Thanks for the reply, Nicolas MASSE.
I followed your steps one by one:
$ cd /root
$ chmod 700 .
$ umask 077
$ mkdir mypki
$ cd mypki
$ mkdir certs
$ mkdir private
$ touch index.txt
$ echo '01' > serial
$ vi openssl.cnf
$ export OPENSSL_CONF="openssl.cnf"
$ openssl req -newkey rsa -x509 -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out cacert.pem
Generating a 2048 bit RSA private key
....................................................+++
.............................+++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ export -n OPENSSL_CONF
$ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out server.req
Generating a 1024 bit RSA private key
.......................................++++++
.............................++++++
writing new private key to 'server.key'
-----
$ export OPENSSL_CONF="openssl.cnf"
$ openssl ca -in server.req -out server.crt
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'VN'
organizationName :PRINTABLE:'TEST'
organizationalUnitName:PRINTABLE:'COM'
commonName :PRINTABLE:'TEST.COM'
Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ cat server.key
$ cat server.crt
------------AND THIS IS THE mypki/openssl.cnf FILE----------------------
[ ca ]
default_ca = mypki
[ mypki ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
x509_extensions = mypki_ext
default_md = md5
default_days = 365
policy = mypki_policy
[ mypki_policy ]
[ mypki_ext ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
prompt = no
distinguished_name = root-ca_DN
x509_extensions = root-ca_ext
[ root-ca_DN ]
commonName = TEST.COM
organizationalUnitName = TEST
organizationName = COM
countryName = VN
[ root-ca_ext ]
basicConstraints = CA:true
Then I copied server.key and server.crt (from the mypki folder) to
/usr/local/apache/mykey and also configured httpd.conf:
--------------------------------------------------------------
servername 10.0.1.10
port 80
Listen 80
Listen 443
<VirtualHost 10.0.1.10:443>
SSLEnable
SSLEngine on
ServerName 10.0.1.10
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
SSLCertificateFile /usr/local/apache/mykey/server.crt
SSLCertificateKeyFile /usr/local/apache/mykey/server.key
</VirtualHost>
-------------------------------------------------------------
Then I started Apache with:
#....../bin/apachectl startssl
.....ok......
#.../etc/openca_rc start
............ok............
[EMAIL PROTECTED] mypki]# openssl s_client -connect 10.0.1.10:80
CONNECTED(00000003)
5456:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:494:
[EMAIL PROTECTED] mypki]# openssl s_client -connect 10.0.1.10:443
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:
i:/CN=TEST.COM/OU=COM/O=TEST/C=VN
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=
issuer=/CN=TEST.COM/OU=COM/O=TEST/C=VN
---
No client certificate CA names sent
---
SSL handshake has read 1145 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
99B3C34CE19EAFE1F40DB2710BB6AE082D57156F6395564D42BB8D7020BD2012
Session-ID-ctx:
Master-Key:
763DB42C831A1C52CC7F7A67446E8603F02E6FB1E2C9751A3D3364EE6A2255B8F36236FF52B7E3D8EA70F854E20EF7C4
Key-Arg : None
Krb5 Principal: None
Start Time: 1154164306
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
-----------------------------------------------------------------------
Then I visited https://10.0.1.10/ or https://TEST.COM/ and it showed a
"Security Alert" window with:
(!) "The name on the security certificate is invalid or does not match the
name of the site"
I chose "Yes" and it showed this:
"Forbidden: You don't have permission to access / on this server.
Apache/1.3.36 Server at TEST.COM Port 443"
-----------------------------------------
I can't find where the problem is.
Can you help me fix it?
Thanks a lot.
--
View this message in context:
http://www.nabble.com/How-to-run-apache-ssl-for-openca--tf2002737.html#a5571595
Sent from the openca-users forum at Nabble.com.
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
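Two things in the posted output are explained by the posted openssl.cnf. The empty [mypki_policy] section is why the issued certificate has an empty subject ("0 s:" and "subject=" in the s_client output): openssl ca copies into the certificate only the DN fields that the policy section names, so an empty policy keeps none of them. The browser's name warning follows from that and from the certificate carrying no subjectAltName, so neither 10.0.1.10 nor TEST.COM can match it. The "unknown protocol" error on port 80 is expected, since port 80 serves plain HTTP. The script below is an added example, not code from the original post or from OpenCA: it writes a CA config with a real policy section, a subjectAltName covering both names the post connects to and sha256 instead of md5, then issues a server certificate and verifies it the way a client would. The host names www.test.com and 10.0.1.10, the directory layout and the passphrase are assumptions. The Apache "Forbidden" response is a separate access-control matter that this example does not touch.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenCA: a CA config
# whose policy section keeps the subject, a server extension section with a
# subjectAltName, and the issue-and-verify steps around it.
# Assumptions (hypothetical, not from the post): the openssl CLI is in PATH,
# the working directory is writable, and the server is reached as
# www.test.com or 10.0.1.10.
set -eu

# Demo passphrase for the CA key; a real CA key is unlocked interactively
# or lives in an HSM, never in a script.
CA_PASS=${CA_PASS:-demo-only-passphrase}

# Write the CA config. [mypki_policy] lists which CSR fields are copied
# into the certificate; an empty policy section, as in the post, copies
# none of them and "openssl ca" issues a certificate with an empty subject.
write_ca_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = mypki

[ mypki ]
dir             = $dir
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/certs
default_md      = sha256
default_days    = 365
policy          = mypki_policy
x509_extensions = server_ext
copy_extensions = none

[ mypki_policy ]
countryName            = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = root_ca_dn
x509_extensions    = root_ca_ext

[ root_ca_dn ]
C  = VN
O  = TEST
OU = COM
CN = TEST.COM Root CA

[ root_ca_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.test.com, IP:10.0.1.10
EOF
}

# Create the CA layout, the self-signed root, a server key/CSR and the
# signed server certificate, all under the directory given as $1.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    write_ca_config "$dir"
    # Self-signed root; the key is written encrypted under CA_PASS.
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
        -newkey rsa:2048 -keyout "$dir/private/cakey.pem" \
        -passout "pass:$CA_PASS" -out "$dir/cacert.pem"
    # Server key and CSR. C and O must equal the CA's (policy "match").
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" \
        -subj '/C=VN/O=TEST/OU=COM/CN=www.test.com' -out "$dir/server.req"
    # Sign. -batch answers the y/n prompts; the extensions come from
    # [server_ext] in the CA config, not from whatever the requester sent.
    openssl ca -config "$dir/openssl.cnf" -batch -passin "pass:$CA_PASS" \
        -in "$dir/server.req" -out "$dir/server.crt"
}

# Subject of the issued certificate in RFC 2253 form (what s_client prints
# after "s:"; with the empty policy this came back blank).
issued_subject() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Chain check against the CA plus a check that the SAN carries both names.
# Returns non-zero if either fails.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" | grep -q ': OK$' || return 1
    openssl x509 -in "$1/server.crt" -noout -text > "$1/server.txt"
    grep -q 'DNS:www.test.com' "$1/server.txt" || return 1
    grep -q 'IP Address:10.0.1.10' "$1/server.txt"
}
```

Usage: `build_demo_pki /root/mypki` followed by `issued_subject /root/mypki` and `verify_server_cert /root/mypki`; then point SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key as in the post, and the browser trusts it once cacert.pem is imported as a root. The "match" policy entries tie every issued certificate to the CA's own C and O, which stops a CSR from naming a foreign organisation, and keeping subjectAltName in the CA-side extension section rather than copying it from the CSR means the requester cannot ask for names the CA has not approved.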