Dear itboi,

Sorry, but you definitely have no idea what you are doing. I'm asking myself
why you want to install OpenCA when you don't know what it is??

You don't know about SSL and certificate validation, but this is one of
the main purposes of OpenCA -> certificate validation

I recommend you read a book about encryption/authentication and X.509v3
before setting up a PKI. A good one is this here:

http://www.amazon.com/gp/product/0471397024/sr=8-1/qid=1154334847/ref=pd_bbs_1/002-1145735-3619241?ie=UTF8

Read it!
Bye

Ralf

> itboi wrote:
>
> Thanks for the reply from Nicolas MASSE.
>
> I did follow you step by step:
>
>
> $ cd /root
> $ chmod 700 .
> $ umask 077
> $ mkdir mypki
> $ cd mypki
> $ mkdir certs
> $ mkdir private
> $ touch index.txt
> $ echo '01' > serial
> $ vi openssl.cnf
> $ export OPENSSL_CONF="openssl.cnf"
> $ openssl req -newkey rsa -x509 -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out cacert.pem
> Generating a 2048 bit RSA private key
> ....................................................+++
> .............................+++
> writing new private key to './private/cakey.pem'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
>
> $ export -n OPENSSL_CONF
> $ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out server.req
> Generating a 1024 bit RSA private key
> .......................................++++++
> .............................++++++
> writing new private key to 'server.key'
> -----
>
> $ export OPENSSL_CONF="openssl.cnf"
> $ openssl ca -in server.req -out server.crt
> Using configuration from openssl.cnf
> Enter pass phrase for ./private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'VN'
> organizationName      :PRINTABLE:'TEST'
> organizationalUnitName:PRINTABLE:'COM'
> commonName            :PRINTABLE:'TEST.COM'
> Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> $ cat server.key
> $ cat server.crt
>
> ------------AND THIS IS mypki/openssl.conf file----------------------
>
>
> [ ca ]
> default_ca              = mypki
>
> [ mypki ]
> dir                     = .
> certificate             = $dir/cacert.pem
> database                = $dir/index.txt
> new_certs_dir           = $dir/certs
> private_key             = $dir/private/cakey.pem
> serial                  = $dir/serial
>
> x509_extensions         = mypki_ext
> default_md              = md5
> default_days            = 365
> policy                  = mypki_policy
>
> [ mypki_policy ]
>
> [ mypki_ext ]
> basicConstraints        = CA:false
>
> [ req ]
> default_bits            = 2048
> default_keyfile         = ./private/cakey.pem
>
> prompt                  = no
> distinguished_name      = root-ca_DN
> x509_extensions         = root-ca_ext
>
> [ root-ca_DN ]
> commonName              = TEST.COM
> organizationalUnitName  = TEST
> organizationName        = COM
> countryName             = VN
>
> [ root-ca_ext ]
> basicConstraints        = CA:true
>
>
>
> Then I copied server.key and server.crt (in the mypki folder) to
> /usr/local/apache/mykey and also configured httpd.conf:
>
> --------------------------------------------------------------
> servername 10.0.1.10
> port 80
> Listen 80
> Listen 443
>
>
> <VirtualHost 10.0.1.10:443>
>
> SSLEnable
> SSLEngine on
> ServerName 10.0.1.10
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
>
> SSLCertificateFile /usr/local/apache/mykey/server.crt
> SSLCertificateKeyFile  /usr/local/apache/mykey/server.key
> </VirtualHost>
> -------------------------------------------------------------
>
> Then I start apache by:
>
> #....../bin/apachectl  startssl
> .....ok......
>
> #.../etc/openca_rc start
> ............ok............
>
> [EMAIL PROTECTED] mypki]# openssl  s_client -connect 10.0.1.10:80
> CONNECTED(00000003)
> 5456:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:494:
>
> [EMAIL PROTECTED] mypki]# openssl s_client  -connect 10.0.1.10:443
> CONNECTED(00000003)
> depth=0
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:
>    i:/CN=TEST.COM/OU=COM/O=TEST/C=VN
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIICQTCCASmgAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MREwDwYDVQQDEwhURVNU
> [remaining certificate body not included]
> -----END CERTIFICATE-----
> subject=
> issuer=/CN=TEST.COM/OU=COM/O=TEST/C=VN
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1145 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> 99B3C34CE19EAFE1F40DB2710BB6AE082D57156F6395564D42BB8D7020BD2012
>     Session-ID-ctx:
>     Master-Key:
> 763DB42C831A1C52CC7F7A67446E8603F02E6FB1E2C9751A3D3364EE6A2255B8F36236FF52B7E3D8EA70F854E20EF7C4
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1154164306
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> -----------------------------------------------------------------------
> Then I visit https://10.0.1.10/ or https://TEST.COM/ and it shows a window
> "security alert" with
> (!) "the name on the security certificates is invalid or does not match the
> name of the site"
> I choose "yes" and it shows this:
>  "Forbidden: You don't have permission to access / on this server.
>
> Apache/1.3.36 Server at TEST.COM Port 443""
>
> -----------------------------------------
> I can't find where the problem is.
> Can you help me fix it?
> Thanks a lot.
>
> --
> View this message in context: http://www.nabble.com/How-to-run-apache-ssl-for-openca--tf2002737.html#a5571595
> Sent from the openca-users forum at Nabble.com.
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
>



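An added example, not code from either poster, showing the two checks a practitioner would make on the setup quoted above. First, `openssl ca` keeps only the DN fields listed in its policy section and silently drops every other field, so an empty `[ mypki_policy ]` issues a certificate with no subject at all; that is what the bare `0 s:` line and the blank `subject=` in the quoted s_client output show, and a browser then has no name to match against the site. Second, s_client's `verify error:num=21` is expected when no `-CAfile` is given, so this script verifies the chain with the CA certificate supplied and checks the hostname the way a browser does. It also signs with sha256 instead of md5 and puts the server name into a subjectAltName, which current browsers require. The directory layout, the CA subject and the name test.example are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from either poster): a minimal openssl-ca setup whose
# policy section carries the request's DN into the issued certificate, signs
# with sha256 instead of md5, and verifies the result the way a client would.
# Directory names, the CA subject and the name test.example are constructed.
set -eu

# Create the CA directory layout and an openssl.cnf with a populated policy.
make_ca() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  # Quoted heredoc: the $dir below is OpenSSL's config variable, not the shell's.
  cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = mypki

[ mypki ]
dir             = .
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/certs
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = mypki_policy

# openssl ca silently drops every DN field that is not listed here; an empty
# policy section therefore issues a certificate with an empty subject.
[ mypki_policy ]
countryName             = match
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied

[ req ]
prompt              = no
distinguished_name  = req_dn

[ req_dn ]

[ root_ca_ext ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
EOF
  # Self-signed root. -nodes only because this demo is non-interactive;
  # a real CA key stays passphrase-protected, as in the thread.
  (cd "$dir" && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -config openssl.cnf -extensions root_ca_ext \
      -subj '/C=VN/O=TEST/CN=TEST Root CA' \
      -keyout private/cakey.pem -out cacert.pem 2>/dev/null)
}

# Generate a server key and CSR, then sign it with openssl ca. The server
# extensions (CA:false, serverAuth, a SAN) come from a per-certificate extfile.
issue_server_cert() {
  dir=$1; cn=$2
  (cd "$dir" &&
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/C=VN/O=TEST/CN=$cn" -keyout server.key -out server.req 2>/dev/null &&
    printf 'basicConstraints = CA:false\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$cn" > server_ext.cnf &&
    openssl ca -batch -config openssl.cnf -extfile server_ext.cnf \
        -in server.req -out server.crt >/dev/null 2>&1)
}

# Print the issued certificate's subject in RFC 2253 form; with an empty policy
# section this would print nothing after "subject=".
cert_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.crt"
}

# Verify the chain against the CA and check the hostname, as s_client -CAfile
# plus a browser's name check would; exit status 0 only when both pass.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

Run it in a scratch directory: `d=$(mktemp -d); make_ca "$d"; issue_server_cert "$d" test.example`. `cert_subject "$d"` then prints a subject that contains CN=test.example rather than an empty one, `verify_chain "$d" test.example` exits 0, and the same call with any other name exits nonzero, which is the check the browser in the thread was performing. The Apache 403 Forbidden seen after clicking through the warning is a separate access-control question on the server side and is not answered by the certificate.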