Hi
- AGROLAN wrote:
>
> Where can I find instructions on how to operate Opensa+ssl under win32?
Once I'd made my certificate, I just plonked it into the directories
where the others are and updated the httpd.conf file in Apache's conf
directory to reflect the new certificate (search for SSL and you'll find
the right entry soon enough - httpd.conf is fairly well commented).
> I am using Apache under NT and I started a new server with Opensa 0.20 + ssl
> and it is working, but I need to get my CA. How can I get the CA from official
> sites, or how can I do it myself?
Documentation is thin on the ground for OpenSSL (I am fortunate in that
I've used SSLeay before), and its online help is simply an options
listing. There is an online man page in progress at
http://www.openssl.org.
Your choices are:
* Generate a self-signed key. This is free, but all browsers will warn
that the site is untrusted as the key is signed by an unknown body. For
personal use or on an Intranet you can request that it is explicitly
trusted. To make a self-signed key, cd to your OpenSSL directory and
type:
openssl req -new -key key.pem -out cert.pem -x509 -config openssl.cnf
key.pem is your private key and cert.pem is the public key.
* Get a CA to sign your key - this costs a fair bit. The cheapest is
probably Thawte (http://www.thawte.com), but also you may want to look
at Verisign and GlobalSign.
You use OpenSSL to generate a key, and then send your public key to the
CA to be signed. They send you back the signed key. To do this, use:
openssl req -new -key key.pem -out req.pem -config openssl.cnf
key.pem is the private key you copy to the server directory, and req.pem
is sent to the CA for signing. You use the key they send back as your
public key. This has the advantage that browsers will not generate an
error message.
* Become your own CA. This only holds benefits if you are in control of
the computer connecting to the server, and you have several secure
servers running. Then you can load one key to trust all of them. This
is time consuming, and I have written a cheap'n'nasty batch file to sort
this out (drop me a line if need be).
One last point: the Common Name part of your certificate should be the
name of your server that people will connect to, i.e. www.mydomain.com.
Otherwise it _will_ be rejected.
> How can I run Opensa+ssl as a service under NT?
This is in the docs in windows.html. Use apache -n "service name".
HTH,
Luke
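An added worked example, not part of Luke's mail: it fills in the step his two openssl commands assume (key.pem must already exist), produces both the self-signed certificate and the CSR with the Common Name set to the server's host name, and then checks the CN that was actually written and that key.pem really belongs to cert.pem. It assumes only that the openssl binary is on PATH; www.mydomain.com is the placeholder name from the mail, and the files are written to a constructed temporary directory rather than the Apache conf directory.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes `openssl` is on PATH.
# All files go into a constructed temp dir so nothing on a real server is touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The mail's `openssl req ... -key key.pem` commands need a private key first.
make_key() {
    openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}

# Self-signed certificate (the "free, but browsers will warn" option).
# $1 is the Common Name: the host name people will type, e.g. www.mydomain.com.
make_self_signed() {
    openssl req -new -key "$WORK/key.pem" -out "$WORK/cert.pem" -x509 -days 365 \
        -subj "/CN=$1" 2>/dev/null
}

# Certificate signing request to send to a CA; key.pem never leaves the server.
make_csr() {
    openssl req -new -key "$WORK/key.pem" -out "$WORK/req.pem" \
        -subj "/CN=$1" 2>/dev/null
}

# Print the CN stored in the certificate (what browsers compare to the URL host).
# The sed handles both "subject= /CN=x" and "subject=CN = x" output styles.
cert_cn() {
    openssl x509 -in "$WORK/cert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Same check for the CSR, so you see what the CA will sign before sending it.
csr_cn() {
    openssl req -in "$WORK/req.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Succeeds only if the CSR's self-signature verifies (catches a corrupt req.pem).
csr_signature_ok() {
    openssl req -in "$WORK/req.pem" -noout -verify >/dev/null 2>&1
}

# Succeeds only if key.pem is the private half of the public key in cert.pem,
# which is the usual cause of "server won't start" after copying the wrong files.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}
```

After the CSR comes back signed from the CA, the same key_matches_cert check applies to the returned certificate before it is copied next to key.pem.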