Thanks for the reply, Nicolas MASSE.

I followed your steps one by one:


$ cd /root 
$ chmod 700 . 
$ umask 077 
$ mkdir mypki 
$ cd mypki 
$ mkdir certs 
$ mkdir private 
$ touch index.txt 
$ echo '01' > serial 
$ vi openssl.cnf 
$ export OPENSSL_CONF="openssl.cnf" 
$ openssl req -newkey rsa -x509 -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out cacert.pem 
Generating a 2048 bit RSA private key 
....................................................+++ 
.............................+++ 
writing new private key to './private/cakey.pem' 
Enter PEM pass phrase: 
Verifying - Enter PEM pass phrase: 
----- 

$ export -n OPENSSL_CONF 
$ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out server.req 
Generating a 1024 bit RSA private key 
.......................................++++++ 
.............................++++++ 
writing new private key to 'server.key' 
----- 

$ export OPENSSL_CONF="openssl.cnf" 
$ openssl ca -in server.req -out server.crt 
Using configuration from openssl.cnf 
Enter pass phrase for ./private/cakey.pem: 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName           :PRINTABLE:'VN' 
organizationName      :PRINTABLE:'TEST' 
organizationalUnitName:PRINTABLE:'COM' 
commonName            :PRINTABLE:'TEST.COM' 
Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 

$ cat server.key 
$ cat server.crt 

------------AND THIS IS THE mypki/openssl.cnf FILE----------------------


[ ca ] 
default_ca              = mypki 

[ mypki ] 
dir                     = . 
certificate             = $dir/cacert.pem 
database                = $dir/index.txt 
new_certs_dir           = $dir/certs 
private_key             = $dir/private/cakey.pem 
serial                  = $dir/serial 

x509_extensions         = mypki_ext 
default_md              = md5 
default_days            = 365 
policy                  = mypki_policy 

[ mypki_policy ] 

[ mypki_ext ] 
basicConstraints        = CA:false 

[ req ] 
default_bits            = 2048 
default_keyfile         = ./private/cakey.pem 

prompt                  = no 
distinguished_name      = root-ca_DN 
x509_extensions         = root-ca_ext 

[ root-ca_DN ] 
commonName              = TEST.COM
organizationalUnitName  = TEST
organizationName        = COM
countryName             = VN

[ root-ca_ext ] 
basicConstraints        = CA:true 



Then I copied server.key and server.crt (from the mypki folder) to
/usr/local/apache/mykey and also configured httpd.conf: 

--------------------------------------------------------------
servername 10.0.1.10
port 80
Listen 80 
Listen 443 


<VirtualHost 10.0.1.10:443> 

SSLEnable 
SSLEngine on 
ServerName 10.0.1.10
ServerAdmin [EMAIL PROTECTED] 
ErrorLog /var/log/httpd/error_log 

SSLCertificateFile /usr/local/apache/mykey/server.crt 
SSLCertificateKeyFile  /usr/local/apache/mykey/server.key 
</VirtualHost> 
-------------------------------------------------------------

Then I started Apache with: 

#....../bin/apachectl  startssl 
.....ok...... 

#.../etc/openca_rc start 
............ok............

[EMAIL PROTECTED] mypki]# openssl s_client  -connect 10.0.1.10:443
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/CN=TEST.COM/OU=COM/O=TEST/C=VN
---
Server certificate
subject=
issuer=/CN=TEST.COM/OU=COM/O=TEST/C=VN
---
No client certificate CA names sent
---
SSL handshake has read 1145 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
99B3C34CE19EAFE1F40DB2710BB6AE082D57156F6395564D42BB8D7020BD2012
    Session-ID-ctx:
    Master-Key:
763DB42C831A1C52CC7F7A67446E8603F02E6FB1E2C9751A3D3364EE6A2255B8F36236FF52B7E3D8EA70F854E20EF7C4
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1154164306
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
-----------------------------------------------------------------------
Then I visited https://10.0.1.10/ or https://TEST.COM/; it showed a
"Security Alert" window with  
(!) "the name on the security certificates is invalid or does not match the
name of the site"
I chose "Yes" and it showed this:
 "Forbidden: You don't have permission to access / on this server.

Apache/1.3.36 Server at TEST.COM Port 443""

-----------------------------------------
I can't find where the problem is.
Can you help me fix it?
Thanks a lot.


-- 
View this message in context: 
http://www.nabble.com/How-to-run-apache-ssl-for-openca--tf2002737.html#a5552741
Sent from the openca-users forum at Nabble.com.
