Hey Luke,
You did a great job in the reply below - it's almost an FAQ!
The question I have is WHERE do you put one's CN?
Can the CN be domain.com or does it need to be host.domain.com?
Can it be *.domain.com as an example?
Jim...
--
"I know you believe you understand what you think I said,
but I am not sure you realize that what you heard is not what I meant."
Luke Ross wrote:
>
> Hi
>
> - AGROLAN wrote:
> >
> > Where can I find instructions on how to operate Opensa+ssl under or win32?
>
> Once I'd made my certificate, I just plonked it into the directories
> where the others are and updated the httpd.conf file in Apache's conf
> directory to reflect the new certificate (search for SSL and you'll find
> the right entry soon enough - httpd.conf is fairly well commented).
>
> > I am using Apache under NT and I started a new server with Opensa 0.20 + ssl
> > and it is working but I need to get my CA, how can I do the CA by official
> > sites or how can I do it myself?
>
> Documentation is thin on the ground for OpenSSL (I am fortunate in that
> I've used SSLeay before), and its online help is simply an options
> listing. There is an online man page in progress at
> http://www.openssl.org.
>
> Your choices are:
>
> * Generate a self-signed key. This is free, but all browsers will warn
> that the site is untrusted as the key is signed by an unknown body. For
> personal use or on an Intranet you can request that it is explicitly
> trusted. To make a self-signed key, cd to your OpenSSL directory and
> type:
>
> openssl req -new -key key.pem -out cert.pem -x509 -config openssl.cnf
>
> key.pem is your private key and cert.pem is the public key.
>
> * Get a CA to sign your key - this costs a fair bit. The cheapest is
> probably Thawte (http://www.thawte.com), but also you may want to look
> at Verisign and GlobalSign.
>
> You use OpenSSL to generate a key, and then send your public key to the
> CA to be signed. They send you back the signed key. To do this, use:
>
> openssl req -new -key key.pem -out req.pem -config openssl.cnf
>
> key.pem is the private key you copy to the server directory, and req.pem
> is sent to the CA for signing. You use the key they send back as your
> public key. This has the advantage that browsers will not generate an
> error message.
>
> * Become your own CA. This only holds benefits if you are in control of
> the computer connecting to the server, and you have several secure
> servers running. Then you can load one key to trust all of them. This
> is time consuming, and I have written a cheap'n'nasty batch file to sort
> this out (drop me a line if need be).
>
> One last point, the Common Name part of your certificate should be the
> name of your server people will connect to, i.e. www.mydomain.com.
> Otherwise it _will_ be rejected.
>
> > How can I run Opensa+ssl as a service under NT?
>
> This is in the docs in windows.html. Use apache -n "service name".
>
> HTH,
>
> Luke
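The following script is an added example and is not code from either message in the thread. It walks through the two `openssl req` paths Luke describes (a self-signed certificate, and a request file to send to a CA), then uses `openssl verify -verify_hostname` to show which hostnames a given certificate is actually accepted for. Compared with the thread it also shows a wildcard name, since a wildcard such as `*.example.com` matches `www.example.com` but not the bare `example.com` nor a deeper name. It assumes an OpenSSL 1.1.1 or newer binary on the PATH (the `-addext` option needs that), and the hostnames and file names are constructed for the demonstration; modern browsers check the subjectAltName extension rather than the CN, so the script sets both.

```shell
#!/bin/sh
# Added example: generate a key plus self-signed certificate (or a CSR) with a
# chosen Common Name, then check which hostnames the certificate is valid for.
# Requires openssl >= 1.1.1 on PATH. Names and paths here are constructed.
set -eu

WORK=${TMPDIR:-/tmp}/cn-demo.$$
mkdir -p "$WORK"

# make_self_signed NAME CN SAN
#   Writes $WORK/NAME.key (private key) and $WORK/NAME.crt (certificate).
#   Both the subject CN and a subjectAltName are set: once a SAN extension is
#   present, hostname checks use the SAN and ignore the CN.
make_self_signed() {
    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# make_csr NAME CN SAN
#   Writes $WORK/NAME.key and $WORK/NAME.csr; the .csr is what you would send
#   to a CA for signing instead of self-signing.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_subject NAME : print the certificate subject in RFC 2253 form,
# e.g. CN=www.example.com
cert_subject() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# csr_subject NAME : same for a certificate request
csr_subject() {
    openssl req -in "$WORK/$1.csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# matches NAME HOST : exit 0 only if the certificate is valid for HOST.
#   The certificate is self-signed, so it serves as its own trust anchor;
#   openssl verify exits non-zero on a hostname mismatch.
matches() {
    openssl verify -verify_hostname "$2" \
        -CAfile "$WORK/$1.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# report NAME HOST : human-readable wrapper around matches
report() {
    if matches "$1" "$2"; then
        echo "$(cert_subject "$1") is valid for $2"
    else
        echo "$(cert_subject "$1") is NOT valid for $2"
    fi
}

# cleanup : remove the generated key material
cleanup() {
    rm -rf "$WORK"
}

# Demonstration: a host certificate, a wildcard certificate, and a CSR.
make_self_signed host www.example.com DNS:www.example.com
make_self_signed wild '*.example.com' 'DNS:*.example.com'
make_csr request www.example.com DNS:www.example.com

echo "CSR subject: $(csr_subject request)"
report host www.example.com
report host example.com
report wild www.example.com
report wild example.com
report wild a.b.example.com
```

Run it as `sh cn-demo.sh`; the two "NOT valid" lines for the wildcard certificate are the practical answer to whether `*.domain.com` covers the bare domain or a deeper subdomain (it covers neither). Call `cleanup` afterwards if you do not want the generated keys left in the temporary directory.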