you start the
server, leave it on. If you prefer to have an automated server start but
are willing to risk certificate theft, remove it.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
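The procedure above, carried through to the client certificate the original question asked about, as an added example that is not part of Owen Boyle's reply and is not mod_ssl's sign.sh. It assumes only that the openssl command-line tool (1.1.1 or later) is on PATH; every password, file name and subject field is a constructed placeholder. It differs from the interactive commands in the post in three ways: prompts are replaced by -subj and -passin/-passout so the whole thing can be scripted, the CA certificate is self-signed through "openssl x509 -req -signkey" with an explicit extension file so that it carries basicConstraints CA:TRUE whatever openssl.cnf says, and each signed certificate is given an extendedKeyUsage (serverAuth for the site, clientAuth for the user) so that "openssl verify -purpose" can prove which certificate is good for what. The verify_cert function is the check to run before installing anything on the server.

```shell
#!/bin/sh
# Added example, not from Owen Boyle's post or from mod_ssl: CA -> server cert ->
# client cert as non-interactive openssl commands. Assumes the openssl CLI
# (1.1.1 or later) is on PATH. All passwords, names and subjects are placeholders.

make_ca() {
    # $1 = working directory. Passphrase-protected CA key (the post's
    # "genrsa -des3" with a prompt; -aes256 and -passout make it scriptable).
    openssl genrsa -aes256 -passout pass:CA_PASSWORD -out "$1/ca.key" 2048 2>/dev/null
    # CSR for the CA itself, then self-sign it with an explicit extension list
    # so the result is a real CA certificate regardless of openssl.cnf defaults.
    openssl req -new -key "$1/ca.key" -passin pass:CA_PASSWORD \
        -subj "/C=UK/L=London/O=ACME Inc./OU=ACME Internet (Unofficial CA)/CN=ACME Test CA" \
        -out "$1/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$1/ca.ext"
    openssl x509 -req -days 365 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -passin pass:CA_PASSWORD -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {
    # $1 = dir, $2 = base name, $3 = subject. The key is written unencrypted,
    # which is what the post's "openssl rsa -in banana.key -out temp_key" achieves.
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

sign_csr() {
    # $1 = dir, $2 = base name, $3 = extra extension lines. Same job as
    # mod_ssl's sign.sh: sign the CSR with the CA key. The extensions record
    # what the certificate may be used for.
    printf 'basicConstraints=CA:FALSE\n%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -passin pass:CA_PASSWORD -CAcreateserial -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

build_pki() {
    # $1 = working directory. Builds the CA, the site certificate and one
    # client certificate signed by the same CA.
    mkdir -p "$1"
    make_ca "$1"
    # Site certificate for www.banana.com; modern browsers want the name in a SAN.
    make_csr "$1" banana "/C=UK/L=London/O=Banana Inc./CN=www.banana.com"
    srv_ext='extendedKeyUsage=serverAuth
subjectAltName=DNS:www.banana.com'
    sign_csr "$1" banana "$srv_ext"
    # Client certificate for a user (constructed name); EKU limits it to clientAuth.
    make_csr "$1" alice "/C=UK/O=Banana Inc./CN=Alice Example"
    sign_csr "$1" alice 'extendedKeyUsage=clientAuth'
    # Key + cert + CA bundled as PKCS#12, the form browsers import.
    openssl pkcs12 -export -in "$1/alice.crt" -inkey "$1/alice.key" \
        -certfile "$1/ca.crt" -passout pass:EXPORT_PASSWORD -out "$1/alice.p12"
}

verify_cert() {
    # $1 = dir, $2 = base name, $3 = purpose (sslserver or sslclient).
    # Exit status 0 only if the cert chains to ca.crt AND its extensions allow $3.
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone use: sh mkpki.sh /tmp/pki
if [ -n "${1:-}" ]; then
    build_pki "$1"
    verify_cert "$1" banana sslserver && echo "banana.crt: OK as server cert"
    verify_cert "$1" alice sslclient && echo "alice.crt: OK as client cert"
    openssl x509 -in "$1/alice.crt" -noout -subject -ext extendedKeyUsage
fi
```

banana.crt and banana.key go into SSLCertificateFile and SSLCertificateKeyFile as the post says; for client authentication the server additionally needs ca.crt in SSLCACertificateFile together with SSLVerifyClient, and the user imports alice.p12 into the browser. The ca.key stays off the web server entirely: only the CA certificate is needed there.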